In diary entry "AV Cleaned Maldoc" I analyze a malicious document with VBA code that has been removed by anti-virus.

As the VBA code has been wiped, no M or m indicators are present:

I've updated my oledump.py to add a ! indicator for such streams:

I also compiled an overview of oledump's indicators.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com