Quick Tip: Extracting all VBA Code from a Maldoc - JSON Format, (Sun, Nov 22nd)
SANS Internet Storm Center, InfoCON: green 2020-11-22
In diary entry "Quick Tip: Extracting all VBA Code from a Maldoc" I explain which options to use with oledump.py to extract all VBA code with a single command.
I promised that I would update oledump.py so that it can also produce JSON output with all VBA code.
This is now done with version 0.0.55. The existing option -j (--json) produces a JSON object with the content (base64 encoded) of each stream found inside the analyzed OLE file. Combining options -j and -v produces a JSON object with the VBA code (base64 encoded) of each module stream found inside the analyzed OLE file.
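A consumer for that JSON output, as an added example that is not part of the original diary or of oledump.py: it decodes each module's base64 content and flags auto-execute entry points for triage. The JSON layout (an "items" list of objects with "id", "name" and "content"), the latin-1 decoding and the keyword list are assumptions, and the sample input is constructed.

```python
import base64
import binascii
import json

# Entry-point names that Office runs automatically (short illustrative list).
AUTOEXEC = ("autoopen", "auto_open", "document_open", "workbook_open")

def _b64(text):
    return base64.b64encode(text.encode("latin-1")).decode("ascii")

# Constructed sample, NOT real oledump output. The layout (an "items" list of
# objects with "id", "name" and base64 "content") is an assumption.
SAMPLE = json.dumps({"items": [
    {"id": 7, "name": "Macros/VBA/ThisDocument",
     "content": _b64('Sub AutoOpen()\n    MsgBox "constructed sample"\nEnd Sub\n')},
    {"id": 8, "name": "Macros/VBA/Module1",
     "content": _b64("Function Add(a, b)\n    Add = a + b\nEnd Function\n")},
    {"id": 9, "name": "Macros/VBA/Broken", "content": "!!not-base64!!"},
]})

def extract_vba(json_text):
    """Decode every item; return dicts with name, code, autoexec and error."""
    doc = json.loads(json_text)
    items = doc.get("items") if isinstance(doc, dict) else None
    if not isinstance(items, list):
        raise ValueError("no 'items' list: not the assumed JSON layout")
    modules = []
    for item in items:
        entry = {"name": str(item.get("name", item.get("id", "?"))),
                 "code": None, "autoexec": [], "error": None}
        try:
            raw = base64.b64decode(item.get("content", ""), validate=True)
        except (binascii.Error, TypeError, ValueError) as exc:
            entry["error"] = str(exc)  # record it; one bad item must not hide the rest
        else:
            # latin-1 maps every byte, so decoding never fails (assumed codepage)
            entry["code"] = raw.decode("latin-1")
            lowered = entry["code"].lower()
            entry["autoexec"] = [k for k in AUTOEXEC if k in lowered]
        modules.append(entry)
    return modules

if __name__ == "__main__":
    for mod in extract_vba(SAMPLE):
        hits = ", ".join(mod["autoexec"])
        print(mod["name"], "->", mod["error"] or (f"auto-exec: {hits}" if hits else "ok"))
```

To run it on real output, pass the text produced by options -j and -v to extract_vba() in place of SAMPLE.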
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.