Excel 4 Macros – Get.Workspace Reference

With the recent resurgence of the use of Excel 4 macros in malicious excel documents, I’ve found myself scouring the internet looking for language references. One such function that was particularly difficult to find documentation for was Get.Workspace, which takes a integer value as an argument and returns information about the environment. Since it appears that it is all but impossible to find Excel 4 macro documentation from Microsoft, I thought I’d create a few posts in the hopes of the content getting indexed and thus easier to find. The source of this information came from this PDF, which used…

Read more

Removing Passwords from VBA Projects

Occasionally I’ll encounter a maldoc that has a password-protected VBA project. While tools such as oledump may still extract the macros, the password protection is typically encountered when accessing the project through the Office/VBA IDE (which I typically use for dynamic analysis). This happens rare enough that I often forget the steps of removing the password so thought I’d start collecting possible solutions. Word – 2007+ Sample MD5: dc989fa836fa93fe1f158fa490382686Any.Run: https://app.any.run/tasks/dd8ae979-4afc-44ac-99d2-3b57f9d6e2b1Hybrid-Analysis: https://www.hybrid-analysis.com/sample/4bb275b253db05bfa23a677d3db8f78cef0d633bbef19d05e37780f61577153c?environmentId=100 With this type of document, you can rename the original file with a .zip extension, this will allow you to explore the contents. This type of file uses the…

Read more