VBA Macros

oletools - python tools to analyze OLE and MS Office files

python-oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on my olefile parser. 

Advanced VBA Macros Attack & Defence - Black Hat Europe 2019

Presentation at Black Hat Europe 2019, about malicious VBA Macros and recent advances in the attack and defense sides.

VBA Macros Pest Control - THC 2017

Presentation at the Toulouse Hacking Convention 2017 (3rd March 2017) about Malicious VBA Macros: what they can do, how to analyze them, and how we can detect and block them before they hit end-users.

Updated on the 24th August 2017 for the International Cyber Security Summer School.

Tip: How to download thousands of MS Office files for testing

When developing tools related to MS Office files such as olefile and oletools, it is often necessary to test them on many different samples of various types and sizes. It is quite easy to find malicious samples using malwr.com, hybrid-analysis.com and VirusTotal, just to name a few (see my previous post about that topic). However, finding and downloading a large number of legitimate files is a different challenge. Here are some tips to do it:

Tools to extract VBA Macro source code from MS Office Documents

This article presents several tools that can be used to extract VBA Macros source code from MS Office Documents, for malware analysis and forensics. It also provides an overview of how VBA Macros are stored.

VBA Macro analysis: Beware of the Shift Key!

Many malware analysts like to use the VB Editor in MS Word or Excel to analyze malicious macros, because it provides a nice debugging environment. It is a convenient solution to run VBA code in its native context, in order to unmask heavily obfuscated macros.

Using VBA Emulation to Analyze Obfuscated Macros

ViperMonkey is an experimental toolkit that I have been developing since early 2015, to parse VBA macros and emulate their execution. This articles shows how it can be used to analyze obfuscated macros and extract hidden strings/IOCs.

Malware Search

This custom Google search engine helps you find malware samples containing specific strings, filenames, hashes or other IOCs. It uses the data indexed by several websites including malwr.com, hybrid-analysis.com, virustotal.com and virusshare.com.

For example, search "VB_Nam" to find malicious VBA macros, or "\objdata" to find RTF files with OLE Package objects.

How to detect most malicious macros without an antivirus

mraptor is a simple tool designed to detect malicious VBA macros in MS Office files, based on characteristics of the VBA code. This article explains how it works, and how it can be used in practice.

8KB of malware crammed into a single command line in a macro

A few days ago, @Bry_Campbell told me about a strange sample with a malicious macro, that could not be fully analyzed with online sandboxes and the usual tools.

Syndicate content