bontchev / pcodedmp

A VBA p-code disassembler

pcodedmp can't disassemble VBA code

pcodetry opened this issue

I tested pcodedmp against a Word doc VBA malware sample and found that it is not disassembling; please find the dump attached. I get a similar result with olevba.py. Why does pcodedmp fail? I attach the dump. This malware uses VBA to generate a PowerShell script when the Word doc is opened. How can I capture the PowerShell script cmdlet, or some other meaningful result?
malware_export.txt

I am sorry, but I have a problem understanding what you are trying to say. If olevba is not working, it's possible that the document is somehow malformed - the recent Emotet samples are like that. I think the author of olevba released a new version to handle that. My program uses his library (oletools), so this might be the cause of the problem. Try updating to a newer version of olevba.

My program is a p-code disassembler - it is not an emulator or anything like that. It will show you the compiled p-code instructions but won't emulate them and won't tell you what they do.

In any case, I need an actual document demonstrating the problem - not the text output of my script when run on it, which is what you seem to have provided.

Finally, my main computer broke and I'll need a few days to have it fixed, so don't wonder if I'm not replying quickly.

If you get an error with olevba such as "can't concat str to bytes" then please try installing the latest dev version of oletools: https://github.com/decalage2/oletools/wiki/Install#how-to-install-the-latest-development-version
It seems many maldocs trigger that kind of error these days, the latest dev version fixes it.
If it does not fix the error you're seeing, please open an issue on the oletools repo and provide the sample so that I test it.

Hi, there is no error in either olevba or pcodedmp. I mean that pcodedmp can't deobfuscate the sample. I attach the sample; please rename *.jpg to *.doc and you will see.
Meanwhile, can you suggest a tool that can emulate the macro, so I can capture the PowerShell cmdlet script when I open this document? Once I do the experiment, I will update you, to further enhance pcodedmp's functionality to detect and deobfuscate this kind of macro.
mald

pcodedmp is not meant to deobfuscate malware or to emulate its execution, it shows a disassembly of the VBA P-code.
If you want to emulate the execution of VBA macros, then try ViperMonkey: https://github.com/decalage2/ViperMonkey or the development version which is more up to date: https://github.com/kirk-sayre-work/ViperMonkey

OK, I think I can safely close the issue now, since it doesn't seem to be a problem in the program but a misunderstanding of what the program is supposed to do. If I have misunderstood and there actually is a problem in pcodedmp, please explain it more clearly and I'll re-open the issue.