
Re: how to tell if anything evil lurking in an .xls file?



On Thu, Feb 12, 2004 at 02:52:53AM +0800, Dan Jacobson wrote:
> All along there is no tool to view all of what's inside an .xls file
> in cleartext or whatever.  All I can use is less(1). All I can do is
> trust that other programs are doing the right thing inside their black
> boxes.  There is no total dumper that shows what is going on in every
> part of the .xls file.

Both .doc and .xls files are OLE Structure Storage documents, which are 
miniature file systems: they contain any number of streams stored in a 
hierarchical fashion.  Each stream has a name, a type (I think it's 
numeric or can be a string?), and a sequence of bytes.

All files will contain a "version info" stream for which there is a 
public spec.  There are also several streams of various types, the main 
document stream, various revision streams, some bookkeeping streams, and 
the VBA code (the nastiness) in a stream.

The hard part about importing those docs is interpreting the document 
streams, as that spec isn't public.  But it should be easy to enumerate 
the streams and tell if any are the VBA type.  I am making 
unsubstantiated assertions here but I believe data and code streams are 
separate, and VBA streams can be readily identified by name or type.
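
The stream enumeration described in the message above, as an added example that is not part of the original post: it reads the compound-file header, follows the directory sector chain through the FAT, and lists every entry, flagging names that VBA projects use. The function names, the name list and the constructed sample file are assumptions of this example, and it assumes the FAT fits in the header's 109 DIFAT slots.

```python
import struct

MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ENDOFCHAIN, FREESECT = 0xFFFFFFFE, 0xFFFFFFFF
TYPES = {1: "storage", 2: "stream", 5: "root"}
# Storage/stream names a VBA project uses in legacy Office files (lower-cased).
VBA_NAMES = {"_vba_project_cur", "macros", "vba", "_vba_project", "dir", "project"}

def list_entries(data):
    """Return (name, type, size) for every directory entry of an OLE2 file."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE2 compound file")
    sect = 1 << struct.unpack_from("<H", data, 30)[0]   # sector size from header
    def sector(n):                                      # sector 0 follows the header
        return data[(n + 1) * sect:(n + 2) * sect]
    fat = []  # assumption: every FAT sector is listed in the header's DIFAT slots
    for s in struct.unpack_from("<109I", data, 76):
        if s != FREESECT:
            fat += struct.unpack("<%dI" % (sect // 4), sector(s).ljust(sect, b"\xff"))
    entries, seen, n = [], set(), struct.unpack_from("<I", data, 48)[0]
    while n != ENDOFCHAIN:                              # follow the directory chain
        if n in seen or n >= len(fat):                  # loop or out-of-range link
            raise ValueError("corrupt directory chain")
        seen.add(n)
        raw = sector(n)
        for off in range(0, len(raw) - 127, 128):       # 128-byte directory entries
            # name length in bytes, object type, low 32 bits of the stream size
            nlen, otype, size = struct.unpack_from("<HB53xI", raw, off + 64)
            if otype in TYPES and 2 <= nlen <= 64:
                name = raw[off:off + nlen - 2].decode("utf-16-le", "replace")
                entries.append((name, TYPES[otype], size))
        n = fat[n]
    return entries

def vba_entries(data):
    return [e for e in list_entries(data) if e[0].lower() in VBA_NAMES]

# Constructed sample (tree links left zero, so only this flat listing can read it).
SAMPLE = [("Root Entry", 5), ("Workbook", 2), ("_VBA_PROJECT_CUR", 1), ("VBA", 1),
          ("dir", 2), ("_VBA_PROJECT", 2), ("Module1", 2), ("PROJECT", 2)]
def build_sample(names=SAMPLE):
    hdr = MAGIC + bytes(16) + struct.pack("<5H6x9I", 0x3E, 3, 0xFFFE, 9, 6,
                                          0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    hdr += struct.pack("<109I", 0, *[FREESECT] * 108)   # DIFAT: FAT is sector 0
    fat = struct.pack("<128I", 0xFFFFFFFD, 2, ENDOFCHAIN, *[FREESECT] * 125)
    return hdr + fat + b"".join(struct.pack("<64sHB61x", (n + "\0").encode("utf-16-le"),
                                            2 * len(n) + 2, t) for n, t in names)

if __name__ == "__main__":
    print(*vba_entries(build_sample()), sep="\n")
```

A match shows only that a VBA project container is present in the file; it says nothing about what the code in it does.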


