Hello, Didier Stevens here, Senior Handler with the Internet Storm Center. I'm going to show you the different indicators you can have with my oledump tool. So if you run oledump on an example with VBA code, like this, in this column here you can have indicators, and we are going to review the different indicators that you can see with oledump.

So you have an M. M indicates macro: uppercase M means macros with actual code, so not only attributes, while lowercase m means only attributes. Let's look at the difference. So I select stream 7, well, let's start with stream 8, lowercase m. And as you can see here, the VBA code is only attributes, while when I select stream 7, then I actually have some code. So that's the difference between lowercase m and uppercase M.

By default, oledump will only show you the streams inside an OLE file. You can also see the storages, so storages are like folders, by using option storages. And then here you see the root entry, uppercase R. That's the storage, the root entry storage. And then you have the _VBA_PROJECT_CUR and the VBA storage. Those are both storages, indicated with a dot.

You can have an E indicator. Uppercase E tells you that it contains VBA code, but that there was an error when oledump tried to decompress it. So if I select stream 7 and decompress it, I get an error. You can still try to see the code, the decompressed code until the error happens, by using option vbadecompresscorrupt, because this is an indication of corruption. And then as you can see, you see VBA code until a certain point where the corruption happens.

You can have embedded code inside a document, so an embedded file; that is with indicator O for object. So if I select that object and ask for information, you can see here that it is a PE file that is embedded inside that document.

And then finally here, exclamation mark. Again, this is VBA code, but VBA code that has been tampered with, stomped, for example.
If you select stream 7 and do decompression, you get the error "unable to decompress". So in this case, what you have to do is select the source code. So 7s, s stands for source code, and then decompress. And then you get a hex-ASCII dump of the decompressed code. And of course, you can do a binary dump. And then you can see here the code. And we have that warning, because this is not normal code. You have no attributes; I tampered with the attributes here. Another way to tamper would be to remove everything or put in random bytes.

So these are the indicators that you can encounter with oledump. And I also have a blog post with an overview of the indicators. Here is the list.
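Added example, not part of the video and not oledump's own code: a simplified model of how the macro indicators described above (M, m, E, !) can be derived by decompressing a module's source with the MS-OVBA compression format and inspecting the result. The names `decompress`, `indicator` and `pack_literals` and the sample module text are assumptions made for this sketch, and the classification rules follow only what the video states.

```python
def decompress(data: bytes) -> bytes:
    """Decompress an MS-OVBA compressed container; ValueError if corrupt."""
    if not data or data[0] != 0x01:
        raise ValueError("bad container signature")
    out, pos = bytearray(), 1
    while pos < len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        end = pos + (header & 0x0FFF) + 3        # chunk size includes the header
        if (header >> 12) & 7 != 0b011 or end > len(data):
            raise ValueError("bad chunk signature or truncated chunk")
        pos, chunk = pos + 2, bytearray()
        if not header & 0x8000:                  # raw chunk, stored uncompressed
            chunk, pos = bytearray(data[pos:end]), end
        while pos < end:
            flags, pos = data[pos], pos + 1
            for bit in range(8):                 # one flag bit per token, LSB first
                if pos >= end:
                    break
                if not (flags >> bit) & 1:       # literal byte
                    chunk.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                bits = max((len(chunk) - 1).bit_length(), 4)  # offset field width
                offset = (token >> (16 - bits)) + 1
                if pos > end or offset > len(chunk):
                    raise ValueError("truncated or out-of-range copy token")
                for _ in range((token & (0xFFFF >> bits)) + 3):
                    chunk.append(chunk[-offset])  # byte-wise: copies may overlap
        out += chunk
    return bytes(out)

def indicator(stream: bytes) -> str:
    try:
        text = decompress(stream).decode("latin-1")
    except ValueError:
        return "E"                               # VBA present but cannot decompress
    lines = [line for line in text.splitlines() if line.strip()]
    attrs = [line for line in lines if line.startswith("Attribute")]
    if not attrs:
        return "!"                               # no attributes: not normal code
    return "m" if len(attrs) == len(lines) else "M"

def pack_literals(text: bytes) -> bytes:
    """Constructed-sample builder: a valid container using literal tokens only."""
    body = b"".join(b"\x00" + text[i:i + 8] for i in range(0, len(text), 8))
    return b"\x01" + (0xB000 | (len(body) - 1)).to_bytes(2, "little") + body

# Constructed sample module text (not taken from the video)
ATTR = b'Attribute VB_Name = "Module1"\r\n'
CODE = b'Sub Hello()\r\nEnd Sub\r\n'
```

For instance, `indicator(pack_literals(ATTR))` models a lowercase m stream, and truncating a container before passing it in models the E case.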