Office Files
Office documents (like .doc, .docx, .xls, .ppt, etc.) often contain embedded macros, metadata, or hidden objects that may store flags or malicious code.
In CTF challenges, analyzing these files can reveal hidden strings, encoded data, or VBA macros.
- Extract macros: `olevba sample.doc`
- Extract metadata: `olemeta sample.doc`
- List OLE streams: `oledir sample.doc`
| Tool | Purpose |
|---|---|
| oletools | Analyze OLE and OOXML files |
| olevba / olevba3 | Extract VBA macros from Office documents |
| oledir | List all streams and storages inside OLE files |
| olemeta | Extract metadata |
To extract VBA macros from Office documents:
```bash
olevba sample.doc
```
Look for:
- Encoded strings or obfuscated code
- Auto-executing macros (e.g., `AutoOpen`, `Document_Open`)
- Suspicious commands like Shell, CreateObject, or Base64Decode
Example output:
```
$ olevba suspicious.doc
+------------+--------------+------------------------------------+
| Type       | Keyword      | Description                        |
+------------+--------------+------------------------------------+
| AutoExec   | AutoOpen     | Runs when the document is opened   |
| Suspicious | CreateObject | May create external COM objects    |
| Suspicious | Shell        | Executes command-line instructions |
+------------+--------------+------------------------------------+
```
Modern Office files (e.g., .docx, .xlsx) are ZIP archives containing XML data.
Inspect their contents using standard tools:
```bash
unzip sample.docx -d output/
7z x sample.docx
```
Look inside the extracted directories for:
- `word/document.xml` — contains the main text
- `word/vbaProject.bin` — stores VBA macros
- `docProps/core.xml` — contains metadata (author, timestamps)
You can analyze vbaProject.bin separately with olevba:
```bash
olevba output/word/vbaProject.bin
```
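The same ZIP inspection can be done in memory, without extracting an untrusted sample to disk. This is an added example, not part of the original page or of oletools; it uses only Python's standard library. The names `triage_ooxml`, `build_sample` and `MAX_XML` are hypothetical, and the sample document and its author value are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the core-properties part (docProps/core.xml).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
FIELDS = ("dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified")
MAX_XML = 1_000_000  # assumed limit: skip metadata parts declaring a larger size

def triage_ooxml(data: bytes) -> dict:
    """List parts, flag VBA storage and read metadata without writing to disk."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not a ZIP container; legacy OLE files need oledir/olevba")
    report = {"parts": [], "vba_parts": [], "metadata": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            report["parts"].append(info.filename)
            if info.filename.lower().endswith("vbaproject.bin"):
                report["vba_parts"].append(info.filename)
            if info.filename == "docProps/core.xml" and info.file_size <= MAX_XML:
                # stdlib parser keeps this dependency-free; defusedxml is the
                # safer choice for untrusted samples.
                root = ET.fromstring(zf.read(info))
                for path in FIELDS:
                    node = root.find(path, NS)
                    if node is not None and node.text:
                        report["metadata"][path.split(":")[1]] = node.text
    return report

def build_sample() -> bytes:
    """Constructed sample: a minimal ZIP holding the three parts named above."""
    xmlns = " ".join(f'xmlns:{k}="{v}"' for k, v in NS.items())
    core = (f"<cp:coreProperties {xmlns}><dc:creator>ctf-author</dc:creator>"
            "<dcterms:created>2024-01-01T00:00:00Z</dcterms:created>"
            "</cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/vbaProject.bin", b"placeholder bytes, not a real VBA project")
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_ooxml(build_sample()))
```

Any path listed in `vba_parts` is what you would then hand to `olevba`.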