Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Quick Tip: Extracting all VBA Code from a Maldoc - JSON Format - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Quick Tip: Extracting all VBA Code from a Maldoc - JSON Format

In diary entry "Quick Tip: Extracting all VBA Code from a Maldoc" I explain which options to use with oledump.py to extract all VBA code with a single command.

I promised that I would update oledump.py so that it can also produce JSON output with all VBA code.

This is now done with version 0.0.55. Existing option -j (--json) produces a JSON object with the content (base64 encoded) of each stream found inside the analyzed ole file. Combining option -j and -v produces a JSON object with the VBA code (base64 encoded) of each stream module found inside the analyzed ole file:

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

 DidierStevens

652 Posts
ISC Handler
Nov 22nd 2020
Thread locked Subscribe Nov 22nd 2020
1 year ago

Sign Up for Free or Log In to start participating in the conversation!