Drop an Office document below — .doc, .docx, .docm, .xls, .xlsx, .xlsm, .ppt, .pptm, .xlsb, MHTML, Word 2003 XML — and this page will extract any VBA macros and run static IOC analysis against them.
It's a single static page running oletools via Pyodide (CPython compiled to WebAssembly). Initial load is ~10 MB while the runtime warms up; after that, analysis is instant.
your file never leaves this browser tab
This page runs olevba — the standard VBA macro extraction tool from Philippe Lagadec's python-oletools suite — directly inside your browser. It parses Microsoft Office documents, extracts any embedded VBA macros, and runs static analysis to surface auto-execution hooks, suspicious API calls, and indicators of compromise such as URLs, IPs, and executable filenames.
Most online olevba services upload your file to their server. That is a problem if you are handling malware samples under NDA, working with classified material, or simply don't want a random third party holding onto your incident-response evidence. This tool ships a full CPython runtime (Pyodide) and oletools to your browser on first load — every byte of analysis happens locally in the tab. No upload endpoint exists.
Word 97–2003 (.doc, .dot) and Word 2007+ (.docm, .dotm); Excel 97–2003 (.xls) and Excel 2007+ (.xlsm, .xlsb, .xltm), including XLM / Excel 4 macros; PowerPoint 97–2003 (.ppt) and PowerPoint 2007+ (.pptm, .potm, .ppam); plus MHTML and Word 2003 XML containers. If olevba can read it on the command line, this page can read it too.
Is the document uploaded anywhere? No. The page is static HTML, JavaScript and WebAssembly. There is no backend. You can verify this in your browser's network tab — once the Pyodide runtime and oletools wheels are loaded, no further requests happen during analysis.
What does the IOC analysis detect? Auto-executable macros (AutoOpen, AutoExec, Document_Open, etc.), suspicious Win32 API calls (Shell, CreateObject, URLDownloadToFile, WScript.Shell, etc.), embedded URLs and IP addresses, base64, hex, StrReverse and Dridex-encoded strings, and the full olevba keyword set.
Does it work offline? Yes — once Pyodide is cached by the browser, a hard refresh works without network. The first load needs internet because the WASM runtime is roughly 10 MB.
How does it compare to running olevba locally? Same library, same parser, same results. The browser version trades a slow initial load for the convenience of having nothing to install and no risk of cross-contaminating your workstation with a sample.
Can it analyze password-protected documents? msoffcrypto-tool is part of the loaded dependency set, so encrypted Office documents can be processed if olevba can decrypt them with common default passwords. Custom passwords are not currently wired up in the UI.