Extracting Macros – oledump.py

Another fantastic and easy to use tool to use for extracting macros is oledump.py by Didier Stevens. You can find the tool here. It’s super easy to use, so let’s get to it. The document that I’m using can be found here.

oledump.py

All you need to do is point oledump.py at a document and let it fly. Looking at the results, you can see the streams that contain macros have the letter M in front of them.

oledump
M is for ‘macro’.

You need to use two switches to extract the macros to screen. I don’t find that nearly as useful as just dumping the output to a .txt file. You can repeat that for both streams.

-s  Select a stream and dump its contents.

-v Decompress the selected stream.

oledumpextract.PNG

After this, you can look at the extracted macros at your leisure!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s