I'm working on a new program, oledump, which I use to extract data from Microsoft Office files. Since I tweeted about it, several people have expressed interest in having a go at it, so that's why I'm making this quick video and making the beta of my program available. So, oledump: you pass it, for example, an Excel file with VBA, and oledump will then print all the streams that it finds in the OLE file. The streams are numbered, so that you can select them, from 1 to 10 here. The M here indicates that those streams contain macros. This is the size of each stream, and this is the name of the stream. So, I can select stream 7 here, which contains macros. Okay, and then you get an ASCII dump, if you do this. You can also do a hex dump with -x, dumping the content of the stream, like this. Now, let's go back to the ASCII dump here. Okay, you can see this 01 here. This is the beginning of the compressed VBA macros. Normally, VBA macros stored in Office files like Excel are compressed with a special algorithm, and I wrote the decompressor in Python for this compressed data. So, you have here 01, which indicates the start of compressed data. These two bytes here indicate the size of the compressed data, and also a flag here, the B, a flag that tells if the file, sorry, the data, is compressed or not. So, here it is compressed. And then, following that, you have chunks of compressed data. Each chunk starts with a status byte, and every bit of the status byte tells if the next couple of bytes have to be taken literally, or if they reference other bytes. So, 00 here tells us that all the bytes have to be taken literally. So, the eight following bytes here have to be taken literally, and that is "Attribut", you see. Then 00 again, all literal: that's "e VB_Nam", and then we are here, and so on. And that is how you can decompress the data. And that is what I did in my program.
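The decompression walked through above (01 signature, chunk header with the size and the compressed flag, then status bytes whose bits select literal bytes or copy tokens), written out as an added Python example. This is not the video's or oledump's own code; the sample container at the bottom is constructed by hand for this example, with the status-byte layout spelled out in the comments.

```python
import struct

def decompress_vba(container: bytes) -> bytes:
    """Decompress a VBA CompressedContainer (the data that starts with 0x01)."""
    if not container or container[0] != 0x01:
        raise ValueError("no 0x01 container signature")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(container):
        hdr = struct.unpack_from("<H", container, pos)[0]
        if (hdr >> 12) & 0x7 != 0b011:          # 3-bit chunk signature must be 011
            raise ValueError("bad chunk header at offset %d" % pos)
        chunk_end = min(pos + (hdr & 0x0FFF) + 3, len(container))  # size field + 3 = whole chunk
        compressed = bool(hdr & 0x8000)         # the "B" nibble carries this flag
        pos += 2
        chunk_start = len(out)                  # copy distances are relative to this chunk
        if not compressed:                      # raw chunk: bytes are stored as-is
            out += container[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = container[pos]              # status byte: one bit per following item
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:      # 0 = literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]  # 1 = copy token
                pos += 2
                distance = len(out) - chunk_start
                bit_count = max((distance - 1).bit_length(), 4)  # ceil(log2(distance)), min 4
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):         # byte-wise copy so overlapping runs work
                    out.append(out[src + i])
    return bytes(out)

# Constructed sample (not from the video): one compressed chunk whose status bytes are
# 0x00 (eight literals) except one that ends in a copy token re-using "Attribute VB_".
_LITERALS = b"\x00Attribut" + b"\x00e VB_Nam" + b'\x00e = "Mod'
_COPY_RUN = b"\x80" + b'ule1"\r\n' + b"\x0A\xF0"    # 7 literals, then token 0xF00A: len 13, back 31
_TAIL = b"\x00Exposed " + b"\x00= False\r" + b"\x00\n"
_CHUNK = _LITERALS + _COPY_RUN + _TAIL
SAMPLE = b"\x01" + struct.pack("<H", 0xB000 | (len(_CHUNK) + 2 - 3)) + _CHUNK
```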
So, if you use option -v, it will extract the VBA macro, like this. Now, I've also noticed that my program, oledump, not only works on VBA macros, but also on protected macros, those that are protected by a password. Like this one here: you can see the streams, and here stream 7 contains macros. So, let's have a look: stream 7, -v. And you can see the content of the module, even if it is password protected. Now, you might ask why I'm still developing programs for such an old file format. But the thing is that this file format is still used in the new Office file formats. So, here we have several test files, and one of them here is in the new file format, XLSM. And you know that this file format is actually a compressed zip file. So, I'm going to have a look inside with my zipdump utility. Okay. And here you can see the different files inside the zip file; that is the new file format for Office. Most of the time, it is XML files that you find. But if there are macros inside, you will find vbaProject.bin as a file, and this file still uses the OLE file format. So, it is not XML; it is the new, the old, sorry, OLE file format. Let me select that file: that's xl/vbaProject.bin. Okay. So, that's the file. I'm going to dump it. Well, first of all, let's have a look at an ASCII dump. Okay, in the ASCII dump you can see DOCFILE; this is the magic string, the magic byte sequence, for an OLE file. So, I can extract this file, dump it, and then pass it on to my new oledump tool. Okay. And now you can see the streams inside this. And there are some VBA streams, like this Module1 with macros. So, we can select stream 3 and view the macros. Like this. Stream 5, sorry, stream 5: that's the other macro sheet included. So, even in the new file formats, the old file format is still used for macros. Now, that is macros. What my tool can also do is look at embedded files.
So, here I have an Excel file with a small embedded text file. And if you do this, you will see a stream which is named 01 Ole10Native. And that is actually the embedded file. If you look for that string, then you will find embedded files in your Office documents. So, I can select this stream, like this. So, the first four bytes here indicate the size of the stream. Then you have 02 00, meaning unknown. Then you have the file name, terminated by zero. The file path, terminated by zero. Again, some flags. Here, the size of the next string, but the string is also terminated by zero. This string is a full path, a temporary path. And then here, 0A 00 00 00, you have the size of the embedded content. And here, 1 2 3 4 5 6 7 8 9, that is the embedded file. And then again, some file names. So, that's the structure of an embedded file in an Ole10Native stream. And if you select this, you can look at the info with option -i. And now you can clearly see the names: test.txt comes from the demo directory and will be temporarily stored in this file. And it contains 10 bytes. You can extract the file itself, like this, and this is the file. Now, this is a simple text file, but I also have this for an executable. This one here, and here again you can see 01 Ole10Native, with another prefix, and a rather large size, 58,000 bytes. Now, I can select this stream, stream 5, and then it will be dumped. So, let's take the first lines, like this, and you can see here the MZ, which indicates that it is a DOS file, and then here the typical string that is found in executables. So, this is the executable. We can look at the information, like this, and then of course extract it. And then you can redirect it to a file, like this, or pipe it into another command, so that you don't have to touch the disk, and let it be analyzed with pecheck. Okay, and you can indeed see that it is an executable, because pecheck is able to parse the file.
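A parser for the Ole10Native layout described above (size, 02 00, file name, file path, flags, length-prefixed temporary path, size of the content, then the content), added here as an example; it is not oledump's code. The field names, the sample paths and the 10-byte payload in build_sample are constructed for this example, and the MZ check mirrors what the video looks for in the executable case.

```python
import struct
from dataclasses import dataclass

@dataclass
class Ole10Native:
    label: bytes        # file name as shown to the user
    source_path: bytes  # path the file was inserted from
    temp_path: bytes    # path Office uses when it drops the file temporarily
    payload: bytes      # the embedded file itself

    def looks_like_pe(self) -> bool:
        # the MZ marker the video points at when the embedded file is an executable
        return self.payload[:2] == b"MZ"

def _cstring(buf: bytes, pos: int):
    end = buf.index(b"\x00", pos)           # ValueError if the string is unterminated
    return buf[pos:end], end + 1

def parse_ole10native(stream: bytes) -> Ole10Native:
    total = struct.unpack_from("<I", stream, 0)[0]   # size of everything that follows
    if total + 4 > len(stream):
        raise ValueError("declared size %d exceeds stream" % total)
    pos = 6                                          # skip the size and the 02 00 word
    label, pos = _cstring(stream, pos)
    source_path, pos = _cstring(stream, pos)
    pos += 4                                         # flag dword the video skips over
    temp_len = struct.unpack_from("<I", stream, pos)[0]   # length of the next string
    pos += 4
    temp_path = stream[pos:pos + temp_len].split(b"\x00", 1)[0]  # also zero-terminated
    pos += temp_len
    data_size = struct.unpack_from("<I", stream, pos)[0]
    pos += 4
    if pos + data_size > len(stream):
        raise ValueError("embedded content truncated")
    return Ole10Native(label, source_path, temp_path, stream[pos:pos + data_size])

def build_sample(payload: bytes) -> bytes:
    # Constructed stream with the layout walked through above (paths are placeholders).
    temp = b"C:\\Temp\\test.txt\x00"
    body = (b"\x02\x00" + b"test.txt\x00" + b"C:\\demo\\test.txt\x00"
            + b"\x00\x00\x03\x00" + struct.pack("<I", len(temp)) + temp
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body
```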
You have the entropy, the hashes, and then here the different sections you can find, and then all the data that pecheck shows you. Okay, so that was a quick overview of my new tool that I'm working on, oledump.