Day 8 - Oledump

Writer: Vesa Vertainen, Project Engineer, JAMK University of Applied Sciences

On day 2 of the CinCan Christmas calendar, we talked about the PDF-parser tool by Didier Stevens. Today we introduce another fine tool from his collection: oledump. With oledump you can analyze OLE files, such as Microsoft Word and Excel documents. These documents contain data streams that can be analyzed.

In our example case, we have testfile.docm in the current folder. Let’s see what we can find using our cincan/oledump Docker container:

$ docker run --rm -v $(pwd):/data cincan/oledump /data/testfile.docm

pic1

A simple analysis without arguments shows, that there are five streams in the document. Now, we can analyze further, and see what can be found in stream 3 (option -s 3), which seems to contain Visual Basic code:

$ docker run --rm -v $(pwd):/data cincan/oledump /data/testfile.docm -s 3

pic2

The output above shows only the beginning of a very long stream. To make it easier to find something notable, we can add the -S option, which performs a strings dump.

The previous commands could have been run more easily using the cincan command line tool. This time, instead of running with docker, we run oledump using the cincan tool. :

pic3

And that’s it, the strings dump of stream three, shows us a VBA macro designed to launch an executable.

The cincan/oledump -tool, and many other tools are free to download at the CinCan’s Gitlab repository, and the Docker hub. To learn more about Didier Stevens’ tools, visit blog.didierstevens.com/programs/oledump.py/.