How to spot Malicious VBA Macro and how to extract it
Malicious VBA macros in Microsoft Word files (*.docx / *.doc) or Microsoft Excel files (*.xlsx / *.xls) aren’t new, so we’ll extract the VBA macro from such a file to understand what it does. Note: if you received a document that is empty, or whose content doesn’t make any sense, it is most probably malicious. In addition, Microsoft Office will ask you to enable macros before it runs them (unless you changed the default security settings of Microsoft Office). We’ll be using Didier Stevens’ mighty oledump Python tool to extract the VBA macro.
In addition to the “oledump” tool, you can check our OfficeMalScanner tool usage guide, our Python oletools setup and usage guide, and the usage guide and examples for the ExcelSheetUnhide PowerShell script we developed, for more Microsoft Office malware analysis options.
Setting up Prerequisites and oledump
Note that the oledump tool and its prerequisites come preinstalled in FLARE VM. To learn more about the VM, see our FLARE VM installation article.
How to setup oledump:
1. Download Python 2.7 (choose your OS version there) – Python 2.7 is the version that oledump supports.
*** Python 2.7.16 is the last release of Python 2.7, which is no longer supported.
2. Install the Python version that you downloaded.
3. You will need to install oledump’s dependency, the olefile (OleFileIO) module (installation instructions are on its site).
*** Or you can use the pip installer that comes with Python from version 2.7.9 on.
3.1. If you installed Python to its default directory, then “pip2.exe” should be in “C:\Python27\Scripts\pip2.exe”. Pip2 installs packages for Python 2. This matters if you also have Python 3 installed and your package only supports Python 2 (to install packages for Python 3 you would use “pip3.exe”). So, open the command line and execute:
C:\Python27\Scripts\pip2.exe install olefile
Updating olefile through pip:
C:\Python27\Scripts\pip2.exe install -U olefile
If you installed python 2 with PATH environment variable then you can use it without full path:
pip2 install olefile
pip2 install -U olefile
4. Download Didier Stevens oledump tool (you will find a lot of usage information of the tool, which is very powerful for anything OLE dumping related in Microsoft files) and extract it somewhere that is easy for you to navigate.
Oledump tool usage
The syntax is simple: run oledump.py against the document in CMD to list its streams and check which of them hold VBA macros.
If for some reason it is not working or you didn’t add python to the PATH environment variable, you can try using the full path to python with oledump:
C:\Python27\python.exe oledump.py YourDocument.doc
The above example is also useful if you have Python 3 and Python 2 installed on the same computer; if you added Python to the PATH environment variable, you can use a simpler syntax to execute scripts with Python 2:
py -2 oledump.py YourDocument.doc
After successful execution, you will receive something like this:
1: 114 '\x01CompObj'
2: 4096 '\x05DocumentSummaryInformation'
3: 4096 '\x05SummaryInformation'
4: 7440 '1Table'
5: 380 'Macros/PROJECT'
6: 41 'Macros/PROJECTwm'
7: M 1329539 'Macros/VBA/ThisDocument'
8: 3449 'Macros/VBA/_VBA_PROJECT'
9: 2909 'Macros/VBA/__SRP_0'
10: 780 'Macros/VBA/__SRP_1'
You can see that there’s an “M” character (Macro) next to the 7th stream. To dump / extract the VBA macro from the 7th stream, use:
oledump.py -s 7 --vbadecompressskipattributes YourDocument.doc > YourDocumentExportedMacro.txt
In practice, use full paths for all the files; I’m using relative paths above only for brevity. Example:
C:\oledump\oledump.py -s 7 --vbadecompressskipattributes C:\Users\User1\Documents\YourDocument.doc > C:\Users\User1\Documents\YourDocumentExportedMacro.txt
There can be other stream numbers in your case, watch for that “M”.
The parts of the command, in order:
-s 7 – dump the 7th stream
--vbadecompressskipattributes – VBA decompression, skipping the initial attribute lines
YourDocument.doc – the Microsoft Office file that you want to extract your macro from
> – pipe all the CMD output to a text file
YourDocumentExportedMacro.txt – the path of the text file to pipe the output to
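To show what the “VBA decompression” step above actually does, here is an added example (my own code, not oledump’s, and written for Python 3 rather than the Python 2 the article installs). The VBA source inside a module stream is stored in the MS-OVBA compressed format: a 0x01 signature byte, then chunks whose data is a sequence of flag bytes, each governing eight tokens that are either a literal byte or a two-byte copy token (back-reference). The example decompresses a hand-constructed module stream, drops the leading “Attribute VB_…” lines the way the --vbadecompressskipattributes switch does, and lists the auto-execute procedure names found, which is the first thing to look for when triaging a macro. The sample stream, the filler bytes in front of it and the search for the compressed “Attribute” header are all assumptions I constructed for this demonstration.

```python
"""MS-OVBA VBA source decompression, the step behind oledump's --vbadecompress
switches. Added example for this article, not oledump's own code (Python 3).
The module stream below is CONSTRUCTED by hand, not taken from a real document."""
import struct

# Constructed sample: one compressed chunk holding a tiny VBA module.
# Flag byte 0x00 means the next eight bytes are literals; the final flag byte
# 0x01 means the first token is a copy token (offset 20, length 3 -> "Sub").
COMPRESSED_SAMPLE = (
    b"\x01"                  # CompressedContainer signature byte
    b"\x43\xB0"              # chunk header 0xB043: size field 67, signature 0b011, compressed flag
    b"\x00Attribut"
    b"\x00e VB_Nam"
    b'\x00e = "Thi'
    b"\x00sDocumen"
    b'\x00t"\r\nSub '
    b"\x00AutoOpen"
    b"\x00()\r\nEnd "
    b"\x01\x00\x4C\r\n"      # copy token 0x4C00 (little-endian 00 4C), then literals "\r\n"
)
# Constructed filler in front of the source: a real module stream carries
# compiled p-code before the compressed source text.
SAMPLE_MODULE_STREAM = b"\xCA\xFE\xBA\xBE" * 3 + COMPRESSED_SAMPLE

# Assumption: a compressed module source starts with the literal run
# "Attribut" + flag byte + "e " produced by the "Attribute VB_Name" header.
VBA_SOURCE_MARKER = b"\x00Attribut\x00e "

# Procedure names that run automatically when the document is opened/closed.
AUTO_EXEC_NAMES = (b"AutoOpen", b"Auto_Open", b"Document_Open",
                   b"Workbook_Open", b"AutoExec", b"AutoClose")


def decompress_vba(container: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (signature byte + chunks)."""
    if not container or container[0] != 0x01:
        raise ValueError("bad container signature (expected 0x01)")
    out = bytearray()
    pos = 1
    while pos < len(container):
        chunk_start = pos
        header = struct.unpack_from("<H", container, chunk_start)[0]
        chunk_size = (header & 0x0FFF) + 3            # includes the 2 header bytes
        if (header >> 12) & 0x07 != 0b011:
            raise ValueError("bad chunk signature")
        compressed_flag = (header >> 15) & 0x01
        chunk_end = min(len(container), chunk_start + chunk_size)
        pos = chunk_start + 2
        chunk_out_start = len(out)
        if not compressed_flag:                      # raw chunk: up to 4096 bytes as-is
            out.extend(container[pos:pos + 4096])
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if (flags >> bit) & 1 == 0:          # literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]   # copy token
                pos += 2
                cur = len(out)
                distance = cur - chunk_out_start
                bit_count = 4                         # offset/length split depends on position
                while (1 << bit_count) < distance:
                    bit_count += 1
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = cur - offset
                for i in range(length):               # byte by byte: source may overlap output
                    out.append(out[src + i])
    return bytes(out)


def extract_vba_source(module_stream: bytes) -> bytes:
    """Find the compressed source inside a module stream and decompress it."""
    idx = module_stream.find(VBA_SOURCE_MARKER)
    if idx < 3:
        raise ValueError("no compressed VBA source found")
    return decompress_vba(module_stream[idx - 3:])    # back up over signature + chunk header


def skip_attributes(source: bytes) -> bytes:
    """Drop the leading 'Attribute VB_...' lines, like --vbadecompressskipattributes."""
    lines = source.split(b"\r\n")
    while lines and lines[0].startswith(b"Attribute "):
        lines.pop(0)
    return b"\r\n".join(lines)


def auto_exec_names(source: bytes) -> list:
    """Return the auto-execute procedure names present in the decompressed source."""
    return [name.decode() for name in AUTO_EXEC_NAMES if name in source]


if __name__ == "__main__":
    source = extract_vba_source(SAMPLE_MODULE_STREAM)
    print(skip_attributes(source).decode("latin-1"))
    print("auto-exec procedures:", auto_exec_names(source))
```

The byte-by-byte copy in the copy-token branch matters: a token may reference bytes that the copy itself is still producing (a run-length pattern), so slicing the output buffer once would miss them. On a real document you would feed `extract_vba_source` the bytes of the stream marked “M” in the oledump listing above.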
For the full manual of oledump.py (switches, help and examples), you can use this line: