Note: jshlbrd also has a pull request for a module that does VBA extraction. My module in addition does file extraction (explode) and metadata for forms. Otherwise, they are similar.
explode_vba.py is a scanning module to explode the VBA inside objects. It uses olevba from decalage's oletools to perform the object extraction.
Quick note: Olevba has some object explosion built into the code. For example, it can look inside DOCX files for VBA. I tried to stay away from explosions done inside the decalage code and instead rely on Laika BOSS for explosion. To continue with the previous example, Laika BOSS will explode the ZIP and then this module will pick up the compressed VBA object and extract the macro from it.
Inputs are OLE document files; output is metadata and extracted objects. Most supported formats listed at https://bitbucket.org/decalage/oletools/wiki/olevba which use olevba's VBA_Parser module will work as long as the format is also configured in dispatch.yara.
Here are my notes added to decalage's "Supported formats":
Word 97-2003 (.doc, .dot) -> Will work
Word 2007+ (.docm, .dotm) -> Note: Will rely on Laika BOSS explosion of ZIP
Word 2003 XML (.xml) -> Will work
Word/Excel MHTML, aka Single File Web Page (.mht) -> Will work.
Excel 97-2003 (.xls) -> Will work
Excel 2007+ (.xlsm, .xlsb) -> Should work and needs to be tested.
PowerPoint 2007+ (.pptm, .ppsm) -> Note: Not currently supported. Will most likely need to be a separate Laika BOSS module.
Text file containing VBA or VBScript source code -> Should work and needs to be tested. Needs dispatch.yara addition to run EXPLODE_VBA against all files since txt files have no file magic to key on.
Output: Extracted and decompressed VBA objects (macro and forms). Module also adds basic metadata about the object when possible.
Below I use an Office 2007 Word sample (zip). I run olevba against the file, which uses its native exploding code and shows that there are macros and forms. I then show the scan output from EXPLODE_VBA, which shows the collected metadata. This is followed by examples of the actual extracted files.
By running the EXPLODE_VBA module in conjunction with EXPLODE_ZIP and EXPLODE_OLE, the macros are successfully extracted.
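The "decompressed VBA objects" the module emits come out of olevba's handling of the MS-OVBA compression used for VBA module streams. As an added, stand-alone illustration (not the module's code and not oletools' code), here is a Python implementation of that decompression, run over a constructed compressed buffer; the function name and the sample bytes are mine.

```python
import struct

# MS-OVBA compression: a container is a 0x01 signature byte followed by chunks.
# Each chunk starts with a 2-byte little-endian header: bits 0-11 hold
# (chunk size - 3), bits 12-14 must be 0b011, bit 15 is 1 when the chunk data
# is compressed (flag bytes, each followed by up to eight literal/copy tokens).
def decompress_vba_stream(container: bytes) -> bytes:
    if not container or container[0] != 0x01:
        raise ValueError("bad container signature byte")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        chunk_size = (header & 0x0FFF) + 3
        if ((header >> 12) & 0x07) != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        chunk_end = min(len(container), pos + chunk_size)
        chunk_start = len(out)            # where this chunk begins in the output
        pos += 2
        if not header & 0x8000:           # raw chunk: up to 4096 bytes copied verbatim
            out.extend(container[pos:pos + 4096])
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:        # flag bit 0 = literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                # The offset/length split of a copy token depends on how far into
                # the chunk the output is: ceil(log2(distance)) offset bits, min 4.
                distance = len(out) - chunk_start
                bit_count = max((distance - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                if src < chunk_start:             # back-reference before the chunk: malformed input
                    raise ValueError("copy token reaches outside chunk at offset %d" % (pos - 2))
                for i in range(src, src + length):   # overlapping copy is legal (run-length style)
                    out.append(out[i])
    return bytes(out)

# Constructed sample: "Sub Main()\r\nEnd Sub\r\n" with the second "Sub" encoded
# as a copy token (offset 16, length 3) rather than three literals.
SAMPLE = b"\x01\x16\xb0" b"\x00Sub Main" b"\x00()\r\nEnd " b"\x01\x00\xf0\r\n"
```

Feeding a module stream's compressed source through this is what yields the readable macro text; a malformed back-reference is reported rather than silently producing garbage.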
-> Metadata collected from Module
-> Showing the files exploded and their filenames
Dispatch.yara change to make this module run against OLEs, Word2003 XML, and MHTML.