We can use oledump to list all the streams in the OLE container:
$ oledump.py sample.bin
  1:       114 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:      7119 '1Table'
  5:    101483 'Data'
  6:       581 'Macros/PROJECT'
  7:       119 'Macros/PROJECTwm'
  8:     12997 'Macros/VBA/_VBA_PROJECT'
  9:      2112 'Macros/VBA/__SRP_0'
 10:       190 'Macros/VBA/__SRP_1'
 11:       532 'Macros/VBA/__SRP_2'
 12:       156 'Macros/VBA/__SRP_3'
 13: M    1367 'Macros/VBA/diakzouxchouz'
 14:       908 'Macros/VBA/dir'
 15: M    5705 'Macros/VBA/govwiahtoozfaid'
 16: m    1187 'Macros/VBA/roubhaol'
 17:        97 'Macros/roubhaol/\x01CompObj'
 18:       292 'Macros/roubhaol/\x03VBFrame'
 19:       510 'Macros/roubhaol/f'
 20:       112 'Macros/roubhaol/i05/\x01CompObj'
 21:        44 'Macros/roubhaol/i05/f'
 22:         0 'Macros/roubhaol/i05/o'
 23:       112 'Macros/roubhaol/i07/\x01CompObj'
 24:        44 'Macros/roubhaol/i07/f'
 25:         0 'Macros/roubhaol/i07/o'
 26:       115 'Macros/roubhaol/i09/\x01CompObj'
 27:       176 'Macros/roubhaol/i09/f'
 28:       110 'Macros/roubhaol/i09/i11/\x01CompObj'
 29:        40 'Macros/roubhaol/i09/i11/f'
 30:         0 'Macros/roubhaol/i09/i11/o'
 31:       110 'Macros/roubhaol/i09/i12/\x01CompObj'
 32:        40 'Macros/roubhaol/i09/i12/f'
 33:         0 'Macros/roubhaol/i09/i12/o'
 34:     15164 'Macros/roubhaol/i09/o'
 35:        48 'Macros/roubhaol/i09/x'
 36:       444 'Macros/roubhaol/o'
 37:      4096 'WordDocument'
The highest-numbered VBA macro stream is number 16. oledump flags macro streams with an M; a lowercase m means the stream contains only attribute declarations and no actual code.
olevba is a good tool for getting more information about macros. I've cropped the output.
$ olevba sample.bin
[..]
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Document_open       |Runs when the Word or Publisher document is  |
|          |                    |opened                                       |
[..]
Alternatively, we can open the malicious document and view (edit) the macro. I did so using LibreOffice Writer.
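Both oledump -v and olevba have to undo the MS-OVBA compression of a module stream (such as stream 15, 'Macros/VBA/govwiahtoozfaid') before any keyword like Document_open is visible. The following is an added example, not code from the write-up or from the oletools project: a minimal decoder for that compression plus the AutoExec trigger check, run on byte vectors constructed here for illustration.

```python
# Added example: MS-OVBA decompression of a VBA module stream and a scan
# of the result for AutoExec entry points. The vectors are constructed.
import struct

def vba_decompress(data: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (leading signature byte 0x01)."""
    if not data or data[0] != 0x01:
        raise ValueError("not a VBA compressed container")
    out, pos = bytearray(), 1
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        chunk_end = pos + (header & 0x0FFF) + 3    # size field excludes 3 bytes
        chunk_start = len(out)                      # DecompressedChunkStart
        pos += 2
        if not header >> 15:                        # flag 0: 4096 raw bytes follow
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end and len(out) - chunk_start < 4096:
            flags, pos = data[pos], pos + 1         # one flag byte per 8 tokens
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:          # bit 0: literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                # offset/length bit split depends on position inside the chunk
                difference = len(out) - chunk_start
                bit_count = max((difference - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):             # byte-wise copy, overlap allowed
                    out.append(out[-offset])
    return bytes(out)

AUTOEXEC = ("Document_Open", "AutoOpen", "Auto_Open", "Workbook_Open")

def autoexec_triggers(source: bytes) -> list:
    """Return the AutoExec entry points present in decompressed VBA source."""
    text = source.decode("latin-1").lower()
    return [k for k in AUTOEXEC if k.lower() in text]

# Constructed vector: literals a,b,c then one copy token (offset 3, length 9)
COPY_SAMPLE = bytes([0x01, 0x05, 0xB0, 0x08]) + b"abc" + bytes([0x06, 0x20])
```

On a real document the input to vba_decompress is the module stream sliced at the text offset recorded in the 'Macros/VBA/dir' stream, which is exactly what the tools above look up for you.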
One easy way to identify the malware is to compare the file hash against online databases such as URLhaus. Otherwise I'd have to reverse-engineer the script, decipher the functionality, and cross-reference that with known malware.
$ sha256sum sample.bin
d50d98dcc8b7043cb5c38c3de36a2ad62b293704e3cf23b0cd7450174df53fee sample.bin