Introduction

This post covers how to identify and extract potentially malicious content, such as embedded executables and payloads, from macro forms in Office documents. Refer to Part-1 and Part-2 for the tools and the general approach to analysing phishing documents.

Tools

Didier Stevens Suite (oledump.py)
sudo pip install oletools

Analysis

All document samples are pulled from Hybrid Analysis, a free malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology.

Hash: 345b804a9416595840516674caaa65e65be57591d300beab2b6190298a9eac78

Download the sample above and verify its integrity by comparing the SHA-256 of the downloaded file against the hash listed here before doing anything else with it.

Check the file properties using the native Linux file command, which gives a quick idea of what the sample is (an OLE2 compound document here rather than an OOXML zip).

Run oledump.py to list the streams and check the embedded macros and macro-related forms. Note that oledump's M/m markers flag VBA code streams only; the form data streams (the o and f streams under a UserForm storage) carry no marker, so they have to be picked out by their names. It was found that streams 14 and 15 look like macro forms. Dump them using the -d option and inspect the raw bytes for anything suspicious, such as an MZ header or long runs of hex-encoded data.

Wow! Hex 4
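The steps above (verify the hash, dump the form streams, look for an embedded executable or hex-encoded payload) can be scripted so the same triage runs over every form stream. The block below is an added example written for this post, not code from the original article or from the Didier Stevens Suite. It assumes only the Python standard library; the optional walk_ole_forms helper uses the olefile package that ships as a dependency of oletools, and its assumption that form streams are the ones named o or f under a UserForm storage is our own heuristic. make_fake_pe builds a constructed MZ/PE header skeleton purely so the functions can be exercised offline.

```python
"""Triage helpers for macro-form streams dumped with oledump.py -d (added example)."""
import hashlib
import re
import struct

# SHA-256 of the sample discussed in the post (taken from Hybrid Analysis).
SAMPLE_SHA256 = "345b804a9416595840516674caaa65e65be57591d300beab2b6190298a9eac78"

DOS_STUB = b"This program cannot be run in DOS mode"
# 64 or more consecutive hex-encoded bytes: payloads are often stashed as ASCII hex
# in a form control's text and decoded by the macro at run time.
HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}){64,}")


def verify_sha256(path, expected):
    """Return True when the file's SHA-256 matches the hash we downloaded it by."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().lower() == expected.lower()


def find_pe_headers(data):
    """Return offsets of embedded PE files.

    'MZ' alone is a weak signal (it is two printable bytes), so each hit is
    confirmed by following e_lfanew (DOS header offset 0x3C) to a 'PE\\0\\0' signature.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def find_hex_blobs(data):
    """Return (offset, decoded_bytes) for every long run of ASCII hex in the stream."""
    blobs = []
    for m in HEX_RUN.finditer(data):
        raw = m.group(0)
        if len(raw) % 2:  # odd trailing nibble cannot be part of the payload
            raw = raw[:-1]
        blobs.append((m.start(), bytes.fromhex(raw.decode("ascii"))))
    return blobs


def triage_stream(data):
    """Summarise one dumped stream: direct PE hits, DOS stub text, and PE hits
    inside hex-decoded blobs (the case where the executable is hex-encoded)."""
    report = {"pe_offsets": find_pe_headers(data), "dos_stub": DOS_STUB in data, "hex_blobs": []}
    for off, decoded in find_hex_blobs(data):
        report["hex_blobs"].append(
            {"offset": off, "size": len(decoded), "pe_offsets": find_pe_headers(decoded)}
        )
    return report


def make_fake_pe(size=512):
    """Constructed test input: an MZ/PE header skeleton, not a real executable."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)          # e_lfanew -> 0x80
    buf[0x40:0x40 + len(DOS_STUB)] = DOS_STUB        # where the DOS stub text normally sits
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


def walk_ole_forms(path):
    """Optional: triage every form stream in an OLE document, the scripted
    equivalent of running oledump.py -d on each suspicious stream number.
    Assumption: form data lives in streams named 'o' or 'f' under a form storage."""
    import olefile  # dependency of oletools; only needed for this helper
    results = {}
    with olefile.OleFileIO(path) as ole:
        for entry in ole.listdir(streams=True, storages=False):
            if len(entry) >= 2 and entry[-1] in ("o", "f"):
                results["/".join(entry)] = triage_stream(ole.openstream(entry).read())
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and verify_sha256(sys.argv[1], SAMPLE_SHA256):
        for name, rep in walk_ole_forms(sys.argv[1]).items():
            print(name, rep)
    else:
        print(triage_stream(b"xyz" + make_fake_pe().hex().encode() + b"xyz"))
```

Run it with the downloaded sample as the only argument; if the hash does not match it refuses to parse the file and instead demonstrates the hex-decoding path on the constructed skeleton. The e_lfanew check matters in practice: form streams contain plenty of printable text, and "MZ" on its own will produce false positives.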