Since last week we see XML documents being spammed: they are actually Microsoft Word documents with VBA Macros.
I wrote an ISC Diary entry (I’m a SANS ISC Handler now) detailing the internals of these XML files.
oledump is updated to parse these XML documents.
oledump_V0_0_11.zip (https)
MD5: 02AEF764545213E1B1A5895AD0706F78
SHA256: 162EE94B1A4533956EE2CE0CB13ECDF2FF6C18A0597685E690B8524526FD694E
Didier Stevens 