ViperMonkey
ActiveDocument variable content value implemented?
Is your feature request related to a problem? Please describe.
Is the function ActiveDocument.Variables("<name>").Value() from VBA implemented for emulation?
Many maldocs contain data in those variables, and at least for me, it seems that this is not implemented, or maybe I'm missing something. It might be hard to implement though.
When executing this particular line:
INFO calling Function: Value()
WARNING Function 'Value' not found
In this particular case, the encryption key is stored in Variables, and deobfuscation is hard since the content is not acquired.
Describe the solution you'd like
Consider implementing function
Can you provide a couple of hashes of maldocs on VT that use this? I'll use those for dev and testing.
Please note that the extraction of document variables has been implemented in olefile in this PR: https://github.com/decalage2/olefile/pull/114 It's available in the development version of olefile on GitHub, not yet in the released version on PyPI. I plan to move it to oletools in the future, because it doesn't fit well in olefile, but for the moment it's available there.
I cannot access example maldocs right now (and for some time), but at least VBad https://github.com/Pepitoh/VBad obfuscation tool generates obfuscated documents using the document variables.
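An added triage example, not part of the thread and not ViperMonkey or olefile code: it scans extracted VBA source for document-variable accesses and reports which names are read but never written by the macro, meaning their values live in the document and an emulator needs them loaded from the file. The sample macro, the names in it and both function names are constructed for illustration.

```python
import re

# Constructed VBA sample, not taken from a real document.
SAMPLE_VBA = '''\
Sub AutoOpen()
    k = ActiveDocument.Variables("cfgKey").Value()
    ActiveDocument.Variables.Add Name:="stage", Value:="1"
    s = ActiveDocument.Variables("stage").Value
    payload = Decode(ThisDocument.Variables("blob"), k)
    n = ActiveDocument.Variables(idx).Value
End Sub
'''

DOC = r'\b(?:ActiveDocument|ThisDocument)\.Variables'
# Variables("name") or Variables(<expression>)
ACCESS = re.compile(DOC + r'\s*\(\s*(?:"([^"]*)"|([^)]*?))\s*\)', re.IGNORECASE)
# Variables.Add "name", ...  or  Variables.Add Name:="name", ...
ADD = re.compile(DOC + r'\.Add\b\s*\(?\s*(?:Name\s*:=\s*)?"([^"]*)"', re.IGNORECASE)


def find_docvar_refs(vba_source):
    """Return (line_number, kind, name_or_expression) for each reference."""
    refs = []
    for lineno, line in enumerate(vba_source.splitlines(), 1):
        for m in ADD.finditer(line):
            refs.append((lineno, "write", m.group(1)))
        for m in ACCESS.finditer(line):
            literal, expr = m.group(1), m.group(2)
            if literal is not None:
                refs.append((lineno, "read", literal))
            else:
                # Name is computed at run time; static analysis cannot resolve it.
                refs.append((lineno, "read-dynamic", expr.strip()))
    return refs


def names_stored_in_document(refs):
    """Literal names that are read but never created by the macro itself."""
    # Assumption: names are compared case-insensitively.
    written = {name.lower() for _, kind, name in refs if kind == "write"}
    return sorted({name for _, kind, name in refs
                   if kind == "read" and name.lower() not in written})


if __name__ == "__main__":
    found = find_docvar_refs(SAMPLE_VBA)
    for ref in found:
        print(ref)
    print("needed from the document:", names_stored_in_document(found))
```

Entries of kind `read-dynamic` mark places where the variable name is built at run time, so the full set of document variables has to be available to the emulator rather than only the literal names.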