I produced a video for my blog post “Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt”:
VBA macros inside a PowerPoint document are not stored directly inside streams, but as records in the “PowerPoint Document” stream. I have a plugin to parse the records of the “PowerPoint Document” stream, but I failed to extract the embedded, compressed OLE file with the macros, until a recent tweet by @AngeAlbertini brought this up again. On his sample too I failed to extract the compressed OLE file, but then I remembered I had fixed a problem with zlib extraction in pdf-parser.py. Taking this code into plugin_ppt.py fixed the decompression problems.
VBA macros in a PowerPoint document do not appear directly in streams:
Plugin plugin_ppt parses records found in stream “PowerPoint Document”:
Each line represents a record, prefixed by an index generated by the plugin (to easily reference records). Records with a C indicator (like 1 and 435) contain sub-records. Records prefixed with ! contain an embedded object.
Record 441 (RT_ExternalOleObjectStg) interests us because it contains an OLE file with VBA macros.
Plugin option -s can be used to select this record:
Plugin option -a can then be used to do a hex/ASCII dump:
The first four bytes are the size, and then follows the zlib compressed OLE file (as indicated by 0x78).
This OLE file can be decompressed and extracted with option -e, but be sure to use option -q (quiet) so that oledump will only report the output of the plugin, and nothing else. This can then be piped into a second instance of oledump:
And now we can extract the VBA macros:
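As an added example (not code from oledump or plugin_ppt), here is the record layout described above parsed in Python: a 4-byte little-endian decompressed size followed by the zlib stream (0x78), inflated with decompressobj so that a damaged stream still yields partial output, and the result checked against the OLE magic. The record payload is constructed here, not taken from a real sample; the function and field names are my own.

```python
import struct
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file signature


def extract_compressed_ole(record_data):
    """Parse the payload of an RT_ExternalOleObjectStg record:
    4-byte little-endian decompressed size, then a zlib stream (0x78 ...)."""
    if len(record_data) < 5:
        raise ValueError("record too short for size field plus zlib header")
    expected_size = struct.unpack("<I", record_data[:4])[0]
    compressed = record_data[4:]
    if compressed[0] != 0x78:
        raise ValueError("byte after size field is not a zlib header (0x78)")
    # decompressobj returns whatever could be inflated from a truncated or
    # damaged stream; one-shot zlib.decompress raises and yields nothing.
    dobj = zlib.decompressobj()
    data = dobj.decompress(compressed)
    try:
        data += dobj.flush()
    except zlib.error:
        pass  # keep the partial output already produced
    return {
        "expected_size": expected_size,
        "data": data,
        "is_ole": data.startswith(OLE_MAGIC),
        "size_ok": len(data) == expected_size,
        "truncated": not dobj.eof,          # stream end (adler32) never reached
        "trailing": len(dobj.unused_data),  # bytes after the zlib stream
    }


def build_sample_record(truncate=0, trailing=b""):
    """Constructed test input: a fake 128-byte OLE file (magic + zero padding),
    zlib-compressed and prefixed with its size, laid out like the real record."""
    fake_ole = OLE_MAGIC + bytes(120)
    compressed = zlib.compress(fake_ole)
    if truncate:
        compressed = compressed[:-truncate]  # simulate a cut-off stream
    return struct.pack("<I", len(fake_ole)) + compressed + trailing


if __name__ == "__main__":
    for label, rec in (("intact", build_sample_record(trailing=b"\x00\x00")),
                       ("truncated", build_sample_record(truncate=3))):
        r = extract_compressed_ole(rec)
        print(label, r["is_ole"], r["size_ok"], r["truncated"], r["trailing"])
```

Piping the returned data into oledump, as the post does, is then just a matter of writing it to stdout instead of printing the summary.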
This new version of oledump.py includes a new plugin to extract VBA code from PowerPoint files and an update to plugin plugin_http_heuristics.
plugin_http_heuristics was updated to increase the chance of success for the XOR dictionary attack, triggered by a maldoc sample I analyzed.
Two new options were added: -e and -k.
By default, plugin_http_heuristics searches for keywords http: and https:. Using option -e, this list is extended with keywords msxml, adodb, shell, c:\, cmd and powershell.
With option -k, the default keyword list is replaced by your own list (using , as separator). Here I look for ftp (which is not present); note that http is no longer detected: