Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: CAD: .DGN and .MVBA Files SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
CAD: .DGN and .MVBA Files

Regularly I receive questions about MicroStation files, since I wrote a diary entry about AutoCAD drawings containing VBA code.

MicroStation is CAD software, and it can run VBA code.

I've never been given malicious MicroStation files, but recently I've been given a normal drawing (.dgn) and a script file (.mvba).

To be clear: these are not malware samples, the files were given to me so that I could take a look at the internal file format and report it.

Turns out that both files are "OLE files", and can thus be analyzed with my oledump.py tool.

Here is the .DGN file:

It's an OLE file with storage (folder) Dgn-Md containing other storages and streams.

And the metadata identifies this as a MicroStation file (I'm using tail to filter out the thumbnail data):

It does not contain VBA code: AFAIK, .DGN files can not contain VBA code. Please post a comment if I'm wrong, or if you can share a sample .DGN file containing VBA code.

The VBA script file, with extension .MVBA, is also an OLE file with VBA code streams:

Here too, the M indicator alerts us to the presence of VBA code. It can be extracted with oledump:

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

553 Posts
ISC Handler
Apr 26th 2021

Sign Up for Free or Log In to start participating in the conversation!