decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

Add "Modules" as keyword for self-modification #823

Open DecimalTurn opened 9 months ago

DecimalTurn commented 9 months ago

I recently found this question on Stack Overflow; it shows how to import a new code module in VBA using the Modules object.

Here's a simplified snippet that illustrates how it works:

    Dim ThisModule As Module
    Set ThisModule = ThisWorkbook.Modules.Add
    ThisModule.InsertFile "C:\Users\(username)\Desktop\..."

I always thought you had to use VBComponents.Import, but turns out there is this undocumented method as well.

DecimalTurn commented 1 month ago

For the record, the snippet of code above won't be flagged by olevba as malicious, but does manage to import a VBA module even if "Trust access to the VBA project object model" is disabled!
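One way to express the keyword check this issue asks for, as an added example rather than code from the thread or from oletools: a standalone scanner over VBA source text that flags the `Modules.Add` and `InsertFile` calls from the snippet, plus `VBComponents.Import`, while ignoring mentions inside comments and string literals. The rule names, function names and sample macro are constructed for illustration.

```python
import re

# Hypothetical rule names; the patterns are the calls named in this issue.
RULES = {
    "Modules.Add": re.compile(r"\.\s*Modules\s*\.\s*Add\b", re.I),
    "InsertFile": re.compile(r"\.\s*InsertFile\b", re.I),
    "VBComponents.Import": re.compile(r"\bVBComponents\s*\.\s*Import\b", re.I),
}

def logical_lines(source):
    """Join VBA line continuations (' _' at end of line) into logical lines."""
    joined = re.sub(r"[ \t]_[ \t]*\r?\n", " ", source)
    return joined.splitlines()

def strip_strings_and_comment(line):
    """Drop string literals and any trailing ' comment so only code is matched."""
    out, in_str = [], False
    for ch in line:
        if ch == '"':
            in_str = not in_str  # a doubled "" toggles twice, ending in the same state
        elif ch == "'" and not in_str:
            break                # the rest of the line is a comment
        elif not in_str:
            out.append(ch)
    return "".join(out)

def scan(source):
    """Return (logical_line_number, rule_name) for each self-modification hit."""
    hits = []
    for n, line in enumerate(logical_lines(source), 1):
        code = strip_strings_and_comment(line)
        hits += [(n, name) for name, rx in RULES.items() if rx.search(code)]
    return hits

# Constructed sample macro (placeholder path), including a split call and two decoys.
SAMPLE = '''Sub Demo()
    Dim ThisModule As Module
    Set ThisModule = ThisWorkbook _
        .Modules.Add
    ThisModule.InsertFile "C:\\placeholder\\module.bas"
    ' ThisWorkbook.Modules.Add mentioned in a comment only
    MsgBox "call .InsertFile later"
End Sub
'''

if __name__ == "__main__":
    for line_no, rule in scan(SAMPLE):
        print(f"logical line {line_no}: {rule}")
```

Line numbers refer to logical lines after continuations are joined, and `Rem` comments are not stripped by this sketch.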