Microsoft Access files (Microsoft Office’s Database) can contain VBA code.<\/p>\n
But they are not ole or OOXML files. You can’t analyze them with oledump.py<\/a>:<\/p>\n Neither do they contain an embedded OLE file:<\/p>\n Microsoft does not publish official documentation for the Microsoft Access file format, like it does for CFB (ole) and OOXML.<\/p>\n That inspired me to add support for VBA compression to my search-for-compression.py<\/a> tool.<\/p>\n search-for-compression.py is a tool that searches through binary files, looking for data that is ZLIB compressed. I’ve now added the option to search for compressed VBA code too. That is done with option -t:<\/p>\n There are 3 entries. The first 2 decompress to binary data (01 00 04 …). These are similar to dir streams in ole files. dir\u00a0streams specify VBA project properties, project references, and module properties. They can be dumped:<\/p>\n The 3th one starts with ASCII data (Attritut). This is VBA code that can be selected and dumped:<\/p>\n This example is simple, because it’s just an empty database that I created for this diary entry.<\/p>\n Real samples are a bit more complex. I’ll cover some examples in an upcoming diary entry.<\/p>\n \u00a0<\/p>\n Didier Stevens (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n \t![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260525-151257.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260525-152941.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260525-155505.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260525-161133.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/20260525-155904.png?ssl=1\")
<\/p>\n
\nSenior handler
\nblog.DidierStevens.com<\/a><\/p>\n
\n
<\/BR><\/p>\n