maldoc_extract_macros
Extract VBA macros from OLE documents for security analysis. This tool reads Office files to retrieve embedded macro code for forensic investigation.
Instructions
Extract raw VBA macros from an OLE document.
Returns: {"macros": str, "stream_count": int, "macro_streams": [str]}.
Side effects: Read-only file analysis.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| file_path | Yes | Path to the OLE document | |
Implementation Reference
- src/tools/malware.ts:131-164 (handler): The tool 'maldoc_extract_macros' is registered and implemented here, using 'olevba --decode' and 'oledump.py' to extract macros and identify macro streams.

```typescript
server.tool(
  "maldoc_extract_macros",
  "Extract raw VBA macros from an OLE document.\n\nReturns: {\"macros\": str, \"stream_count\": int, \"macro_streams\": [str]}.\n\nSide effects: Read-only file analysis.",
  {
    file_path: z.string().describe("Path to the OLE document"),
  },
  async ({ file_path }) => {
    const { abspath: fpath, error } = validateFile(file_path);
    if (error) {
      return { content: [{ type: "text", text: JSON.stringify({ error }) }] };
    }

    // Full VBA extraction: try the olevba CLI, then the module form, then report absence
    const res = await runShell(
      `olevba --decode '${fpath}' 2>/dev/null || python3 -m oletools.olevba --decode '${fpath}' 2>/dev/null || echo 'olevba not available'`
    );

    // Count macro streams: keep only oledump lines flagged with the M/m macro indicator
    const streamsRes = await runShell(`oledump.py '${fpath}' 2>/dev/null || echo ''`);
    const macroStreams = parseLines(streamsRes.stdout).filter(
      (line) => line.includes(" M ") || line.includes(" m ")
    );

    const result = {
      macros: res.stdout.slice(0, 8000),
      macro_streams: macroStreams,
      stream_count: macroStreams.length,
    };
    return { content: [{ type: "text", text: JSON.stringify(result) }] };
  }
);
```
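The handler above selects macro streams with a plain substring test on oledump's listing and truncates the olevba text at 8000 characters. The following is an added example, not code from this project, that parses an oledump-style stream listing into structured records, applies the same M/m selection, and assembles the documented `{macros, stream_count, macro_streams}` object from captured output instead of shelling out. The oledump listing embedded below is constructed for the example (stream names and byte sizes are made up); the line layout follows oledump's `index: indicator size 'name'` format, where `M` marks a stream containing VBA code and `m` one that holds only Attribute lines. `parseOledumpStreams`, `macroStreamsOf`, `buildResult`, `isTruncated` and `MACRO_TEXT_LIMIT` are names chosen here and do not exist in the project.

```typescript
// Added example (not the project's code): structured parsing of an oledump
// stream listing and assembly of the tool's documented result object.

interface OleStream {
  index: number;
  indicator: string; // "" when oledump printed no flag for this stream
  size: number;
  name: string;
  raw: string;       // the original listing line, which the tool returns verbatim
}

interface MacroExtractResult {
  macros: string;
  stream_count: number;
  macro_streams: string[];
}

// Constructed sample of oledump.py output for a Word binary document that
// carries one VBA module with code (M) and one attribute-only module (m).
const SAMPLE_OLEDUMP_OUTPUT = [
  "  1:       114 '\\x01CompObj'",
  "  2:      4096 '\\x05DocumentSummaryInformation'",
  "  3:       454 'Macros/PROJECT'",
  "  4:        71 'Macros/PROJECTwm'",
  "  5: M    1727 'Macros/VBA/ThisDocument'",
  "  6: m     610 'Macros/VBA/Module1'",
  "  7:      3015 'Macros/VBA/_VBA_PROJECT'",
  "  8:       563 'Macros/VBA/dir'",
  "  9:      6012 'WordDocument'",
].join("\n");

// Same cap the handler applies to the olevba text.
const MACRO_TEXT_LIMIT = 8000;

// index, optional indicator letters, byte size, quoted stream name.
const STREAM_LINE = /^\s*(\d+):\s*([A-Za-z!]*)\s+(\d+)\s+'(.*)'\s*$/;

// Turn each listing line into a record; lines that are not stream entries
// (blank lines, the empty-string fallback, error text) are skipped.
function parseOledumpStreams(output: string): OleStream[] {
  const streams: OleStream[] = [];
  for (const line of output.split(/\r?\n/)) {
    const m = STREAM_LINE.exec(line);
    if (!m) continue;
    streams.push({
      index: Number(m[1]),
      indicator: m[2] ?? "",
      size: Number(m[3]),
      name: m[4] ?? "",
      raw: line,
    });
  }
  return streams;
}

// Equivalent of the handler's " M " / " m " filter, applied to the parsed
// indicator column rather than to the whole line, so a stream name that
// happens to contain " M " cannot be miscounted.
function macroStreamsOf(streams: OleStream[]): OleStream[] {
  return streams.filter((s) => s.indicator.includes("M") || s.indicator.includes("m"));
}

// True when the slice in buildResult would drop part of the olevba output.
function isTruncated(olevbaOutput: string): boolean {
  return olevbaOutput.length > MACRO_TEXT_LIMIT;
}

// Assemble the object the tool documents from already-captured tool output.
function buildResult(olevbaOutput: string, oledumpOutput: string): MacroExtractResult {
  const macroStreams = macroStreamsOf(parseOledumpStreams(oledumpOutput));
  return {
    macros: olevbaOutput.slice(0, MACRO_TEXT_LIMIT),
    stream_count: macroStreams.length,
    macro_streams: macroStreams.map((s) => s.raw),
  };
}
```

Because the example works on captured text, the file path never reaches a shell; the only behaviour it adds over the handler is `isTruncated`, which lets a caller notice that a large macro body was cut at 8000 characters rather than silently analysing a partial listing.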