Hello, I'm Didier Stevens. In this video here we are going to look at the analysis of AutoCAD drawing files with embedded VBA macros. So if you run my tool oledump on an AutoCAD drawing file like this one here, you will get an error. That's because the DWG file format is a proprietary format from Autodesk and it can contain VBA macros, and the way it is embedded is that those macros are stored inside an OLE file and the OLE file is embedded in the DWG file.

So we can use a new option of oledump to find all the embedded OLE files. So option F for find and then L to have a listing of all the embedded files. And then here you see that we have one potentially embedded file at this position 8090 hexadecimal. So once we have that information we can do the following oledump. So find number one. This is the first file, embedded file and only file that is embedded. So we select that in drawing to VBA. And then here you see the classic analysis, the classic output that is produced by oledump. And then you can just continue to work like you used to, like for example, selecting stream three and decompressing the compressed VBA source code with option V like this. Here you see for example AcadDocument_Activate. This is a subroutine linked to an event that will execute the message box hello when the document is opened and activated in AutoCAD.

Now let's take a quick look at the internals of the DWG file format. So with my tool, cut-bytes, I'm just going to do a small ASCII dump of the start of such a file. So the first 64 bytes. Okay. And here you see a header, a magic sequence AC1032. This is the internal version number of this file format used for AutoCAD. So it varies, this file format, but it usually starts with AC10. And then if you go to position 24 hexadecimal, so that's here, you have a little-endian 32-bit integer. And here you can see that that value here is not zero, is 8080. And this here, this gives you the position of the header of the embedded OLE file.

So if you have a DWG file, a drawing file from AutoCAD that contains embedded VBA macros, then you look here at this value. If it is zero, it doesn't contain macros. If it contains a value, then you have to look at that position. That's what I'm going to do here. cut-bytes again as ASCII dump. And so at position 8080. And I'm going to look at the first 256 bytes of this file here. Okay. And the first 16 bytes here are the header before the embedded OLE file. And here at this position, you have the size of the embedded OLE file. Again, a 32-bit integer, little-endian. So the size here is 1C00. And then here you have the start of the OLE file itself. You can here recognize the magic sequence for an OLE file. And that is actually what my oledump tool does. When you use option F to find embedded files, it just looks for this magic sequence. And each time it finds it, it will list it for you. And then later on you can select it.

Now one last thing. When we take a look at another DWG file, without embedded macros, like I said here, this is a zero. So there are no embedded macros here. If you run my tool on drawing two, sorry. And so I want to list all the embedded files, you see no embedded OLE files found.
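
Added example, not part of the video and not code from oledump or cut-bytes: a Python triage sketch that applies the two checks described in the transcript, the 32-bit little-endian pointer at position 0x24 followed by the 16-byte header, and the scan for the OLE magic sequence. The function names and the sample buffer are assumptions constructed for illustration; the size field is not parsed because the transcript does not state its offset inside the header.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file signature
VBA_POINTER_OFFSET = 0x24   # per the transcript: 32-bit little-endian integer
VBA_HEADER_SIZE = 16        # per the transcript: header before the OLE file


def find_ole_magic(data):
    """Return every offset where the OLE signature occurs (the scan check)."""
    hits, pos = [], data.find(OLE_MAGIC)
    while pos != -1:
        hits.append(pos)
        pos = data.find(OLE_MAGIC, pos + 1)
    return hits


def triage_dwg(data):
    """Report whether a DWG buffer points at an embedded OLE (VBA) file."""
    # Assumption: only files whose version string starts with AC10 are handled.
    if len(data) < VBA_POINTER_OFFSET + 4 or not data.startswith(b"AC10"):
        raise ValueError("not a DWG file with an AC10xx version header")
    (pointer,) = struct.unpack_from("<I", data, VBA_POINTER_OFFSET)
    result = {"version": data[:6].decode("ascii", "replace"),
              "vba_header": pointer, "ole_start": None,
              "magic_hits": find_ole_magic(data)}
    if pointer == 0:
        return result  # zero pointer: no embedded macros
    ole_start = pointer + VBA_HEADER_SIZE
    # A pointer past end of file, or one not followed by the signature,
    # is left unconfirmed (ole_start stays None) instead of being trusted.
    if data[ole_start:ole_start + len(OLE_MAGIC)] == OLE_MAGIC:
        result["ole_start"] = ole_start
    return result


def build_sample(with_macros):
    """Constructed buffer, not a real drawing: only the fields checked above."""
    buf = bytearray(0x8100)
    buf[0:6] = b"AC1032"
    if with_macros:
        struct.pack_into("<I", buf, VBA_POINTER_OFFSET, 0x8080)
        buf[0x8090:0x8098] = OLE_MAGIC
    return bytes(buf)


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_dwg(build_sample(flag)))
```

A mismatch between `ole_start` and `magic_hits` (a signature found by the scan that the header pointer does not account for, or a pointer with no signature behind it) is worth a closer look with the tools shown in the video.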