VBA Stomping

Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.

MS Office documents with embedded VBA content store source code inside module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.

An adversary may hide malicious VBA code by overwriting the VBA source code location with zeros, benign code, or random bytes while leaving the previously compiled malicious p-code in place. Tools that scan for malicious VBA source code may be bypassed because the unwanted code is hidden in the compiled p-code. If the VBA source code is removed entirely, some tools may even conclude that no macros are present. If the version in the _VBA_PROJECT stream matches the host MS Office application, the p-code is executed; otherwise the benign VBA source code is decompressed and recompiled to p-code, which discards the malicious p-code and potentially bypasses dynamic analysis.
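The source text referred to above is stored inside each module stream as an MS-OVBA CompressedContainer, placed after the PerformanceCache (p-code) at the offset recorded in the project's dir stream. The example below is added to this page (it is not Evil Clippy's code, nor oletools') and implements that compression and its inverse so you can see exactly what a scanner reads when it "extracts the macro source", plus a defender-side heuristic that flags a module whose p-code region is populated while the source region no longer decompresses to anything. The `FAKE_PCODE` bytes, the `SOURCE` text, `build_module` and `looks_stomped` are constructed for this example; the p-code placeholder is opaque filler, not real p-code.

```python
"""Added example: MS-OVBA 2.4.1 compression round-trip and a VBA stomping check.

Not Evil Clippy's or oletools' code. FAKE_PCODE is a constructed stand-in for the
PerformanceCache; module_source()/looks_stomped() are illustrative helpers.
"""
import struct

CHUNK_SIG = 0b011  # 3-bit chunk signature in bits 12..14 of every chunk header


def _bit_count(difference):
    # MS-OVBA: BitCount = max(ceil(log2(difference)), 4); (d-1).bit_length() == ceil(log2 d) for d >= 1
    return max((difference - 1).bit_length(), 4) if difference > 0 else 4


def compress(data):
    """Compress one chunk (<= 4096 bytes) into a CompressedContainer with greedy LZ77 matching."""
    assert len(data) <= 4096, "one chunk only in this example"
    body, pos = bytearray(), 0
    while pos < len(data):
        flag, tokens = 0, bytearray()
        for bit in range(8):                         # a TokenSequence is 1 flag byte + up to 8 tokens
            if pos >= len(data):
                break
            bc = _bit_count(pos)                     # position within the chunk decides the offset/length split
            max_len = (0xFFFF >> bc) + 3
            best_len, best_off = 0, 0
            for off in range(1, pos + 1):            # offset-1 always fits in bc bits since 2**bc >= pos
                n = 0
                while n < max_len and pos + n < len(data) and data[pos + n - off] == data[pos + n]:
                    n += 1
                if n > best_len:
                    best_len, best_off = n, off
            if best_len >= 3:                        # CopyToken: offset-1 in the high bc bits, length-3 in the low bits
                tokens += struct.pack("<H", ((best_off - 1) << (16 - bc)) | (best_len - 3))
                flag |= 1 << bit
                pos += best_len
            else:                                    # LiteralToken
                tokens.append(data[pos])
                pos += 1
        body.append(flag)
        body += tokens
    # header: bits 0..11 = chunk size (incl. 2-byte header) - 3, bits 12..14 = 0b011, bit 15 = compressed flag
    header = ((len(body) + 2 - 3) & 0x0FFF) | (CHUNK_SIG << 12) | (1 << 15)
    return b"\x01" + struct.pack("<H", header) + bytes(body)


def decompress(container):
    """Inverse of compress(); also accepts raw (uncompressed) chunks. Raises ValueError on a bad container."""
    if not container or container[0] != 0x01:
        raise ValueError("not a CompressedContainer (signature byte != 0x01)")
    out, cur = bytearray(), 1
    while cur + 2 <= len(container):
        header = struct.unpack_from("<H", container, cur)[0]
        if (header >> 12) & 0x7 != CHUNK_SIG:
            raise ValueError("bad chunk signature")
        chunk_end = min(len(container), cur + (header & 0x0FFF) + 3)
        cur += 2
        if not header >> 15:                         # raw chunk: exactly 4096 literal bytes
            out += container[cur:cur + 4096]
            cur += 4096
            continue
        chunk_start = len(out)
        while cur < chunk_end:
            flag = container[cur]
            cur += 1
            for bit in range(8):
                if cur >= chunk_end:
                    break
                if not (flag >> bit) & 1:
                    out.append(container[cur])
                    cur += 1
                else:
                    token = struct.unpack_from("<H", container, cur)[0]
                    bc = _bit_count(len(out) - chunk_start)
                    length = (token & (0xFFFF >> bc)) + 3
                    offset = (token >> (16 - bc)) + 1
                    src = len(out) - offset
                    for i in range(length):          # byte by byte so overlapping copies work
                        out.append(out[src + i])
                    cur += 2
    return bytes(out)


def module_source(stream, module_offset):
    """Split a module stream into (PerformanceCache bytes, decompressed source or None)."""
    pcode, src_region = stream[:module_offset], stream[module_offset:]
    try:
        return pcode, decompress(src_region)
    except ValueError:
        return pcode, None


def looks_stomped(stream, module_offset):
    """Heuristic: compiled p-code is present but the source is unreadable, empty or all zeros/whitespace."""
    pcode, source = module_source(stream, module_offset)
    if not pcode.strip(b"\x00"):
        return False                                 # nothing compiled, so nothing can be hidden there
    return source is None or not source.replace(b"\x00", b"").strip()


FAKE_PCODE = b"\x01\x16\x01\x00" + b"<constructed p-code placeholder, not real p-code>"
SOURCE = b'Attribute VB_Name = "Module1"\r\nSub AutoOpen()\r\n    MsgBox "XYZ"\r\n    MsgBox "XYZ"\r\nEnd Sub\r\n'


def build_module(source_bytes, pcode=FAKE_PCODE):
    """Constructed module stream: p-code region followed by the compressed source; returns (stream, MODULEOFFSET)."""
    return pcode + compress(source_bytes), len(pcode)


if __name__ == "__main__":
    clean, off = build_module(SOURCE)
    # Stomping as described above: zero the source region in place, leave the p-code untouched.
    stomped = clean[:off] + b"\x00" * (len(clean) - off)
    print("clean module looks stomped? ", looks_stomped(clean, off))    # False
    print("zeroed module looks stomped?", looks_stomped(stomped, off))  # True
```

This heuristic only catches the variant where the source region is zeroed or blanked; a module whose source has been replaced with plausible benign code decompresses cleanly and passes. Catching that variant requires disassembling the p-code (Dr. Bontchev's pcodedmp does this) and comparing the identifiers and strings it references against those in the extracted source, which is what mature scanners do.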

VBA Macros Advanced

Evil Clippy

Evil Clippy is a maldoc assistant released at Black Hat Asia in 2019 that helps red teams bypass popular AV products and gain an initial foothold. In this section we focus on the VBA Stomping technique, discovered years ago by Dr. Vesselin Bontchev (here). At a high level, when building a malicious document we can place a non-malicious macro in the file's VBA source code; as Dr. Bontchev explained, what actually executes is the p-code stored in the document, as long as it is compatible with the current VBA version.

Let's work through a sample. First, a non-malicious macro is created that displays a message box when the document is opened.

From here we want to modify the VBA source code while leaving the p-code unchanged. To edit the file, unzip it and open vbaProject.bin in a hex editor, changing bytes only within the VBA source code storage location, not the p-code section.

Now that the VBA source code has been manually edited, we open the document and inspect the VBA code BEFORE the "Enable Content" button is clicked.

We see that the source code still displays XYZ, but once the content is enabled a message box displaying "ABC" appears.

So what happened here? Our source code stated that XYZ was going to be executed, but instead ABC was displayed, and afterwards our code updated to match what was executed.
