VBA macros inside a PowerPoint document are not stored directly inside streams, but as records in the “PowerPoint Document” stream. I have a plugin to parse the records of the “PowerPoint Document” stream, but I failed to extract the embedded, compressed OLE file with the macros. Until a recent tweet by @AngeAlbertini brought this up again. On his sample too I failed to extract the compressed OLE file, but then I remembered I had fixed a problem with zlib extraction in pdf-parser.py. Taking this code into plugin_ppt.py fixed the decompression problems.
VBA macros in a PowerPoint document do not appear directly in streams:
Plugin plugin_ppt parses records found in stream “PowerPoint Document”:
Each line represents a record, prefixed by an index generated by the plugin (to easily reference records). Records with a C indicator (like 1 and 435) contain sub-records. Records prefixed with ! contain an embedded object.
Record 441 (RT_ExternalOleObjectStg) interests us because it contains an OLE file with VBA macros.
Plugin option -s can be used to select this record:
Plugin option -a can then be used to do an hex/ascii dump:
The first four bytes are the size, and then follows the zlib compressed OLE file (as indicated by 0x78).
This OLE file can be decompressed and extracted with option -e, but pay attention to use option -q (quiet) so that oledump will only report the output of the plugin, and nothing else. This can then be piped into a second instance of oledump:
And now we can extract the VBA macros:
oledump_V0_0_38.zip (https)
MD5: C1D7F71A390497A516F67D798BA25128
SHA256: 4CADEE69D024E9242CDA0CE3A9C22BCB1CAFF9D5BA2D946519C6B7C18F895B81
[…] Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt […]
Pingback by Overview of Content Published in October | Didier Stevens — Friday 2 November 2018 @ 0:00
[…] I produced a video for my blog post “Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt“: […]
Pingback by Video: Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt | Didier Stevens — Wednesday 14 November 2018 @ 0:00
[…] Blog post: Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt […]
Pingback by oledump: plugin_ppt – Didier Stevens Videos — Monday 31 December 2018 @ 17:21