olevba - a tool to extract VBA Macro source code from MS Office documents (OLE and OpenXML)

olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to detect VBA Macros, extract their source code in clear text, decode malware obfuscation (Hex/Base64/StrReverse/Dridex) and detect security-related patterns such as auto-executable macros, suspicious VBA keywords used by malware, and potential IOCs (IP addresses, URLs, executable filenames, etc). It is part of the python-oletools package.

It can be used either as a command-line tool, or as a python module from your own applications.Supported formats:

olevba is based on source code from officeparser by John William Davison, with significant modifications.

Quick links: Home page - Download - Documentation - Report Issues/Suggestions/Questions - Contact the Author - Repository - Updates on Twitter

Main Features

 

MS Office files encrypted with a password are also supported, because VBA macro code is never encrypted, only the content of the document.

About VBA Macros

See this article for more information and technical details about VBA Macros and how they are stored in MS Office documents.

Usage, Examples, Python API

See the olevba documentation.