Regularly I receive questions about MicroStation files, since I wrote a diary entry about AutoCAD drawings containing VBA code.
MicroStation is CAD software, and it can run VBA code.
I’ve never been given malicious MicroStation files, but recently I’ve been given a normal drawing (.dgn) and a script file (.mvba).
To be clear: these are not malware samples. The files were given to me so that I could take a look at the internal file format and report on it.
Turns out that both files are “OLE files”, and can thus be analyzed with my oledump.py tool.
Here is the .DGN file:
It’s an OLE file with storage (folder) Dgn-Md containing other storages and streams.
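The OLE layout can also be confirmed without oledump by reading the compound-file header directly. The sketch below is an added example, not part of the original diary entry and not code from oledump.py. It checks the OLE signature and lists the entries of the first directory sector only (the directory's FAT chain is not followed). The sample bytes are constructed: the storage name Dgn-Md comes from the text above, and "Example Stream" is a made-up name.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Compound File Binary signature
TYPES = {1: "storage", 2: "stream", 5: "root"}

def list_first_directory_sector(data):
    """Return [(type, name)] from the first directory sector, or None if not OLE.

    Simplification: the directory's FAT chain is not followed, so only the
    entries in the first directory sector are listed.
    """
    if data[:8] != OLE_MAGIC:
        return None
    sector_shift, = struct.unpack_from("<H", data, 30)  # 9 means 512-byte sectors
    first_dir, = struct.unpack_from("<I", data, 48)     # first directory sector id
    size = 1 << sector_shift
    start = (first_dir + 1) * size                      # sector 0 follows the header
    entries = []
    for off in range(start, min(start + size, len(data)), 128):
        entry = data[off:off + 128]
        if len(entry) < 128:
            break                                       # truncated file
        name_len, obj_type = struct.unpack_from("<HB", entry, 64)
        if obj_type not in TYPES or not 2 <= name_len <= 64:
            continue                                    # unused directory entry
        name = entry[:name_len - 2].decode("utf-16-le", "replace")
        entries.append((TYPES[obj_type], name))
    return entries

def _entry(name, obj_type):
    """Build one 128-byte directory entry (constructed test data)."""
    raw = (name + "\0").encode("utf-16-le")
    return raw.ljust(64, b"\0") + struct.pack("<HB", len(raw), obj_type) + b"\0" * 61

def build_sample():
    """Constructed, minimal OLE image: header plus one directory sector."""
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<H", header, 30, 9)  # sector shift
    struct.pack_into("<I", header, 48, 0)  # directory starts in sector 0
    directory = (_entry("Root Entry", 5) + _entry("Dgn-Md", 1)
                 + _entry("Example Stream", 2) + bytes(128))
    return bytes(header) + directory

if __name__ == "__main__":
    for kind, name in list_first_directory_sector(build_sample()):
        print(kind, name)
```

To triage a real file, pass the bytes read from the .dgn or .mvba file to `list_first_directory_sector`; a `None` result means the file does not start with the OLE signature.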
And the metadata identifies this as a MicroStation file (I’m using tail to filter out the thumbnail data):
It does not contain VBA code: AFAIK, .DGN files cannot contain VBA code. Please post a comment if I’m wrong, or if you can share a sample .DGN file containing VBA code.
The VBA script file, with extension .MVBA, is also an OLE file with VBA code streams:
Here too, the M indicator alerts us to the presence of VBA code. It can be extracted with oledump:
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.