SANS Digital Forensics and Incident Response Blog: Daily Archives: Nov 23, 2009

Extracting VB Macro Code from Malicious MS Office Documents

An incident responder or forensic investigator should be prepared to examine potentially malicious document files, which may be located on the compromised system or discovered in email, web, or other network streams. After all, embedding malicious code into documents, such as Excel spreadsheets or Adobe Acrobat PDF files, is quite effective at bypassing perimeter defenses. This note deals with one such scenario, focusing on how to extract Visual Basic (VB) macro code that may be embedded in malicious Microsoft Office files. I will discuss how to extract macros from both legacy binary Office files (.doc, .xls, .ppt) and modern XML-based Office formats that support macros (such as .docm, .xlsm, .pptm). As you'll see, OfficeMalScanner will be my tool of choice for getting the job

...
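As an added illustration of where macros live in the XML-based formats mentioned above (this is not code from the original post, nor from OfficeMalScanner), the Python script below triages an OOXML package for a vbaProject.bin part, cross-checks it against the content-type declaration, and pulls out the raw part for offline analysis. The function names and the in-memory sample package are assumptions of this example; the sample's vbaProject.bin is placeholder bytes, not a real VBA project, and legacy binary (OLE2) files are only recognised, not parsed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML declares the embedded VBA project with this content type in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

def find_macro_parts(data: bytes) -> dict:
    """Triage an OOXML package for an embedded VBA project.
    is_zip: False for legacy binary (OLE2) files, which need a different parser.
    declared: parts that [Content_Types].xml labels as a VBA project.
    present: zip entries named vbaProject.bin, whether declared or not."""
    result = {"is_zip": False, "declared": [], "present": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    result["is_zip"] = True
    names = zf.namelist()
    result["present"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    if "[Content_Types].xml" in names:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        for node in root.iter(CT_NS + "Override"):
            if node.get("ContentType") == VBA_CONTENT_TYPE:
                result["declared"].append(node.get("PartName", "").lstrip("/"))
    return result

def extract_vba_project(data: bytes) -> dict:
    """Return {part name: raw bytes} for each vbaProject.bin. The bytes are the OLE2
    container holding the compressed VBA streams; decoding them is a separate step."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    return {n: zf.read(n) for n in find_macro_parts(data)["present"]}

def build_sample(with_macro: bool) -> bytes:
    """Constructed stand-in for a .docm (True) or .docx (False); not a real document."""
    macro_override = (f'<Override PartName="/word/vbaProject.bin" '
                      f'ContentType="{VBA_CONTENT_TYPE}"/>') if with_macro else ""
    content_types = (f'<Types xmlns="{CT_NS[1:-1]}">'
                     '<Default Extension="xml" ContentType="application/xml"/>'
                     f'{macro_override}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:  # placeholder bytes standing in for the real OLE2 part
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()
```

A vbaProject.bin that is present but not declared, or one inside a file carrying a non-macro extension, is worth a closer look; the extracted part can then be handed to a dedicated VBA decoder.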