Oletools
🕵️‍♂️ How to Analyze .docx and .xlsm Files with oletools
🔧 0. Install oletools (if not already installed)
pip install oletools
📄 Analyzing .docx Files (OpenXML Word Documents)
1. Run olevba on the .docx file
olevba file.docx
🔸 .docx files normally do not contain macros, so this often returns "no VBA macros found".
2. Unzip the .docx to check for embedded objects
unzip file.docx -d extracted/
3. Look for embedded OLE objects
Check inside extracted/word/embeddings/, e.g.:
extracted/word/embeddings/oleObject1.bin
If present, these .bin files are embedded objects (OLE compound files or packaged files), and some of them may be malicious.
4. Analyze embedded OLE objects
olevba extracted/word/embeddings/oleObject1.bin
🧠 Look for VBA code, suspicious keywords, and auto-execution triggers.
5. Use oleid for high-level metadata
oleid file.docx
Helps you quickly see:
Is the file encrypted?
Are macros present?
External relationships?
Suspicious flags?
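As an added example (not part of oletools or of this note), a stdlib-only Python triage script that automates what steps 2 to 5 look for by hand: it lists the word/embeddings/ entries of a .docx, flags the ones that start with the OLE compound-file signature (the ones worth feeding to olevba), notes whether a vbaProject.bin macro container is present, and lists external relationships from the .rels parts. The sample .docx is constructed in memory.

```python
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 / CFB header signature


def triage_docx(data: bytes) -> dict:
    """Report embedded objects, a VBA container and external relationships in a .docx (zip)."""
    result = {"ole_objects": [], "other_embeddings": [], "vba_project": False, "external_rels": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("word/embeddings/"):
                # Only the first 8 bytes are needed to recognise an OLE compound file
                head = zf.open(name).read(8)
                bucket = "ole_objects" if head == OLE_MAGIC else "other_embeddings"
                result[bucket].append(name)
            elif name.endswith("vbaProject.bin"):
                # Present only in macro-enabled documents (.docm / .xlsm); never in a plain .docx
                result["vba_project"] = True
            elif name.endswith(".rels"):
                # Relationships with TargetMode="External" point outside the document (URLs, UNC paths)
                xml = zf.read(name).decode("utf-8", "replace")
                for rel in re.finditer(r'<Relationship\b[^>]*TargetMode="External"[^>]*>', xml):
                    target = re.search(r'Target="([^"]*)"', rel.group(0))
                    if target:
                        result["external_rels"].append(target.group(1))
    return result


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: one OLE embedding, one non-OLE embedding, one external link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504)
        zf.writestr("word/embeddings/image1.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("word/_rels/document.xml.rels",
                    '<Relationships><Relationship Id="rId1" Type="hyperlink" '
                    'Target="http://example.invalid/x" TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_docx(build_sample_docx()).items():
        print(f"{key}: {value}")
```

Point triage_docx at real file bytes to get the list of .bin paths to pass to olevba, and compare the external_rels output with what oleid reports.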
Tools in oletools
Tools to analyze malicious documents
- oleid: analyzes OLE files to detect specific characteristics usually found in malicious files.
- olevba: extracts and analyzes VBA macro source code from MS Office documents (OLE and Open XML).
- MacroRaptor: detects malicious VBA macros (mraptor -m <file> also shows the matched strings).
- msodde: detects and extracts DDE/DDEAUTO links from MS Office documents, RTF and CSV.
- pyxswf: detects, extracts, and analyzes Flash objects (SWF) that may be embedded in files such as MS Office documents and RTF, which is especially useful for malware analysis.
- oleobj: extracts embedded objects from OLE files.
- rtfobj: extracts embedded objects from RTF files.
Tools to analyze the structure of OLE files
- olebrowse: a simple GUI to browse OLE files (e.g. MS Word, Excel, PowerPoint documents), allowing you to view and extract individual data streams.
- olemeta: extracts all standard properties (metadata) from OLE files.
- oletimes: extracts creation and modification timestamps of all streams and storages.
- oledir: displays all the directory entries of an OLE file, including free and orphaned entries.
- olemap: displays a map of all the sectors in an OLE file.