# oledump.py
# Analyze OLE2 files (Office documents), extract streams and VBA macros
# FOR610 Labs: 3.3, 3.4, 4.5 | Sections: 3, 4 | Author: Didier Stevens
# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office

% office, vba, macro, ole, didier-stevens

# Basic usage
oledump.py document.docm

# Select specific item
oledump.py document.docm -s A3 -v

# Alternative usage
oledump.py document.docm -i


# --- Recipes (multi-tool chains) ---

# >> Extract Base64 PowerShell from Office Macro
# List streams — find macro (M) and data streams
oledump.py <document>
# Extract VBA source to understand what the macro does
oledump.py <document> -s <macro_stream> -v
# Scan data stream for Base64 strings
oledump.py <document> -s <data_stream> -d | base64dump.py -n 10
# Decode the longest Base64 hit to file
oledump.py <document> -s <data_stream> -d | base64dump.py -s 1 -d > payload.ps1

# >> Decode VBA Number Arrays to Strings
# Extract VBA and convert number sequences to text
oledump.py <document> -s <stream> -v | numbers-to-string.py -j
# Same but with line-break formatting for readability
oledump.py <document> -s <stream> -v | numbers-to-string.py -j | sed 's/;/;\n/g'

# >> Full Office Macro Decode Chain
# Step 1: List streams and extract VBA
oledump.py <document>
oledump.py <document> -s <macro_stream> -v
# Step 2: Extract Base64 from data stream
oledump.py <document> -s <data_stream> -d | base64dump.py -s 1 -d > stage1.ps1
# Step 3: Decode second Base64 layer + decompress
base64dump.py stage1.ps1 -s 3 -d | gunzip > stage2.ps1
# Step 4: XOR decode the shellcode
base64dump.py stage2.ps1 -s 2 -d | translate.py 'byte ^ 35' > shellcode.bin
# Step 5: Emulate the shellcode
scdbgc /f shellcode.bin /s -1