oletools icon indicating copy to clipboard operation
oletools copied to clipboard

Published 20 hours ago verified publisher icon decalage2

olevba, oleid: add detection for CustomXML parts

Open decalage2 opened this issue 3 years ago • 1 comments

See https://inquest.net/blog/2022/10/03/hiding-xml for an example of VBA macro using CustomXML to store a payload.

Also a new keyword ActiveDocument.CustomXMLParts to be added: https://learn.microsoft.com/en-us/office/vba/api/Office.CustomXMLParts

decalage2 avatar Oct 04 '22 08:10 decalage2

Another sample & vba snippet worth taking a look ¯_(ツ)_/¯

https://github.com/mgeeky/CustomXMLPart

mgeeky avatar Dec 08 '22 18:12 mgeeky