VBA Purging — How Effective Is It?

A Quick Intro to VBA and Document File Formats

Figure 1 — A compound file hierarchy with storage and stream objects. Courtesy: Microsoft
Figure 2 — VBA storage hierarchy following the compound file format. Courtesy: Microsoft
Figure 3 — Module Streams of a VBA project. Courtesy: Nviso
Figure 4 — A sample document with macros and the VBA structure where ‘ThisDocument’ is the Module Stream

Is it Stomped or Purged?

Figure 5 — Purged and non-purged documents and the differences between them
Figure 6 — Using the -i parameter in oledump to visualize PerformanceCache and CompressedSourceCode sections in Module1 on the non-purged document
Figure 7 — Same view for the purged document shows no PerformanceCache section
Figure 6 — Strings in the non-purged document
Figure 7 — Strings from the purged document, which have the same functionality yet are compressed

What’s The Next Step for Defense?

Conclusion

Hi, I’m Syed. Explore my articles as I embark on this journey of learning more about Forensics, Threat Hunting, and Cyber-threat Intelligence.

Syed Hasan
