Of interest are two files inside the document archive: document.xml, which is where the main document body text goes, and vbaProject.bin, containing the evil macros themselves.

Opening document.xml, we can see the body copy we entered at the very beginning of this page in the Weaponization section.

vbaProject.bin is a binary file, but reading through it can sometimes give you, as a defender, enough to determine whether the document is suspicious or malicious. Running hexdump -C vbaProject.bin reveals some fragmented keywords that should immediately raise your suspicion - Shell, Hide, Sub_Open - and something that looks like a file path.

A cleaner way to get at the macro source is olevba.py filename.dotm. As seen below, the command nicely decodes vbaProject.bin and reveals the actual code, as well as providing some interpretation of the commands found in the script:
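The same triage the page does by hand (unzip, look for vbaProject.bin, hunt for leaked keywords and paths in the raw blob) as an added Python helper; this is example code, not from the original page or from olevba, and the keyword list and the constructed sample document are assumptions:

```python
# Added triage helper (not the page's own code): open an Office document as a zip,
# check for word/document.xml and a vbaProject.bin, and scan the raw VBA blob for
# the kind of fragmented keywords a hexdump would show. Keyword list is an assumption.
import io
import re
import zipfile

# Strings worth flagging if they leak in plain ASCII from the (compressed) VBA source.
SUSPICIOUS = [b"Shell", b"Hide", b"AutoOpen", b"Document_Open", b"CreateObject", b"WScript"]


def triage_office_doc(data: bytes) -> dict:
    """Return which macro-relevant parts exist and which keywords/paths are visible in the VBA blob."""
    result = {"has_document_xml": False, "has_vba": False, "keywords": [], "paths": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["has_document_xml"] = "word/document.xml" in names
        vba_names = [n for n in names if n.endswith("vbaProject.bin")]
        if not vba_names:
            return result  # no macro container at all
        result["has_vba"] = True
        blob = z.read(vba_names[0])
    # Real vbaProject.bin files store MS-OVBA compressed source, so only fragments of the
    # keywords survive as plain text; this is a heuristic, olevba does the proper decoding.
    for kw in SUSPICIOUS:
        if kw in blob:
            result["keywords"].append(kw.decode())
    # Windows-style drive paths that leaked as ASCII, e.g. a drop location for a payload.
    result["paths"] = [m.decode() for m in re.findall(rb"[A-Za-z]:\\[\w\\.\-]+", blob)]
    return result


def build_sample_doc() -> bytes:
    """Constructed sample: a minimal docm-like zip with a fake VBA blob (not a real OLE file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml",
                   "<w:document><w:body>Please enable content</w:body></w:document>")
        z.writestr("word/vbaProject.bin",
                   b"\x00\x01Sub AutoOpen()\x00Shell\x00Hide\x00C:\\Temp\\sample.exe\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_office_doc(build_sample_doc()))
```

Run it against a real .docm/.dotm by passing the file bytes to triage_office_doc; a hit on keywords or paths is a cue to pull the document into olevba for full decoding.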