Last Updated: 2019-12-22 11:01:04 UTC
by Didier Stevens (Version: 1)
A .dwg file is not an OLE file, and you get a warning when you try to analyze it with oledump:
I added a new option to oledump: -f (--find). You use this option to find and select embedded OLE files inside any file.
A .dwg file with embedded VBA macros contains an OLE file. You can now search for embedded OLE files using option "-f l" (letter l, for list), like this:
From this output, we can tell that the .dwg file contains an OLE file at position 0x8090.
We can select this embedded file for analysis using option "-f 1" (number 1), like this:
You can then use familiar options, like -s and -v, to analyze the macros.
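To illustrate the idea behind finding and selecting an embedded OLE file, here is an added example; it is not oledump's own code and not from the original diary entry. It assumes embedded OLE files can be located by their 8-byte compound file signature. The header sanity check, the function names, carving through to the end of the data, and the constructed sample (an OLE header placed at 0x8090 to mirror the position above) are illustrative assumptions.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE/CFB file signature

def find_ole_offsets(data):
    """Every offset where the 8-byte OLE signature occurs."""
    offsets, pos = [], data.find(OLE_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(OLE_MAGIC, pos + 1)
    return offsets

def plausible_header(data, offset):
    """Reject chance signature hits by checking two fixed header fields."""
    if len(data) - offset < 0x20:
        return False
    byte_order, sector_shift = struct.unpack_from("<HH", data, offset + 0x1C)
    return byte_order == 0xFFFE and sector_shift in (9, 12)

def list_embedded(data):
    """Offsets of candidate embedded OLE files (what a listing would show)."""
    return [o for o in find_ole_offsets(data) if plausible_header(data, o)]

def select_embedded(data, number):
    """Carve candidate `number` (1-based) from its offset to end of data."""
    candidates = list_embedded(data)
    if not 1 <= number <= len(candidates):
        raise IndexError("no embedded OLE file number %d" % number)
    return data[candidates[number - 1]:]

def build_sample():
    """Constructed test input, not a real .dwg: filler, header, stray magic."""
    header = bytearray(512)
    header[0:8] = OLE_MAGIC
    # minor version, major version, byte order, sector shift
    struct.pack_into("<HHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9)
    return b"\x00" * 0x8090 + bytes(header) + OLE_MAGIC + b"\x00" * 32

if __name__ == "__main__":
    sample = build_sample()
    for n, off in enumerate(list_embedded(sample), 1):
        print("%d 0x%08x" % (n, off))
    print(len(select_embedded(sample, 1)), "bytes carved")
```

The stray signature at the end of the constructed sample shows why a bare signature match is only a candidate: it is found by the raw search but dropped by the header check.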
I also produced a video on .dwg files with embedded VBA macros: