Oletools
Guide: Analyzing .docx and .xlsm Files with oletools
0. Install oletools (if not already)
```bash
pip install oletools
```
Analyzing .docx Files (OpenXML Word Documents)
1. Run olevba on the .docx file
```bash
olevba file.docx
```
Note: .docx files normally do not contain macros, so this often returns "No VBA macros found". But it's always good to check.
2. Unzip the .docx to check for embedded objects
```bash
unzip file.docx -d extracted/
```
3. Look for embedded OLE objects
Check inside this directory:
extracted/word/embeddings/
If present, you may find files such as:
oleObject1.bin
oleObject2.bin
4. Analyze embedded OLE objects
```bash
olevba extracted/word/embeddings/oleObject1.bin
```
Repeat for any other .bin files.
5. Use oleid for file metadata overview
```bash
oleid file.docx
```
This gives a quick summary of:
- Macros present
- External relationships
- Encryption
- Suspicious flags
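The unzip-and-inspect steps above can be scripted. The following is an added example, not part of oletools and not one of this guide's own commands: it uses only the Python standard library to open the OpenXML zip, list anything under an embeddings/ folder, look for vbaProject.bin (the part that holds VBA in macro-enabled files) and report relationships marked TargetMode="External", which is roughly what oleid summarises as macros, embedded objects and external relationships. The OLE magic-byte check is an approximation of oleid's encryption indicator (encrypted OOXML files are stored in an OLE container rather than a plain zip). The build_sample_docx helper constructs a harmless sample document purely as test input; its contents and all function names are the example's own assumptions.

```python
import io
import os
import tempfile
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path

# Header bytes of an OLE2/CFB container: legacy .doc/.xls, and also encrypted
# OOXML files, which Office wraps in an OLE container instead of a zip.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def triage_ooxml(path):
    """Summarise macro, embedded-object and external-link indicators of one file.

    Stdlib approximation of the manual steps in the guide (unzip, look in
    */embeddings/, check for macros and external relationships); not oleid itself.
    """
    data = Path(path).read_bytes()
    report = {
        "ole_container": data.startswith(OLE_MAGIC),
        "macros": False,
        "embedded_objects": [],
        "external_relationships": [],
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Not an OpenXML zip (legacy binary or encrypted): hand it to oleid/olevba directly
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # vbaProject.bin is the part holding VBA in .docm/.xlsm; a .docx should not have it
        report["macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        # Embedded OLE objects are stored under word/embeddings/ (or xl/embeddings/)
        report["embedded_objects"] = sorted(
            n for n in names if "/embeddings/" in n and not n.endswith("/")
        )
        # Relationship parts marked TargetMode="External" point outside the package
        for n in names:
            if not n.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(n))
            for rel in root.iter():
                if rel.tag.split("}")[-1] == "Relationship" and rel.get("TargetMode") == "External":
                    report["external_relationships"].append((n, rel.get("Target", "")))
    return report


def build_sample_docx(path):
    """Construct a minimal, harmless .docx (constructed test input, not real malware)
    with one embedded object stub and one external hyperlink relationship."""
    ns = "http://schemas.openxmlformats.org/package/2006/relationships"
    rel_type = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    rels = (
        f'<Relationships xmlns="{ns}">'
        f'<Relationship Id="rId1" Type="{rel_type}oleObject" Target="embeddings/oleObject1.bin"/>'
        f'<Relationship Id="rId2" Type="{rel_type}hyperlink" '
        f'Target="http://example.invalid/x" TargetMode="External"/>'
        "</Relationships>"
    )
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
        # An embedded object stub that starts with the OLE header, as oleObject1.bin would
        zf.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 16)
    return path


def demo():
    """Build the constructed sample in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        return triage_ooxml(build_sample_docx(os.path.join(d, "sample.docx")))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Anything listed under embedded_objects is what you would then feed to olevba (step 4 above); an external relationship target is worth noting alongside whatever oleid reports.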
Analyzing .xlsm Files (Macro-Enabled Excel)
1. Run olevba on the file
```bash
olevba file.xlsm
```
This will:
- Extract all VBA macros
- Show suspicious keywords
- Show auto-executing macros
- Print the actual macro code
2. Look for these red flags
| Type | Keyword | Why it matters |
|---|---|---|
| AutoExec | Workbook_Open, Auto_Open | Executes macro automatically on open |
| Suspicious | Shell, CreateObject, WScript.Shell | Can run system commands |
| IOC | http, .exe, powershell, registry edits | Potential malware payloads |
| Obfuscation | Chr, Base64, StrReverse, Split | Used to hide real behavior |
3. Extract VBA code and suspicious keywords to a file (optional)
```bash
olevba file.xlsm > macro_output.txt
```
4. Use oleid for metadata
```bash
oleid file.xlsm
```
Key Indicators to Watch
| Category | Example | Why It's Suspicious |
|---|---|---|
| AutoExec | Auto_Open, Workbook_Open | Runs automatically |
| Command Exec | Shell, powershell, cmd | System command execution |
| Obfuscation | Chr(72) & Chr(84), Base64 | Payload hiding |
| Downloader | URLDownloadToFile, XMLHTTP | Drops additional malware |
| Persistence | Registry writes, Startup | Foothold creation |
| Encoding | Long strings, encoded blobs | Shellcode or encoded scripts |
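The two keyword tables (the red flags in step 2 and the key indicators above) can be applied mechanically to macro source once olevba has dumped it to a text file. Below is an added example, not olevba's own analysis: it scans VBA text for the keywords from those tables, records the first line each one appears on, flags auto-executing entry points, and decodes Chr(..) & Chr(..) runs back into the string they build, which is the kind of deobfuscation the Pro Tips refer to. The SAMPLE_VBA text is constructed for the demonstration and is not a real macro; the function names are the example's own.

```python
import re

# (category, keyword, whole_word, why it matters), taken from the tables above.
# whole_word=False keywords (http, .exe) are matched as substrings because they
# normally occur inside longer strings; note "http" therefore also matches https URLs.
RED_FLAGS = [
    ("AutoExec", "Workbook_Open", True, "Executes macro automatically on open"),
    ("AutoExec", "Auto_Open", True, "Executes macro automatically on open"),
    ("Suspicious", "Shell", True, "Can run system commands"),
    ("Suspicious", "CreateObject", True, "Can run system commands"),
    ("Suspicious", "WScript.Shell", True, "Can run system commands"),
    ("Suspicious", "powershell", True, "System command execution"),
    ("Suspicious", "cmd", True, "System command execution"),
    ("IOC", "http", False, "Potential malware payloads"),
    ("IOC", ".exe", False, "Potential malware payloads"),
    ("Downloader", "URLDownloadToFile", True, "Drops additional malware"),
    ("Downloader", "XMLHTTP", True, "Drops additional malware"),
    ("Obfuscation", "Chr", True, "Used to hide real behavior"),
    ("Obfuscation", "Base64", True, "Used to hide real behavior"),
    ("Obfuscation", "StrReverse", True, "Used to hide real behavior"),
    ("Obfuscation", "Split", True, "Used to hide real behavior"),
]

# A run of two or more Chr(n) calls joined with &, e.g. Chr(72) & Chr(84)
CHR_RUN = re.compile(r"(?:Chr\(\s*\d+\s*\)\s*&\s*)+Chr\(\s*\d+\s*\)", re.IGNORECASE)
CHR_ONE = re.compile(r"Chr\(\s*(\d+)\s*\)", re.IGNORECASE)


def _pattern(keyword, whole_word):
    """Case-insensitive pattern for one keyword (VBA identifiers are case-insensitive)."""
    k = re.escape(keyword)
    if whole_word:
        # Identifier boundaries: "." is allowed on either side so WScript.Shell still matches Shell
        k = r"(?<![A-Za-z0-9_])" + k + r"(?![A-Za-z0-9_])"
    return re.compile(k, re.IGNORECASE)


def decode_chr_runs(vba):
    """Rebuild the strings assembled from Chr(n) & Chr(n) & ... concatenations."""
    return ["".join(chr(int(n)) for n in CHR_ONE.findall(m.group(0)))
            for m in CHR_RUN.finditer(vba)]


def triage_vba(vba):
    """Report which table keywords occur in the macro text and where."""
    lines = vba.splitlines()
    hits = []
    for category, keyword, whole_word, why in RED_FLAGS:
        pat = _pattern(keyword, whole_word)
        for lineno, line in enumerate(lines, 1):
            if pat.search(line):
                hits.append({"category": category, "keyword": keyword, "line": lineno, "why": why})
                break  # first occurrence is enough for triage
    return {
        "hits": hits,
        "auto_exec": any(h["category"] == "AutoExec" for h in hits),
        "decoded_strings": decode_chr_runs(vba),
    }


# Constructed sample macro text (not real malware): it only exercises the keywords
SAMPLE_VBA = '''\
Sub Workbook_Open()
    Dim s As String
    s = Chr(72) & Chr(84) & Chr(84) & Chr(80)
    Set sh = CreateObject("WScript.Shell")
    Debug.Print StrReverse("olleh")
End Sub
'''

if __name__ == "__main__":
    result = triage_vba(SAMPLE_VBA)
    for h in result["hits"]:
        print(f"line {h['line']:>3}  {h['category']:<12} {h['keyword']:<18} {h['why']}")
    print("auto-exec:", result["auto_exec"])
    print("decoded Chr() strings:", result["decoded_strings"])
```

Point triage_vba at the contents of macro_output.txt from step 3 to get the same kind of keyword summary olevba prints, plus the decoded Chr() strings; a hit list is a prompt for manual review of those lines, not a verdict on its own.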
Quick Command List (Cheat Sheet)
```bash
# General analysis
olevba file.xlsm
olevba file.docx
# Extract and analyze embedded OLE objects
unzip file.docx -d extracted/
olevba extracted/word/embeddings/oleObject1.bin
# Inspect file metadata
oleid file.xlsm
oleid file.docx
# Save macro code to a text file
olevba file.xlsm > macros.txt
# Identify embedded objects
ls extracted/word/embeddings/
file extracted/word/embeddings/oleObject1.bin
```
Pro Tips
- Use olevba with caution on unknown files: always analyze in a VM/sandbox.
- Combine olevba with strings, file, or hexdump for deeper inspection.
- Copy suspicious VBA code for manual review or deobfuscation if needed.
- Use oleid first for a fast overview before diving into macro code.
Tools in oletools
Tools to analyze malicious documents
- oleid: analyzes OLE files to detect specific characteristics usually found in malicious files.
- olevba: extracts and analyzes VBA macro source code from MS Office documents (OLE and Open XML).
- MacroRaptor: detects malicious VBA macros (mraptor -m <file> for strings).
- msodde: detects and extracts DDE/DDEAUTO links from MS Office documents, RTF and CSV.
- pyxswf: detects, extracts, and analyzes Flash objects (SWF) that may be embedded in files such as MS Office documents and RTF, which is especially useful for malware analysis.
- oleobj: extracts embedded objects from OLE files.
- rtfobj: extracts embedded objects from RTF files.
Tools to analyze the structure of OLE files
- olebrowse: a simple GUI to browse OLE files (e.g. MS Word, Excel, PowerPoint documents), allowing you to view and extract individual data streams.
- olemeta: extracts all standard properties (metadata) from OLE files.
- oletimes: extracts creation and modification timestamps of all streams and storages.
- oledir: displays all the directory entries of an OLE file, including free and orphaned entries.
- olemap: displays a map of all the sectors in an OLE file.