decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

olevba: detect VBA Purging #537

Open decalage2 opened 4 years ago

decalage2 commented 4 years ago

It may be interesting to detect VBA Purging (when VBA P-Code has been removed and only compressed VBA source code is left), as explained in this article: https://blog.nviso.eu/2020/02/25/evidence-of-vba-purging-found-in-malicious-documents/

More VBA Purging links:

decalage2 commented 3 years ago

See also OfficePurge to generate samples:
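Added example for the detection idea discussed in this issue (not oletools code and not part of the thread): a heuristic that works on VBA project streams already extracted from the OLE container (for instance with olefile), so it never opens a document itself. It relies on two layout facts from MS-OVBA: the `_VBA_PROJECT` stream is a 7-byte header followed by the P-code PerformanceCache, and each module stream is its PerformanceCache followed by the compressed source at the TextOffset recorded in the dir stream's MODULEOFFSET record. A purged project therefore has a header-only `_VBA_PROJECT` and modules whose source sits at offset 0. The decompressor is the standard MS-OVBA 2.4.1 algorithm; the literal-only compressor, the sample module streams and the hand-built copy-token container are constructed here only to produce test data.

```python
"""Heuristic VBA Purging check on raw VBA project streams (added example)."""
import struct

VBA_PROJECT_HEADER_LEN = 7          # Reserved1(2) Version(2) Reserved2(1) Reserved3(2)
VBA_PROJECT_RESERVED1 = 0x61CC      # MS-OVBA 2.3.4.1
CONTAINER_SIGNATURE = 0x01          # MS-OVBA 2.4.1.1.1 CompressedContainer


def vba_project_has_performance_cache(stream: bytes) -> bool:
    """True when _VBA_PROJECT carries P-code beyond its 7-byte header."""
    if len(stream) < VBA_PROJECT_HEADER_LEN:
        raise ValueError("_VBA_PROJECT stream shorter than its header")
    reserved1 = struct.unpack_from("<H", stream, 0)[0]
    if reserved1 != VBA_PROJECT_RESERVED1:
        raise ValueError("bad _VBA_PROJECT signature 0x%04X" % reserved1)
    return len(stream) > VBA_PROJECT_HEADER_LEN


def decompress_stream(container: bytes) -> bytes:
    """MS-OVBA 2.4.1 decompression of a CompressedContainer."""
    if not container or container[0] != CONTAINER_SIGNATURE:
        raise ValueError("not a compressed container")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        chunk_size = (header & 0x0FFF) + 3           # includes the 2-byte header
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        is_compressed = bool(header >> 15)
        chunk_end = min(pos + chunk_size, len(container))
        pos += 2
        chunk_start = len(out)                        # output produced so far in this chunk
        if not is_compressed:                         # raw chunk: bytes are copied verbatim
            out += container[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = container[pos]
            pos += 1
            for bit in range(8):                      # one flag bit per token
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:            # literal token: a single byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                decoded = max(len(out) - chunk_start, 1)
                bit_count = max((decoded - 1).bit_length(), 4)   # ceil(log2(decoded)), min 4
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):               # byte-wise copy handles overlap
                    out.append(out[-offset])
    return bytes(out)


def compress_literal_only(source: bytes) -> bytes:
    """Valid container using literal tokens only (constructed test data helper)."""
    out = bytearray([CONTAINER_SIGNATURE])
    for start in range(0, len(source), 2048):
        chunk = source[start:start + 2048]
        body = bytearray()
        for i in range(0, len(chunk), 8):
            body.append(0x00)                         # flag byte: eight literals follow
            body += chunk[i:i + 8]
        header = (len(body) + 2 - 3) | (0b011 << 12) | (1 << 15)
        out += struct.pack("<H", header) + body
    return bytes(out)


def module_is_purged(module_stream: bytes, text_offset: int) -> bool:
    """Purging deletes the P-code cache: TextOffset drops to 0 and the
    module stream begins directly with the container signature."""
    return text_offset == 0 and module_stream[:1] == bytes([CONTAINER_SIGNATURE])


def assess_vba_purging(vba_project_stream: bytes, modules: dict) -> dict:
    """modules maps module name -> (module stream bytes, TextOffset from dir stream)."""
    purged = [n for n, (data, off) in modules.items() if module_is_purged(data, off)]
    has_cache = vba_project_has_performance_cache(vba_project_stream)
    return {
        "vba_project_has_pcode": has_cache,
        "purged_modules": purged,
        "likely_purged": not has_cache and bool(modules) and len(purged) == len(modules),
    }


# Constructed sample data (not from any real document).
SAMPLE_SOURCE = b'Attribute VB_Name = "ThisDocument"\r\nSub Demo()\r\n    Debug.Print "hi"\r\nEnd Sub\r\n'
PURGED_MODULE = compress_literal_only(SAMPLE_SOURCE)          # source at offset 0
FAKE_PCODE = b"\x00" * 64                                     # stand-in for a PerformanceCache
NORMAL_MODULE = FAKE_PCODE + PURGED_MODULE                    # source at offset 64
PURGED_VBA_PROJECT = struct.pack("<HHBH", 0x61CC, 0xFFFF, 0, 0)   # header only
NORMAL_VBA_PROJECT = PURGED_VBA_PROJECT + b"\x00" * 32
# Hand-built container: literal 'A' then CopyToken(length 11, offset 1) -> 12 x 'A'.
COPY_TOKEN_SAMPLE = bytes.fromhex("0103b002410800")

if __name__ == "__main__":
    print(assess_vba_purging(PURGED_VBA_PROJECT, {"ThisDocument": (PURGED_MODULE, 0)}))
    print(assess_vba_purging(NORMAL_VBA_PROJECT, {"ThisDocument": (NORMAL_MODULE, 64)}))
```

The result is a heuristic, not proof: a 7-byte `_VBA_PROJECT` and zero TextOffsets only show that no P-code is present, which is exactly what purging leaves behind. In an olevba integration the TextOffset would come from the MODULEOFFSET records it already parses, and the decompressed source can still be analysed as usual.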