[Multi-OLE](/forums/diary/MultiOLE/31580/)==========================================* * [](http://www.facebook.com/sharer.php?u=https%3A%2F%2Fisc.sans.edu%2Fforums%2Fdiary%2F31580 ‘Share on Facebook’)* [](http://twitter.com/share?text=Multi-OLE&url=https%3A%2F%2Fisc.sans.edu%2Fforums%2Fdiary%2F31580&via=SANS_ISC ‘Share on Twitter’) **Published** : 2025-01-12. **Last Updated** : 2025-01-12 11:44:08 UTC **by** [Didier Stevens](/handler_list.html#didier-stevens) (Version: 1) [0 comment(s)](/diary/MultiOLE/31580/#comments) VBA macros and embedded files/objects are stored as [OLE](https://en.wikipedia.org/wiki/Compound_File_Binary_Format) files inside [OOXML](https://en.wikipedia.org/wiki/Office_Open_XML) files.You can have .docm files with many OLE files, like [this one](https://www.virustotal.com/gui/file/a21e7b25ffe1aa4c4b30d538f71dac5fabfeda74740cb0814569fbcc1e8d9b82), analyzed with [zipdump.py](https://github.com/DidierStevens/DidierStevensSuite/blob/master/zipdump.py):If you analyze this with [oledump.py](https://github.com/DidierStevens/DidierStevensSuite/blob/master/oledump.py), each OLE file inside the ZIP container will get its own letter prefix:Use this letter prefix to select the correct stream, like this for the VBA code stream:If it’s the first OLE file (prefix A) you want to analyze with oledump.py, it’s actually not necessary to include the letter:But the letter is required for any other OLE file:Although it is not case-sensitive:Didier Stevens Senior handler [blog.DidierStevens.com](http://blog.DidierStevens.com) Keywords:[0 comment(s)](/diary/MultiOLE/31580/#comments)
Related Tags:
NAICS: 541 – Professional
Scientific
Technical Services
NAICS: 518 – Computing Infrastructure Providers
Data Processing
Web Hosting
Related Services
NAICS: 51 – Information
Blog: SANS Internet Storm Center
Associated Indicators: