Hello, I'm Didier Stevens. In this video, I want to show you how you can analyze, with my oledump tool, PowerPoint files that contain VBA macros.

The difference: let's do an oledump of a Word document with macros. When you do that, here you get a stream for the Word document, and here you have all the streams with the macros.

Now here I also have a PowerPoint document that was sent to me by Angel Bertini. That PowerPoint document also contains macros, but you don't see a macros stream. So you see the PowerPoint Document stream, but no macros streams. The thing is that the macros are inside an OLE document that is inside the PowerPoint document.

That PowerPoint Document stream is a bit like Excel streams with BIFF. So a PowerPoint document contains a lot of records, and you can parse these records with the plugin that I have now. That's the PowerPoint plugin, the PPT plugin, and when you run that plugin, it will parse all the records for you.

So let's pipe this through more, and you can see all the records here. You have an index that I add, then the code for the record, and then the type of record. And see here, that indicates that this is a container record. Okay. And then here at the end, at record 441, you can see an exclamation mark: this is a record that contains other content. Here it contains an OLE file. So we can actually select that record, and we have to do that with the plugin options, because it's the plugin that is going to select that record.
So we have to take the plugin options option and then say that we want to select record 441. This has to be put in single quotes here, because this is one string, one argument, one value that we want to pass on to plugin options. Okay, like this. We can also do a hex ASCII dump with option A, and I'm going to take the head, like this.

And here you can see this string here, 7a5c. This means that this stream, sorry, this record, the data in the record, contains gzip compressed data. So we can decompress that by saying e, extract: option e will extract the content, and that's what we get here. If we go back to the beginning... so let's try to do this differently: pipe this through more. Okay.

So now you can see here D0 CF 11 E0 and so on, so this is a docfile, an OLE file. This is the OLE file we want to analyze, and we can extract it here. It's explained here: we have to use option Q to dump the following data. So what does the plugin do? It will extract the data and put it inside the oledump output, but we only want this here, this binary data. So with option Q we can tell oledump not to output all of this other information about the stream. Q stands for quiet. So like this, if you say Q, quiet, you only get the output from the plugin and nothing more. And here, this plugin, we tell it: okay, select record 441 and extract the content, decompress it.

So that gives us indeed here our file, and this is an OLE file. So we can just pipe this again into oledump. And now you can see the macros here, in stream 3, which contains the macros. So I can select stream 3 and decompress it.

So this is how you can analyze VBA macros inside PowerPoint documents. You have to look with a plugin for PowerPoint into the PowerPoint document and identify records that can contain OLE files, and then you have to extract the content of those OLE records and parse that again with oledump.
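The record walk described in the video, as an added Python example that is not from the video and is not the code of the PPT plugin: it lists the records of a PowerPoint Document stream, recurses into containers, and pulls out embedded OLE files. The 8-byte record header layout, record type 0x1011 with a 4-byte size prefix in front of zlib-compressed data, and the sample stream built inline are assumptions based on the MS-PPT format, not taken from the transcript.

```python
import struct
import zlib

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # start of every OLE (compound) file
RT_OLE_STORAGE = 0x1011  # assumption: record type holding an embedded OLE storage
MAX_OUTPUT = 64 * 1024 * 1024  # cap decompression so a hostile record cannot exhaust memory

def walk_records(data, depth=0):
    """Yield (depth, type, instance, is_container, payload) for every record."""
    offset = 0
    while offset + 8 <= len(data):
        ver_inst, rec_type, rec_len = struct.unpack_from("<HHI", data, offset)
        payload = data[offset + 8:offset + 8 + rec_len]
        if len(payload) < rec_len:
            return  # truncated record: stop instead of trusting the length field
        is_container = (ver_inst & 0xF) == 0xF
        yield depth, rec_type, ver_inst >> 4, is_container, payload
        if is_container:  # a container's payload is itself a run of records
            yield from walk_records(payload, depth + 1)
        offset += 8 + rec_len

def extract_ole_files(data):
    """Return the embedded OLE files found in OLE storage records."""
    found = []
    for _, rec_type, instance, is_container, payload in walk_records(data):
        if is_container or rec_type != RT_OLE_STORAGE:
            continue
        if instance == 1:  # compressed form: 4-byte size, then zlib data
            try:
                payload = zlib.decompressobj().decompress(payload[4:], MAX_OUTPUT)
            except zlib.error:
                continue  # not valid compressed data, skip the record
        if payload.startswith(OLE_MAGIC):
            found.append(payload)
    return found

def make_record(rec_type, payload, ver=0, instance=0):
    """Build one record (used only for the constructed sample below)."""
    return struct.pack("<HHI", (instance << 4) | ver, rec_type, len(payload)) + payload

def build_sample():
    """Constructed stream: a container with one atom, then a compressed OLE storage."""
    fake_ole = OLE_MAGIC + b"\x00" * 504  # header magic only, not a parsable OLE file
    stored = struct.pack("<I", len(fake_ole)) + zlib.compress(fake_ole)
    container = make_record(0x03E8, make_record(0x03E9, b"\x00" * 40), ver=0xF)
    return container + make_record(RT_OLE_STORAGE, stored, instance=1)

if __name__ == "__main__":
    for depth, rec_type, inst, cont, body in walk_records(build_sample()):
        print("  " * depth + f"0x{rec_type:04X} inst={inst} len={len(body)}" + (" container" if cont else ""))
    print(len(extract_ole_files(build_sample())), "embedded OLE file(s) found")
```

On a real file the input would be the bytes of the PowerPoint Document stream, and each returned blob can be fed to oledump again, as the video does with the pipe.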