document.xml, which is where the main document body text goes, and
vbaProject.bin, containing the evil macros themselves:
vbaProject.bin through it. This can sometimes give you, as a defender, enough to determine whether the document is suspicious or malicious.
hexdump -C vbaProject.bin reveals some fragmented keywords that should immediately raise your suspicion (Shell, Hide, Sub_Open) and something that looks like a file path:
olevba.py filename.dotm. As seen below, the command decodes
vbaProject.bin, reveals the actual macro code and provides some interpretation of the commands found in the script:
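What olevba's decoding step does under the hood, as an added example that is not the page's or the oletools project's own code: VBA module source inside vbaProject.bin is stored in MS-OVBA compressed containers, so the raw bytes only show fragmented keywords; the stdlib-only decompressor below inflates one container and scans the result for the kind of keywords mentioned above. It assumes the module stream has already been located inside the OLE file (olevba uses olefile for that), and the container bytes are a hand-packed constructed sample, not data from a real document.

```python
import struct
# Auto-exec entry points and risky calls a defender looks for in decoded VBA source.
SUSPICIOUS = (b"Auto_Open", b"AutoOpen", b"Document_Open", b"Shell", b"Hide", b"CreateObject")

def decompress_ovba(data: bytes) -> bytes:
    """Inflate an MS-OVBA compressed container (a module's source inside vbaProject.bin)."""
    if not data or data[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out, pos = bytearray(), 1
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        chunk = data[pos + 2 : pos + (header & 0x0FFF) + 3]  # size field counts the header
        pos += (header & 0x0FFF) + 3
        chunk_base = len(out)
        if not header & 0x8000:  # flag bit clear: chunk is 4096 raw bytes
            out += chunk[:4096]
            continue
        i = 0
        while i < len(chunk):
            flags, i = chunk[i], i + 1  # one flag byte governs the next eight tokens
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not (flags >> bit) & 1:  # literal token: copy one byte
                    out.append(chunk[i]); i += 1
                    continue
                token = struct.unpack_from("<H", chunk, i)[0]; i += 2
                # Offset/length bit split depends on how much of this chunk is decoded so far.
                bits = max((len(out) - chunk_base - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                for _ in range(length):  # overlapping back-reference, copied byte by byte
                    out.append(out[-offset])
    return bytes(out)

def suspicious_keywords(vba_source: bytes) -> list:
    low = vba_source.lower()  # case-insensitive match against SUSPICIOUS
    return [k.decode() for k in SUSPICIOUS if k.lower() in low]

# Constructed sample: one compressed chunk encoding the macro below, tokens packed by hand.
SAMPLE_SOURCE = b'Sub Auto_Open()\nShell "x"\nEnd Sub\n'
_chunk = (
    b"\x00" + b"Sub Auto"  # flag 0x00: eight literal bytes follow
    + b"\x00" + b"_Open()\n"
    + b"\x00" + b'Shell "x'
    + b"\x40" + b'"\nEnd ' + b"\x00\xe8" + b"\n"  # bit 6 set: 7th token copies "Sub" (offset 30, len 3)
)
SAMPLE_CONTAINER = b"\x01" + struct.pack("<H", 0xB000 | (len(_chunk) - 1)) + _chunk  # flag|sig|size
```

Running `decompress_ovba(SAMPLE_CONTAINER)` returns the readable macro, and `suspicious_keywords` on it flags Auto_Open and Shell, the same signals the hexdump only hints at.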