Hello, Didier Stevens here, Senior Handler at the Internet Storm Center. I did create a cheat sheet for SANS for my oledump tool. So if you go here over to the ultimate list of SANS cheat sheets, and you scroll down into Digital Forensics and Incident Response, you can find here my oledump quick reference. And here is the PDF, two pages. Right here a bit of explanation, the different options and examples of output. Now my oledump tool is a command line tool written in Python. So you run it like this. And to get help, use option -h. As is explained here, help page. Now this gives you an overview of all the options with a short description. But I also have a man page in this tool. That is option -m, the manual. And that is something different. So option -m, and let me pipe this through more. First you get the help. And after the help you get the manual, where I've written different things that you can do with my oledump tool, how it works and different examples. Now if I run oledump on a spreadsheet with macros, I get output like this. This is here, explained in this cheat sheet, in this part here, the output. Now first of all, I want to encourage you to always use option -i, lowercase i. You can see this here, additional info for item, lowercase i, and here the recommendation to use this for the first analysis. Why is that? If you do that, then an extra column with information will be added. We see here an extra column with only two entries, for 7 and 8. And these are streams that contain macros. And this here gives you the size of the compiled macro and the size of the compressed VBA source code. So the presence of a line here in this column is a sure indication that you are dealing with a stream that contains macros. Another indicator here is M and m, as is explained here, the different indicators. So an uppercase M or lowercase m indicates that there are macros inside this stream and that you can extract and visualize those macros.
So this is in stream 7 and stream 8. So I run oledump and I select stream 7 for the example here. This will do by default a hexadecimal/ASCII dump of the content of that stream. That is explained here: with -s you select, and then you can use various options for dumping, like a hex dump, a binary dump, an ASCII dump. If you don't provide any of those options, then by default it is an ASCII dump. Now for macros themselves, what you actually want to do is decompress the compressed source code. This is explained here, option -v, decompress VBA. And then you get to see the source code. So you see here an empty function, Sub Demo and End Sub. This here is source code, Attribute values, but this is source code that is hidden in the editor. So if you open this spreadsheet with VBA code in Office and you start the IDE for VBA, you will only see Sub Demo and End Sub. These attributes are not displayed as text. You will not see them. You can only see them by looking at some options, like the name of the stream here. Now this also explains the difference between uppercase and lowercase m. So remember stream 8, that was a lowercase m. If we look at that, we only have attributes, no actual code. So that happens too, that you can have streams without any code that a person, a programmer, entered, only the attributes. And that explains the difference between uppercase and lowercase m. Now if the document has been tampered with, for example stomping, it could be that those attributes are gone, that you don't have any of these attributes. And in that case, I will display an exclamation mark. Now about these indicators here, I also have a blog post that explains these indicators and a video. I will link to this video here. You can also choose to get all the macros, select all the streams and decompress like this, and you see then that you have both streams. Now going back to the cheat sheet, here you have the different options, and many I talked about.
By the way, not all options are here in the cheat sheet. It's a condensed cheat sheet. If you want to see all the options, get the help page, look at the manual. And then here there are a couple of examples like I gave them here. And then also all the different plugins that I have. Now here this list of plugins is just an alphabetical list. So it is not in order of importance or frequency of use, it's just an alphabetical list.
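Added example, not code from oledump itself: a minimal Python decompressor for the MS-OVBA compressed container that option -v unpacks, plus a simplified version of the M / m / ! indicator logic described above. The compressed sample bytes are constructed by hand, and the indicator rules are my own reading of the explanation above, not oledump's actual code.

```python
import struct

def vba_decompress(container: bytes) -> bytes:
    """Decompress an MS-OVBA container (the work oledump does for option -v)."""
    if not container or container[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out, pos = bytearray(), 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        chunk_end = pos + (header & 0x0FFF) + 3     # size includes the 2-byte header
        chunk_start, pos = len(out), pos + 2        # DecompressedChunkStart
        if not header & 0x8000:                     # flag clear: raw 4096-byte chunk
            out += container[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags, pos = container[pos], pos + 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:          # literal byte
                    out.append(container[pos]); pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]; pos += 2
                # CopyToken split: offset bits grow with distance into the chunk
                bits = max(4, (len(out) - chunk_start - 1).bit_length())
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                for _ in range(length):             # overlapping copy, one byte at a time
                    out.append(out[-offset])
    return bytes(out)

def macro_indicator(source: bytes) -> str:
    """Simplified M / m / ! indicator (own heuristic, not oledump's exact logic)."""
    lines = [l for l in source.splitlines() if l.strip()]
    attrs = [l for l in lines if l.startswith(b"Attribute ")]
    if not attrs:
        return "!"                  # attribute lines gone, e.g. after VBA stomping
    return "M" if len(attrs) < len(lines) else "m"

# Constructed test vector: one compressed chunk holding an attribute line plus "Sub Demo".
SAMPLE = (b"\x01"                                   # container signature
          b"\x39\xB0"                               # chunk header: compressed, 60 bytes
          b"\x00Attribut" b"\x00e VB_Nam" b"\x00e = \"Mod" b"\x00ule1\"\r\nS"
          b"\x00ub Demo(" b"\x80)\r\nEnd " b"\x00\x3C"  # flag bit 7 = copy token: offset 16, len 3
          b"\x00\r\n")
```

Running macro_indicator(vba_decompress(SAMPLE)) gives "M", because the module holds code beyond its Attribute line; a module with only the Attribute line gives "m".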