olevba - a tool to extract VBA Macro source code from MS Office documents (OLE and OpenXML)

olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to detect VBA Macros, extract their source code in clear text, decode malware obfuscation (Hex/Base64/StrReverse/Dridex) and detect security-related patterns such as auto-executable macros, suspicious VBA keywords used by malware, and potential IOCs (IP addresses, URLs, executable filenames, etc). It is part of the python-oletools package.

It can be used either as a command-line tool, or as a python module from your own applications.Supported formats:

  • Word 97-2003 (.doc, .dot), Word 2007+ (.docm, .dotm)
  • Excel 97-2003 (.xls), Excel 2007+ (.xlsm, .xlsb)
  • PowerPoint 2007+ (.pptm, .ppsm)

olevba is based on source code from officeparser by John William Davison, with significant modifications.

Quick links: Home page - Download - Documentation - Report Issues/Suggestions/Questions - Contact the Author - Repository - Updates on Twitter

Main Features

  • Detect VBA macros in MS Office 97-2003 and 2007+ files
  • Extract VBA macro source code
  • Detect auto-executable macros
  • Detect suspicious VBA keywords often used by malware
  • Detect and decodes strings obfuscated with Hex/Base64/StrReverse/Dridex
  • Extract IOCs/patterns of interest such as IP addresses, URLs, e-mail addresses and executable file names
  • Scan multiple files and sample collections (wildcards, recursive)
  • Triage mode for a summary view of multiple files
  • Scan malware samples in password-protected Zip archives
  • Python API to use olevba from your applications

 

MS Office files encrypted with a password are also supported, because VBA macro code is never encrypted, only the content of the document.

About VBA Macros

See this article for more information and technical details about VBA Macros and how they are stored in MS Office documents.

Usage, Examples, Python API

See the olevba documentation.