
SANS ISC: InfoSec Handlers Diary Blog



New oledump.py plugin: plugin_version_vba

Published: 2019-12-23
Last Updated: 2019-12-23 17:43:57 UTC
by Didier Stevens (Version: 1)

In diary entry "VBA Office Document: Which Version?", I explain how to identify the Office version that was used to create a document with VBA macros.

I now have an oledump.py plugin (plugin_version_vba) that automates this task:

In this example, the version number is 00AF, and that corresponds to Office 2016 or 2019 32-bit.

If the version number is not known, like with this AutoCAD .dwg file, you'll get a question mark:

The version number is 009A, but that does not correspond to an Office version I know.
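
As an added illustration (not the plugin's code and not part of the original diary entry), this sketch reads the version word as the MS-OVBA specification lays out the `_VBA_PROJECT` stream header: a fixed 0x61CC marker followed by a little-endian 16-bit version. The function names, sample bytes and output format are assumptions, and the lookup table holds only the one mapping given above.

```python
import struct

# Reserved1 of the _VBA_PROJECT stream header, fixed by MS-OVBA.
VBA_PROJECT_MAGIC = 0x61CC

# Only the mapping stated in this diary entry; extend it with values you
# have verified yourself.
KNOWN_VERSIONS = {
    0x00AF: "Office 2016 or 2019 32-bit",
}


def vba_version(stream: bytes):
    """Return (version, description) from raw _VBA_PROJECT stream bytes.

    Header layout per MS-OVBA: Reserved1 (uint16, 0x61CC) then Version
    (uint16), both little-endian. Unknown versions are reported as '?'.
    """
    if len(stream) < 4:
        raise ValueError("stream too short for a _VBA_PROJECT header")
    magic, version = struct.unpack_from("<HH", stream, 0)
    if magic != VBA_PROJECT_MAGIC:
        raise ValueError("not a _VBA_PROJECT stream (marker %04X)" % magic)
    return version, KNOWN_VERSIONS.get(version, "?")


def report(stream: bytes) -> str:
    """Format the result as 'HHHH: description' (format is hypothetical)."""
    version, description = vba_version(stream)
    return "%04X: %s" % (version, description)


# Constructed sample headers, not bytes taken from real documents.
SAMPLE_OFFICE = bytes.fromhex("cc61af000001ff")
SAMPLE_DWG = bytes.fromhex("cc619a000001ff")

if __name__ == "__main__":
    for sample in (SAMPLE_OFFICE, SAMPLE_DWG):
        print(report(sample))
```

Checking the 0x61CC marker first keeps the function from reporting a "version" for a stream that is not `_VBA_PROJECT` at all.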

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: oledump vba version