Extracting VBA Macros From .DWG Files

I updated my oledump.py tool to help with the analysis of files that embed OLE files, like AutoCAD's .dwg files with VBA macros.

A .dwg file is not an OLE file, and you get a warning when you try to analyze it with oledump:

I added a new option to oledump: -f (--find). You use this option to find and select embedded OLE files inside any file.

A .dwg file with embedded VBA macros contains an OLE file. You can now search for embedded OLE files using option "-f l" (letter l, for list), like this:

From this output, we can tell that the .dwg file contains an OLE file at position 0x8090.

We can select this embedded file for analysis using option "-f 1" (number 1), like this:

And then you can just use familiar options, like -s -v, to analyze the macros.
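The "-f l" / "-f 1" workflow described above boils down to two steps: scan the container for the OLE Compound File signature (D0 CF 11 E0 A1 B1 1A E1), then carve from the selected hit to the end of the file so a normal OLE parser can take over. The following is an added example that is not code from oledump.py or from Didier Stevens; it assumes a plausibility check on the 512-byte OLE header (byte-order mark, sector shift, mini-sector shift) to weed out stray signature matches, and it builds a constructed .dwg-like container with the embedded OLE file at 0x8090 to mirror the output shown in this diary.

```python
import struct
import sys

# Signature of an OLE Compound File (MS-CFB) header.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
OLE_HEADER_SIZE = 512


def find_ole_signatures(data):
    """Return every byte offset at which the OLE signature occurs."""
    offsets = []
    pos = data.find(OLE_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(OLE_MAGIC, pos + 1)
    return offsets


def ole_header_is_plausible(data, offset):
    """Assumed sanity check (not oledump's): the fixed header fields must
    carry the values MS-CFB requires, otherwise the match is a stray hit."""
    if offset + OLE_HEADER_SIZE > len(data):
        return False
    header = data[offset:offset + OLE_HEADER_SIZE]
    # Byte order mark at 28, sector shift at 30, mini sector shift at 32.
    byte_order, sector_shift, mini_sector_shift = struct.unpack_from("<HHH", header, 28)
    return byte_order == 0xFFFE and sector_shift in (9, 12) and mini_sector_shift == 6


def list_embedded_ole(data):
    """Equivalent of '-f l': numbered list of (index, offset) for plausible OLE files."""
    hits = [off for off in find_ole_signatures(data) if ole_header_is_plausible(data, off)]
    return [(index, off) for index, off in enumerate(hits, start=1)]


def select_embedded_ole(data, index):
    """Equivalent of '-f N': carve the N-th embedded OLE file to end of container."""
    for candidate_index, offset in list_embedded_ole(data):
        if candidate_index == index:
            return data[offset:]
    raise IndexError("no embedded OLE file with index %d" % index)


def build_sample_container():
    """Constructed sample, not a real .dwg: a stray signature at 0x40 with no valid
    header behind it, and a minimal valid OLE header at 0x8090 (as in the diary)."""
    header = bytearray(OLE_HEADER_SIZE)
    header[0:8] = OLE_MAGIC
    # minor version, major version, byte order, sector shift, mini sector shift
    struct.pack_into("<HHHHH", header, 24, 0x003E, 0x0003, 0xFFFE, 0x0009, 0x0006)
    container = bytearray(0x8090)
    container[0:6] = b"AC1032"          # constructed DWG-style version tag
    container[0x40:0x48] = OLE_MAGIC     # stray signature, should be rejected
    container += header
    container += b"\x00" * 512           # one empty sector following the header
    return bytes(container)


if __name__ == "__main__":
    # Usage: python this_script.py <file> [index]
    if len(sys.argv) < 2:
        data = build_sample_container()
    else:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    if len(sys.argv) < 3:
        for index, offset in list_embedded_ole(data):
            print("%d: OLE file at position 0x%X" % (index, offset))
    else:
        sys.stdout.buffer.write(select_embedded_ole(data, int(sys.argv[2])))
```

Run without arguments to see the listing for the constructed sample; with a file path it lists that file's embedded OLE files, and with a path plus index it writes the carved OLE stream to stdout so it can be piped into oledump.py or another OLE parser. Carving to end of file is deliberate: the OLE header does not record its own total size, so the parser, not the carver, decides where the compound file ends.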

I also produced a video on .dwg files with embedded VBA macros:


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Dec 22nd 2019
