This is still ongoing.
- peepdf
- Open in Linux with LibreOffice: Tools -> Macros -> Edit, and you can see the macros
- Run in a sandbox and see the result
- ViperMonkey: https://github.com/decalage2/ViperMonkey
- oledump.py
    python3 ../oledump.py -s 34 --vbadecompressskipattributes sample.bin
  (may need to leave out --vbadecompressskipattributes for other objects)
- https://isc.sans.edu/diary/Malicious+RTF+Files/21315
- https://forensicskween.com/ctf/cyberdefenders/emprisa-maldoc/
- The usual IDA / Ghidra work
- Try debugging as well.
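
Added example (not from the original notes, and not oledump's own code): what the `--vbadecompressskipattributes` step in the oledump.py command above amounts to, namely MS-OVBA decompression of a macro stream followed by dropping the leading `Attribute` lines, with malformed copy tokens rejected instead of trusted. It assumes the input starts at the compressed container (in a real module stream that is the offset recorded in the `dir` stream); `literal_container` and `SAMPLE` are constructed, harmless test input.

```python
import struct
from itertools import dropwhile

def decompress_container(buf: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer: 0x01 signature byte, then chunks."""
    if not buf or buf[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out, pos = bytearray(), 1
    while pos + 2 <= len(buf):
        (header,) = struct.unpack_from("<H", buf, pos)
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        end = min(pos + (header & 0x0FFF) + 3, len(buf))  # size field = chunk size - 3
        pos += 2
        chunk_start = len(out)
        if not header & 0x8000:              # raw chunk: bytes stored as-is
            out += buf[pos:end]
            pos = end
        while pos < end:
            flags, pos = buf[pos], pos + 1   # one flag byte governs up to 8 tokens
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:   # flag bit clear: literal byte
                    out.append(buf[pos])
                    pos += 1
                    continue
                if pos + 2 > end:
                    raise ValueError("truncated copy token")
                token, pos = struct.unpack_from("<H", buf, pos)[0], pos + 2
                bits = max((len(out) - chunk_start - 1).bit_length(), 4)  # offset width
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                if offset > len(out) - chunk_start:
                    raise ValueError("copy token reaches before chunk start")
                for _ in range(length):      # byte-wise: source may overlap output
                    out.append(out[-offset])
    return bytes(out)

def skip_initial_attributes(source: str) -> str:
    """Drop the leading 'Attribute ...' lines that precede the macro body."""
    return "\n".join(dropwhile(lambda line: line.startswith("Attribute "), source.splitlines()))

def literal_container(data: bytes) -> bytes:
    """Constructed-input helper: wrap data in one chunk using literal tokens only."""
    body = b"".join(b"\x00" + data[i:i + 8] for i in range(0, len(data), 8))
    return b"\x01" + struct.pack("<H", 0xB000 | (len(body) - 1)) + body

SAMPLE = literal_container(b'Attribute VB_Name = "Module1"\r\nSub Demo()\r\nEnd Sub\r\n')
```

`skip_initial_attributes(decompress_container(SAMPLE).decode("latin-1"))` returns only the `Sub Demo()` body; a `ValueError` on a real stream usually means the wrong start offset or a stream that is not compressed VBA.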