Office Macros

Office Open XML documents is used by softwares of the Microsoft Office Suite, including Word and Excel.

Oledump.py

Using oledump.py on a .xlsm file will decompose it in several streams (named from A to A15). As we can see in the screenshot below, the A3 stream contains a VBA macro.

Olevba

The string/hex dump of the aforementionned stream could be done manually through oledump commands, but for simplicity and formatting's sake, I use the olevba tool. It will automatically extract and display an .xlsm's file macros, all while neatly pointing any suspicious IOC ;