VBA Purging — How Effective Is It?

A Quick Intro to VBA and Document File Formats

VBA, an abbreviation for Visual Basic for Applications, is a programming language used to extend the functionality of Microsoft Office applications. With a small piece of (macro) code you can do a great deal for automation, repetitive work, and general administration tasks. Owing to the power of the language, it didn’t take long before malicious macro code went mainstream, and macros now account for the majority of malicious attachments sent via email.

Figure 1 — A compound file hierarchy with storage and stream objects. Courtesy: Microsoft
Figure 2 — VBA storage hierarchy following the compound file format. Courtesy: Microsoft
Figure 3 — Module Streams of a VBA project. Courtesy: Nviso
Figure 4 — A sample document with macros and the VBA structure where ‘ThisDocument’ is the Module Stream

Is it Stomped or Purged?

VBA stomping and VBA purging both revolve around the sections of the module stream shown above: the PerformanceCache, which holds the compiled p-code, and the CompressedSourceCode. VBA stomping came to light in 2018 when security researchers from Walmart explored removing the CompressedSourceCode section of the module stream without affecting execution of the macro, thereby thwarting defenses that detect strings with great efficiency. Though this is great in theory, recall that if the source code for the macro is removed, the Office application immediately falls back to the compiled code. What happens if the Office version and architecture don’t match the ones that compiled it? Nothing! Purging is the reverse operation: the PerformanceCache is stripped and only the compressed source remains, so Office has to recompile it on open.

Figure 5 — Purged and non-purged documents and the differences between them
Figure 6 — Using the -i parameter in oledump to visualize PerformanceCache and CompressedSourceCode sections in Module1 on the non-purged document
Figure 7 — Same view for the purged document shows no PerformanceCache section
Figure 6 — Strings in the non-purged document
Figure 7 — Strings from the Purged document which have the same functionality yet are compressed

What’s The Next Step for Defense?

VBA purging can make static analysis a tad harder and leave IDS or Yara rules useless, since the static strings they rely on were exposed by the p-code section that purging removes. For example, the object-creation function CreateObject (commonly used to spawn a shell) won’t be present in the CompressedSourceCode section as a single string but will most probably be broken up by the compression.
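To show concretely why a purged document hides plain strings, here is an added example (not code from the article, from Microsoft, or from oledump) that implements the MS-OVBA compression container used for the CompressedSourceCode section. The macro text is constructed for the demo, and the compressor is a simple greedy matcher rather than Office’s own; it produces valid containers that the decompressor round-trips, and it only falls back to a raw chunk for full 4096-byte incompressible blocks (a short incompressible tail raises an error, a deliberate simplification). The check at the end asks whether a plain-string rule for CreateObject would still fire against the stored source.

```python
# Added example (not from the article, Microsoft or oledump): a minimal MS-OVBA
# compressor/decompressor for the CompressedSourceCode section of a VBA module
# stream. SAMPLE_SOURCE is constructed; compress() is a plain greedy matcher.


def _copy_token_params(decompressed_in_chunk):
    """Bit split of a 16-bit copy token: offset bits grow with how much of the
    current chunk has already been decompressed (MS-OVBA 'CopyToken Help')."""
    bit_count = max((decompressed_in_chunk - 1).bit_length(), 4)
    length_mask = 0xFFFF >> bit_count
    return bit_count, length_mask, length_mask + 3      # ..., maximum copy length


def decompress(container):
    """Decompress an MS-OVBA CompressedContainer back to the module source."""
    if not container or container[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out, pos = bytearray(), 1
    while pos < len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        pos += 2
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        data_len = (header & 0x0FFF) + 3 - 2             # chunk size minus its header
        chunk, pos = container[pos:pos + data_len], pos + data_len
        chunk_start = len(out)
        if not header & 0x8000:                          # raw chunk: 4096 bytes as-is
            out += chunk
            continue
        i = 0
        while i < len(chunk):
            flags, i = chunk[i], i + 1                   # one flag bit per token
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not (flags >> bit) & 1:               # literal token: one byte
                    out.append(chunk[i])
                    i += 1
                    continue
                token, i = int.from_bytes(chunk[i:i + 2], "little"), i + 2
                bit_count, length_mask, _ = _copy_token_params(len(out) - chunk_start)
                length = (token & length_mask) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for k in range(length):                  # byte-wise: copies may overlap
                    out.append(out[src + k])
    return bytes(out)


def compress(source):
    """Greedy MS-OVBA compressor: the longest backwards match inside the current
    4096-byte chunk becomes a copy token (3+ bytes); everything else is a literal."""
    out = bytearray(b"\x01")
    for start in range(0, len(source), 4096):
        block, chunk, cur = source[start:start + 4096], bytearray(), 0
        while cur < len(block):
            flags, tokens = 0, bytearray()
            for bit in range(8):
                if cur >= len(block):
                    break
                bit_count, _, max_length = _copy_token_params(cur)
                best_len = best_off = 0
                for cand in range(cur - 1, -1, -1):      # search back to chunk start
                    n = 0
                    while (cur + n < len(block) and n < max_length
                           and block[cand + n] == block[cur + n]):
                        n += 1
                    if n > best_len:
                        best_len, best_off = n, cur - cand
                if best_len >= 3:
                    flags |= 1 << bit
                    token = ((best_off - 1) << (16 - bit_count)) | (best_len - 3)
                    tokens += token.to_bytes(2, "little")
                    cur += best_len
                else:
                    tokens.append(block[cur])
                    cur += 1
            chunk.append(flags)
            chunk += tokens
        if len(chunk) > 4096:                            # incompressible: store raw
            if len(block) != 4096:
                raise ValueError("short incompressible tail not handled in this demo")
            out += (0x0FFF | 0b011 << 12).to_bytes(2, "little") + block
            continue
        header = (len(chunk) + 2 - 3) | (0b011 << 12) | 0x8000
        out += header.to_bytes(2, "little") + chunk
    return bytes(out)


# Constructed sample macro, stored as the module stream would hold it (CRLF lines).
SAMPLE_SOURCE = (b'Sub AutoOpen()\r\n'
                 b'    Dim sh As Object\r\n'
                 b'    Set sh = CreateObject("WScript.Shell")\r\n'
                 b'    sh.Popup "macro ran"\r\n'
                 b'End Sub\r\n')


def signature_survives(needle, source):
    """Would a plain-string rule still match the stored (compressed) source?"""
    return needle in compress(source)


if __name__ == "__main__":
    blob = compress(SAMPLE_SOURCE)
    print("CreateObject visible in stored source:", signature_survives(b"CreateObject", SAMPLE_SOURCE))
    print("CreateObject visible after decompression:", b"CreateObject" in decompress(blob))
```

Run as a script, it reports False and then True: the second “Object” in the sample is encoded as a copy token pointing back at “As Object”, and even pure literals are interrupted by a flag byte every eight bytes, so a rule keyed on the readable p-code strings has nothing to match once the PerformanceCache is gone. The practical consequence for detection is that any string-based rule has to run on the decompressed source (olevba and oledump’s module decompression do exactly this), not on the raw stream bytes.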

  • Disable macros if they are not necessary
  • Use antimalware products to detect documents containing malicious macros or VBA code
  • If macros can’t be disabled, make sure only signed macros are run, or that macro-enabled files come from trusted locations
  • Block macros in Office files that come from the Internet (often used for template injection). Microsoft provides excellent coverage of how to use Group Policy to enforce the change across the environment

Conclusion

Office documents and their popularity among the masses will keep attracting malicious actors trying to evade defenses with new techniques. VBA purging is one such technique, which breaks or weakens traditional defenses. It is imperative to instruct end users to verify the authenticity of a document before opening it and to stay wary of documents that look anomalous from the get-go.
