Vba2Graph – Generate Call Graphs From VBA Code, For Easier Analysis Of Malicious Documents

A tool for security researchers, who waste their time analyzing malicious Office macros.

Generates a VBA call graph, with potentially malicious keywords highlighted.
Allows for quick analysis of malicious macros, and easy understanding of the execution flow.


  • Keyword highlighting
  • VBA Properties support
  • External function declaration support
  • Tricky macros with “_Change” execution triggers
  • Fancy color schemes!


  • Pretty fast
  • Works well on most malicious macros observed in the wild


  • Static (dynamically resolved calls would not be recognized)
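To show what a static call graph with keyword highlighting involves, and why a dynamically resolved call leaves no edge, here is a small added sketch. It is not Vba2Graph's own code: the macro is constructed, the keyword list and function names are assumptions, and it targets Python 3 rather than the Python 2 the tool requires.

```python
import re

# Constructed sample, not from a real document. Hidden runs only via Application.Run.
SAMPLE_VBA = '''
Sub Document_Open()
    Fetch Decode("cGxhY2Vob2xkZXI=")
    Application.Run "Hid" & "den"
End Sub
Function Decode(s As String) As String
    Decode = StrReverse(s)
End Function
Sub Fetch(u As String)
    Set o = CreateObject("Scripting.FileSystemObject")  ' Shell in a comment
End Sub
Sub Hidden()
    Shell "notepad.exe"
End Sub
'''
PROC = re.compile(r'^\s*(?:(?:Public|Private)\s+)?(?:Sub|Function)\s+(\w+)', re.I)
END = re.compile(r'^\s*End\s+(?:Sub|Function)\b', re.I)
KEYWORDS = ("Shell", "CreateObject", "Application.Run")  # assumed list, not the tool's
def parse_procs(code):
    """Map each Sub/Function name to its body, minus string literals and comments."""
    procs, name = {}, None
    for line in code.splitlines():
        line = re.sub(r"'.*", "", re.sub(r'"[^"]*"', '""', line))
        m = PROC.match(line)
        if m:
            name = m.group(1)
            procs[name] = ""
        elif END.match(line):
            name = None
        elif name:
            procs[name] += line + "\n"
    return procs

def has(word, text):
    return re.search(r"\b%s\b" % re.escape(word), text, re.I) is not None

def call_graph(procs):
    """Static edges only. A Function sets its result via its own name, so skip self."""
    return {p: sorted(c for c in procs if c != p and has(c, b)) for p, b in procs.items()}

def flagged(procs):
    return {p: hit for p, b in procs.items() if (hit := [k for k in KEYWORDS if has(k, b)])}

def to_dot(procs):
    edges, hits = call_graph(procs), flagged(procs)
    nodes = ['  "%s"%s;' % (p, " [color=red]" if p in hits else "") for p in procs]
    arcs = ['  "%s" -> "%s";' % (p, c) for p in procs for c in edges[p]]
    return "\n".join(["digraph vba {"] + nodes + arcs + ["}"])
```

In the resulting graph Hidden is highlighted but has no inbound edge, which is the pattern to look for when a macro dispatches by a name built at runtime.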

Example 1:
Trickbot downloader – utilizes object Resize event as initial trigger, followed by TextBox_Change triggers.

Example 2:

Check out the Examples folder for more cases.


Install oletools:

Install Python Requirements

pip2 install -r requirements.txt

Install Graphviz

Install Graphviz msi:

Add “dot.exe” to PATH env variable or just:

set PATH=%PATH%;C:\Program Files (x86)\Graphviz2.38\bin


brew install graphviz


sudo apt-get install graphviz


sudo pacman -S graphviz


usage: vba2graph.py [-h] [-o OUTPUT] [-c {0,1,2,3}] (-i INPUT | -f FILE)

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT, --output OUTPUT
                        output folder (default: "output")
  -c {0,1,2,3}, --colors {0,1,2,3}
                        color scheme number [0, 1, 2, 3] (default: 0 - B&W)
  -i INPUT, --input INPUT
                        olevba generated file or .bas file
  -f FILE, --file FILE  Office file with macros

Usage Examples (All Platforms)
Only Python 2 is supported:

# Generate call graph directly from an Office file with macros [tnx @doomedraven]
python2 vba2graph.py -f malicious.doc -c 2
# Generate vba code using olevba then pipe it to vba2graph
olevba malicious.doc | python2 vba2graph.py -c 1
# Generate call graph from VBA code
python2 vba2graph.py -i vba_code.bas -o output_folder

You’ll get 4 folders in your output folder:

  • png: the actual graph image you are looking for
  • svg: same graph image, just in vector graphics
  • dot: the dot file which was used to create the graph image
  • bas: the VBA functions code that was recognized by the script (for debugging)

Batch Processing

Mac/Linux: a script file is attached for running olevba and vba2graph on an input folder of malicious docs.
It deletes the output dir, so use with caution.


About the author

Mazen Elzanaty
