Extracting Macros – oledump.py

Another fantastic and easy-to-use tool for extracting macros is oledump.py by Didier Stevens. You can find the tool here. It’s super easy to use, so let’s get to it. The document that I’m using can be found here.


All you need to do is point oledump.py at a document and let it fly. In the results, the streams that contain macros are marked with the letter M.

M is for ‘macro’.

You need two switches to extract a macro to the screen. I don’t find that nearly as useful as just redirecting the output to a .txt file. Repeat the command for each of the two macro streams.

-s: Select a stream and dump its contents.

-v: Decompress the selected stream.


After this, you can look at the extracted macros at your leisure!
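The -v step above is MS-OVBA decompression of the module stream. As an added example (not code from the original post, nor from oledump.py itself), the decompressor below implements that algorithm in pure Python; the compress_literals helper and the SAMPLE bytes are constructed here only to exercise it offline.

```python
import math
import struct

def decompress_vba(data: bytes) -> bytes:
    """Decompress a VBA CompressedContainer: 0x01 signature, then chunks."""
    if not data or data[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out, pos = bytearray(), 1
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        chunk_end = pos + (header & 0x0FFF) + 3      # size field counts the header
        pos += 2
        chunk_out_start = len(out)
        if not header & 0x8000:                      # raw, uncompressed chunk
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags, pos = data[pos], pos + 1          # one flag byte per 8 tokens
            for bit in range(8):
                if pos >= chunk_end: break
                if not (flags >> bit) & 1:           # literal token: one byte
                    out.append(data[pos]); pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]; pos += 2
                # Offset/length split depends on how much of this chunk is decoded
                # so far (MS-OVBA 2.4.1.3.19.1); a copy token cannot come first.
                done = len(out) - chunk_out_start
                if done < 1:
                    raise ValueError("copy token before any output in chunk")
                bits = max(math.ceil(math.log2(done)), 4)
                lmask = 0xFFFF >> bits
                src = len(out) - (((token & ~lmask & 0xFFFF) >> (16 - bits)) + 1)
                for i in range((token & lmask) + 3):  # overlapping copy is legal
                    out.append(out[src + i])
    return bytes(out)

def compress_literals(plain: bytes) -> bytes:
    """Literal-only encoder (valid, unoptimised); builds test input offline."""
    container = bytearray(b"\x01")
    for i in range(0, len(plain), 3640):             # n + n/8 flag bytes <= 4096
        chunk = plain[i:i + 3640]
        body = b"".join(b"\x00" + chunk[j:j + 8] for j in range(0, len(chunk), 8))
        container += struct.pack("<H", 0xB000 | (len(body) - 1)) + body
    return bytes(container)

# Constructed sample: literals a, b, c then one copy token (offset 3, length 12).
SAMPLE = bytes.fromhex("01 05b0 08 61 62 63 09 20")
```

Feeding decompress_vba the raw bytes of a module stream (what -s selects) yields the same plaintext VBA that -v prints.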

Extracting Macros – OfficeMalScanner

There are a couple of ways that you can extract macros from a Word document. What follows uses one of my go-to tools, OfficeMalScanner. We’re going to be using a .docm file called Order_details_U96144.docm. You can download it here.

SHA256: ABD44B168E3E0E5585570BE6695E3511FAADE07301A64550282D98704A57B525

OfficeMalScanner

This tool is an old one, but it is a workhorse for me. There are a few options here, but when it comes to ripping out macros, you’re going to need the two options called ‘info’ and ‘inflate’.

scan: Use this for the older style .doc files and the like; it will save any macros to a new folder.

inflate: Use this for the newer style .docx files and the like; it will decompress the document into a temporary directory.


Using OfficeMalScanner with the switch inflate below, you can see that it decompressed the document and saved it here: C:\Users\REM\AppData\Local\Temp\DecompressedMsOfficeDocument.

Note the yellow text at the bottom. It tells you what to do next.

Find the file named VBAPROJECT.BIN under the WORD folder and run OfficeMalScanner against it. Note that the instructions say to use the info switch on it.


Two macros have been extracted. You can now check them out with your favorite text editor.