In this video, we’ll look at installing oledump on Microsoft Windows. Microsoft Office documents are a common vehicle used by malware authors to deliver malware, and documents used for this purpose are commonly referred to as maldocs. Maldocs have been abused in a variety of ways, but one of the more prevalent is through macros. Macros are written in Visual Basic for Applications (VBA), which is well documented on the Microsoft Developer Network (MSDN). This API allows malware authors to hook into life-cycle events of a document, such as AutoOpen, AutoClose and AutoExit (MSDN), in order to achieve code execution with minimal interaction from the user. While the Office suite now offers a variety of security protections, maldocs continue to plague both enterprise and home users.
Oledump is a Python-based set of scripts used to investigate OLE files. These files are containers made up of data streams, which is where macro content is stored. OLE files include Office documents such as .doc, .xls and .ppt. If you are looking for a quick way to get started with oledump, consider using REMnux instead. However, you may find that running oledump in Windows integrates more easily with your analysis workflow (i.e. you’re already working in Windows) and, at times, there are some features that I’ve found to only work in Windows. In any case, this video will get you up and running quickly!
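As an added illustration of what oledump enumerates (this is example code, not part of the video or the oledump project), the script below walks the directory of an OLE compound file, lists its storages and streams, and flags entry names such as Macros, VBA and _VBA_PROJECT that indicate a VBA project. The sample file it parses is constructed inline with a Word-style macro layout so the script runs offline; the macro-name list is an assumption for this example.

```python
import struct

# Constants from the Compound File Binary (OLE) format.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD
STORAGE, STREAM, ROOT = 1, 2, 5
# Assumed indicator list: storage/stream names that point to a VBA project.
MACRO_NAMES = {"macros", "vba", "_vba_project", "_vba_project_cur", "thisdocument", "thisworkbook"}

def sector(data, n, size):
    """Sector n starts after the header, which occupies one full sector."""
    return data[(n + 1) * size:(n + 2) * size]

def list_entries(data):
    """Return (type, name) for every allocated directory entry, as oledump lists them."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    first_dir = struct.unpack_from("<I", data, 0x30)[0]
    # The header's DIFAT array names the FAT sectors; concatenating them gives the FAT.
    raw_fat = b"".join(sector(data, s, size)
                       for s in struct.unpack_from("<109I", data, 0x4C) if s != FREESECT)
    fat = struct.unpack("<%dI" % (len(raw_fat) // 4), raw_fat)
    entries, sect = [], first_dir
    while sect != ENDOFCHAIN:  # follow the directory's sector chain through the FAT
        chunk = sector(data, sect, size)
        for off in range(0, size, 128):  # directory entries are 128 bytes each
            name_len, typ = struct.unpack_from("<HB", chunk, off + 0x40)
            if typ != 0:  # type 0 marks an unallocated slot
                entries.append((typ, chunk[off:off + name_len].decode("utf-16-le").rstrip("\x00")))
        sect = fat[sect]
    return entries

def macro_indicators(data):
    """Sorted entry names that indicate VBA macro content."""
    return sorted(name for _, name in list_entries(data) if name.lower() in MACRO_NAMES)

def build_sample():
    """Constructed 2048-byte CFB with a Word-style VBA layout; not a real document."""
    names = [("Root Entry", ROOT), ("WordDocument", STREAM), ("Macros", STORAGE), ("VBA", STORAGE),
             ("dir", STREAM), ("_VBA_PROJECT", STREAM), ("ThisDocument", STREAM)]
    directory = bytearray(1024)  # two 512-byte directory sectors (sectors 1 and 2)
    for i, (name, typ) in enumerate(names):
        raw = (name + "\x00").encode("utf-16-le")
        directory[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<HB", directory, i * 128 + 0x40, len(raw), typ)
        struct.pack_into("<III", directory, i * 128 + 0x44, FREESECT, FREESECT, FREESECT)  # no tree links
        struct.pack_into("<I", directory, i * 128 + 0x74, ENDOFCHAIN)  # empty stream
    fat = struct.pack("<3I", FATSECT, 2, ENDOFCHAIN).ljust(512, b"\xff")  # sector 0 = FAT
    header = bytearray(512)
    header[:8] = CFB_MAGIC
    struct.pack_into("<5H", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # v3, 512-byte sectors
    struct.pack_into("<8I", header, 0x2C, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header[0x4C:] = b"\xff" * 436  # DIFAT: entry 0 -> FAT sector 0, rest free
    struct.pack_into("<I", header, 0x4C, 0)
    return bytes(header) + fat + bytes(directory)
```

Point `list_entries` at a real .doc and you get the same storage/stream inventory oledump prints, which is the first thing to check when triaging a suspected maldoc.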