LinuxCommandLibrary

olevba

Extract and analyze VBA macros from OLE and OpenXML files (Microsoft Office documents)

TLDR

Analyze a file, showing both macro code and analysis results

$ olevba [path/to/file]

Recursively analyze all supported files in a directory

$ olevba -r [path/to/directory]

Provide a password for encrypted Microsoft Office files (may be repeated)
$ olevba [[-p|--password]] [password] [path/to/encrypted_file]

Display only analysis results, without showing macro source code
$ olevba [[-a|--analysis]] [path/to/file]

Display only macro source code
$ olevba [[-c|--code]] [path/to/file]

Show obfuscated strings and their decoded content
$ olevba --decode [path/to/file]

SYNOPSIS

olevba [options] <filename> [filename2 ...]

PARAMETERS

file
    One or more files to analyze. Supported inputs are Office 97-2003 (OLE) and Office 2007+ (OpenXML) documents, Word 2003 XML, MHT, SLK, plain-text files containing VBA or VBScript source, and zip archives holding any of these. With -r, directories are searched recursively.

-h, --help
    Show help message and exit.

-r
    Find files recursively in subdirectories.

-z ZIP_PASSWORD, --zip=ZIP_PASSWORD
    If the file is a zip archive, open all files from it using the provided password.

-f ZIP_FNAME, --zipfname=ZIP_FNAME
    If the file is a zip archive, the file(s) to open within it. Wildcards * and ? are supported (default: *).

-p PASSWORD, --password=PASSWORD
    If encrypted Office files are encountered, try decryption with this password. May be repeated.

-a, --analysis
    Display only the analysis results, not the macro source code.

-c, --code
    Display only the VBA source code; do not analyze it.

--decode
    Display all obfuscated strings with their decoded content (Hex, Base64, StrReverse, Dridex, VBA).

--attr
    Display the attribute lines at the beginning of the VBA source code.

--reveal
    Display the macro source code after replacing all obfuscated strings with their decoded content.

--deobf
    Attempt to deobfuscate VBA expressions (slow).

--relaxed
    Do not raise errors if opening a substream fails.

--show-pcode
    Show the disassembled P-code (using pcodedmp).

--no-pcode
    Disable extraction and analysis of P-code.

--no-xlm
    Do not extract XLM (Excel 4) macros.

-l LOGLEVEL, --loglevel=LOGLEVEL
    Logging level: debug, info, warning, error or critical (default: warning).

-t, --triage
    Triage mode: display results as a summary table (default for multiple files).

-d, --detailed
    Detailed mode: display full results (default for a single file).

-j, --json
    JSON mode: detailed results in JSON format (never the default). -t, -d and -j are mutually exclusive.

DESCRIPTION

olevba is a command-line tool that parses OLE (Object Linking and Embedding) and OpenXML files, primarily Microsoft Office documents, to detect VBA (Visual Basic for Applications) macros, extract their source code in clear text, and analyze it. It is part of oletools (python-oletools), a package for analyzing malicious documents, and is a standard first step for security analysts and incident responders handling suspicious Office files. It also extracts XLM (Excel 4) macros from Excel and SLK files.

Beyond extracting the code, olevba scans it for security-relevant patterns: auto-executable entry points (e.g. AutoOpen, Document_Open, Workbook_Open), suspicious keywords commonly used by malware (e.g. Shell, CreateObject, WScript.Shell, Environ), anti-sandboxing and anti-virtualization checks, and potential indicators of compromise (IP addresses, URLs, executable file names). It detects and decodes several common string obfuscation methods (Hex, Base64, StrReverse, Dridex-style encoding, VBA expressions) and extracts indicators from the decoded strings as well. Options let you show only the analysis or only the code, list decoded strings or reveal them in place in the source, and choose a triage summary, detailed report or JSON output. All of this is static analysis: olevba never executes the macro, so it can be run on untrusted input to quickly assess the risk of opening an unknown document.

CAVEATS

olevba's analysis is static and keyword-based: it flags known names and decodes known encodings, so strings that are only assembled at run time, custom encodings, or code that avoids the listed keywords can evade it (--deobf helps with some VBA expressions, but it is slow and not complete). The absence of findings is not evidence that a document is benign, and the presence of keywords such as Shell or CreateObject is a prompt for manual review, not a verdict. Note also that -c prints source without analyzing it, and that the VBA source stored in a document can differ from the compiled P-code that Office actually runs (VBA stomping), which olevba reports when it detects the mismatch; --show-pcode displays the P-code. It is best used as one layer alongside other techniques such as sandbox detonation and manual review of the extracted code.

RETURN VALUES

olevba returns 0 on success. A non-zero return value indicates an error (for example invalid arguments or a file that could not be found or parsed), so scripts that batch-process documents should check the exit status rather than rely on the presence of output.

MALWARE ANALYSIS

olevba is a core tool for reverse engineering potentially malicious documents, especially those targeting Microsoft Office users. The extracted VBA code, together with the strings olevba decodes, can be analyzed further to identify what the macro would do: command execution (Shell, WScript.Shell, PowerShell invocations), file system access (dropping or writing files), and network activity (URLs, IP addresses, download-and-execute patterns) that indicate malware behaviour.
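
To make the three report sections concrete, the following Python script is an added example for this page; it is not olevba's code, does not depend on oletools, and only approximates what olevba does. It runs an olevba-style keyword scan, decodes the string obfuscations named above (Chr() concatenation, StrReverse, Hex, Base64), and extracts indicators from the decoded strings, all over a constructed macro embedded in the script. The keyword lists are illustrative subsets, not olevba's full lists.

```python
"""Toy version of olevba's analysis: keyword scan, string deobfuscation, IOC extraction.
Added example for this page; not olevba's code, and it needs no oletools install."""
import base64
import re

# Constructed sample macro (not taken from any real document).
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim cmd As String
    cmd = Chr(99) & Chr(109) & Chr(100) & ".exe /c " & StrReverse("exe.a\pmet\:c")
    url = "687474703a2f2f3139322e3136382e35362e31302f612e657865"
    key = "cG93ZXJzaGVsbC5leGU="
    Set sh = CreateObject("WScript.Shell")
    sh.Run cmd, 0
End Sub
'''

# Illustrative subsets of olevba's keyword categories (assumption: not the full lists).
AUTOEXEC_KEYWORDS = ("AutoOpen", "AutoExec", "AutoClose", "Document_Open", "Workbook_Open")
SUSPICIOUS_KEYWORDS = ("Shell", "WScript.Shell", "CreateObject", "Run", "Environ",
                       "Kill", "Chr", "StrReverse", "Hex", "Base64")

CHR_OR_LITERAL = r'(?:Chr\$?\(\d+\)|"[^"\n]*")'
CONCAT_RE = re.compile(CHR_OR_LITERAL + r'(?:\s*&\s*' + CHR_OR_LITERAL + r')+')
CHR_RE = re.compile(r'Chr\$?\((\d+)\)')
STRREVERSE_RE = re.compile(r'StrReverse\("([^"\n]*)"\)')
HEX_RE = re.compile(r'"((?:[0-9A-Fa-f]{2}){8,})"')
B64_RE = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')
URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
EXE_RE = re.compile(r'\b[\w.-]+\.(?:exe|dll|vbs|ps1|bat|scr)\b', re.I)


def decode_obfuscated(code):
    """Return (revealed_code, decoded): decoded is a list of (method, cleartext) pairs."""
    decoded = []

    def unreverse(m):                       # StrReverse("...") -> plain literal
        text = m.group(1)[::-1]
        decoded.append(("StrReverse", text))
        return '"' + text + '"'

    def fold(m):                            # Chr(..) & "lit" & Chr(..) -> one literal
        text = ""
        for part in re.findall(CHR_OR_LITERAL, m.group(0)):
            c = CHR_RE.fullmatch(part)
            text += chr(int(c.group(1))) if c else part[1:-1]
        decoded.append(("VBA", text))
        return '"' + text + '"'

    # Like --reveal: rewrite the source with the decoded strings substituted in place.
    revealed = CONCAT_RE.sub(fold, STRREVERSE_RE.sub(unreverse, code))

    # Hex and Base64 literals are reported (as --decode does) but left in the source.
    for h in HEX_RE.findall(revealed):
        try:
            decoded.append(("Hex", bytes.fromhex(h).decode("ascii")))
        except (ValueError, UnicodeDecodeError):
            pass
    for b in B64_RE.findall(revealed):
        if re.fullmatch(r'[0-9A-Fa-f]+', b):  # already handled as hex
            continue
        try:
            decoded.append(("Base64", base64.b64decode(b, validate=True).decode("ascii")))
        except (ValueError, UnicodeDecodeError):
            pass
    return revealed, [(k, t) for k, t in decoded if t.isprintable()]


def scan_keywords(text):
    """Case-insensitive whole-word keyword scan over source plus decoded strings."""
    hit = lambda kw: re.search(r'\b' + re.escape(kw) + r'\b', text, re.I) is not None
    return {"AutoExec": [k for k in AUTOEXEC_KEYWORDS if hit(k)],
            "Suspicious": [k for k in SUSPICIOUS_KEYWORDS if hit(k)]}


def extract_iocs(strings):
    """Pull URLs, IPv4 addresses and executable names out of string literals."""
    iocs = {"URL": set(), "IPv4": set(), "Executable": set()}
    for s in strings:
        iocs["URL"].update(URL_RE.findall(s))
        iocs["IPv4"].update(IPV4_RE.findall(s))
        iocs["Executable"].update(EXE_RE.findall(s))
    return {k: sorted(v) for k, v in iocs.items()}


def analyze(code):
    """Produce the three sections of an olevba-style report for one macro source."""
    revealed, decoded = decode_obfuscated(code)
    cleartext = [t for _, t in decoded]
    literals = re.findall(r'"([^"\n]*)"', revealed) + cleartext
    return {"keywords": scan_keywords("\n".join([code] + cleartext)),
            "decoded": decoded, "iocs": extract_iocs(literals), "revealed": revealed}


if __name__ == "__main__":
    report = analyze(SAMPLE_VBA)
    for section in ("keywords", "decoded", "iocs"):
        print(section, report[section])
    print(report["revealed"])
```

The point of the decoded-string pass is visible in the sample: neither the C2 URL nor cmd.exe appears anywhere in the raw source, so a keyword-only scan would report the macro as merely "suspicious", while the decoded strings turn it into concrete indicators you can block and hunt for. The same limitation from the CAVEATS section applies to this toy as to olevba itself: a string built by arithmetic on variables at run time is invisible to both.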

HISTORY

olevba is part of oletools (python-oletools), developed by Philippe Lagadec. It has been actively maintained and extended to keep pace with evolving macro malware techniques and newer Office file formats, including OpenXML documents, XLM (Excel 4) macros and P-code analysis, and has become a widely adopted tool in the incident response community.

SEE ALSO

oleid(1), mraptor(1), olebrowse(1)
