olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to detect VBA Macros, extract their source code in clear text, decode malware obfuscation (Hex/Base64/StrReverse/Dridex) and detect security-related patterns such as auto-executable macros, suspicious VBA keywords used by malware, and potential IOCs (IP addresses, URLs, executable filenames, etc). It is part of the python-oletools package.
It can be used either as a command-line tool or as a Python module from your own applications.

Supported formats:
olevba is based on source code from officeparser by John William Davison, with significant modifications.
MS Office files encrypted with a password are also supported, because VBA macro code is never encrypted, only the content of the document.
See this article for more information and technical details about VBA Macros and how they are stored in MS Office documents.
See the olevba documentation.
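The kinds of checks described above (auto-executable macro names, suspicious keywords, and IOCs hidden behind Hex/Base64/StrReverse encoding) can be illustrated with a small standard-library sketch. This is an added example, not olevba's code or API: the keyword lists, regular expressions, function names and the sample macro are assumptions constructed for illustration.

```python
import base64, binascii, re

AUTOEXEC = ("AutoOpen", "Document_Open", "Workbook_Open", "Auto_Open")
SUSPICIOUS = ("Shell", "CreateObject", "URLDownloadToFile")
IOC_PATTERNS = {
    "URL": re.compile(r"https?://[^\s\"']+"),
    "IPv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Executable": re.compile(r"\b[\w.-]+\.(?:exe|dll|scr|bat)\b", re.I),
}

def decoded_strings(source):
    """Yield (encoding, text) for string literals that decode to printable ASCII."""
    for m in re.finditer(r'StrReverse\(\s*"([^"\r\n]*)"\s*\)', source, re.I):
        yield "StrReverse", m.group(1)[::-1]
    for lit in re.findall(r'"([^"\r\n]{8,})"', source):
        decoders = []
        if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", lit):
            decoders.append(("Hex", binascii.unhexlify))
        if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", lit) and len(lit) % 4 == 0:
            decoders.append(("Base64", base64.b64decode))
        for name, decode in decoders:
            try:
                text = decode(lit).decode("ascii")
            except ValueError:
                continue  # not valid in this encoding, or not ASCII text
            if text.isprintable():
                yield name, text

def analyze_vba(source):
    """Return (kind, value, where) findings for one macro's source text."""
    findings = []
    for kind, keywords in (("AutoExec", AUTOEXEC), ("Suspicious", SUSPICIOUS)):
        for kw in keywords:
            if re.search(rf"\b{kw}\b", source, re.I):
                findings.append((kind, kw, "keyword"))
    # Scan the raw source first, then every decoded literal, for IOC patterns.
    for where, text in [("plain", source), *decoded_strings(source)]:
        for kind, pattern in IOC_PATTERNS.items():
            findings += [(kind, hit, where) for hit in pattern.findall(text)]
    return findings

# Constructed sample macro; hosts use documentation-reserved names and addresses.
SAMPLE = "\n".join([
    "Sub AutoOpen()",
    '    a = StrReverse("%s")' % "http://example.com/x"[::-1],
    '    b = "%s"' % base64.b64encode(b"http://192.0.2.10/a").decode(),
    '    c = "%s"' % binascii.hexlify(b"update.exe").decode(),
    '    Set o = CreateObject("WScript.Shell")',
    "End Sub",
])
```

Calling `analyze_vba(SAMPLE)` reports no IOC in the plain source; the URL, IP address and executable name only surface after the literals are decoded, which is why a decoding pass matters for triage.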