Didier Stevens

Sunday 15 November 2020

oledump Indicators

Filed under: maldoc,My Software — Didier Stevens @ 13:51

Each stream and storage can have an indicator in oledump.py‘s output:

You’ll probably know M and m: they are indicators that appear often.

Here is an overview of all possible indicators:

  • M: Macro (attributes and code)
  • m: macro (attributes without code)
  • E: Error (code that throws an error when decompressed)
  • !: Unusual macro (code without attributes)
  • O: object (embedded file)
  • .: storage
  • R: root entry


Update: oledump.py Version 0.0.55

Filed under: My Software,Update — Didier Stevens @ 13:49

This new version of oledump.py brings extra JSON support and a new indicator.

Existing option -j (–jsonoutput) produces JSON output: a JSON object with the content of each individual stream (BASE64 encoded).

This option (-j) can now be used together with option -v (–vbadecompress) to produce a JSON object with the VBA code (BASE64 encoded) of each VBA module stream.

And there is a new indicator (!) :

This indicator is used for VBA module streams for which oledump is not able to recognize “normal” VBA source code (e.g. starting with something else than attributes). Here is an example of a sample that would cause this ! indicator to appear: AV Cleaned Maldoc.

oledump_V0_0_55.zip (https)
MD5: 499B66DC3BAF86BDA4BC0370E3C18A1A
SHA256: ABEABFF0F1F5AA2239AFCDE73A676D4E8D9BA2F82C03B8663FFAB6F8D3A360E7

Blog at WordPress.com.