*.doc
MS Word Document in binary proprietary file format (Compound File Binary Format) used in Office < 2007
*.xls
MS Excel Workbook in binary proprietary file format (Compound File Binary Format) used in Office < 2007
*.docx
MS Word Document in “Microsoft Office Open XML” file format used since Office 2007, no macro.
Zip container with XML files in it.
*.xlsx
MS Excel Workbook in “Microsoft Office Open XML” file format used since Office 2007, no macro.
Zip container with :
– Data stored in XML files in it
*.docm
MS Word Document in “Microsoft Office Open XML” file format used since Office 2007, can contain macros.
Zip container with XML files in it
Macros are stored in OLE2 binary file
*.xlsm
MS Excel Workbook in “Microsoft Office Open XML” file format used since Office 2007, can contain macros.
Zip container with :
– Data stored in XML files in it
– Macros stored in binary file (xl/vbaProject.bin)
macro code in “ThisWorkbook”
empty macro in “Sheet1”
“M” = macro with code in “ThisWorkbook”
“m” = macro without code in “Sheet1”
“-s 4” = select 4th stream (A4 in this example)
“-v” = decompressed the stream to show readable VBA code
*.xlsb
MS Excel Binary Workbook in “Microsoft Office Open XML” file format used since Office 2007, can contain macros.
Intended especially for very large documents with tens of thousands of rows, and/or several hundreds of columns.
Zip container with binary files in it (instead of XML files used in *.xlsm)
Macros are stored in OLE2 binary file
Tools
oletools (from Philippe Lagadec “decalage2”)
DidierStevensSuite (from Didier Stevens) : contains oledump.py
XLMMacroDeobfuscator (from Malwrologist “DissectMalware”)