VBA Purging — How Effective Is It?

A Quick Intro to VBA and Document File Formats

Figure 1 — A compound file hierarchy with storage and stream objects. Courtesy: Microsoft
Figure 2 — VBA storage hierarchy following the compound file format. Courtesy: Microsoft
Figure 3 — Module Streams of a VBA project. Courtesy: Nviso
Figure 4 — A sample document with macros and the VBA structure where ‘ThisDocument’ is the Module Stream

Is it Stomped or Purged?

Figure 5 — Purged and non-purged documents and the differences between them
Figure 6 — Using the -i parameter in oledump to visualize PerformanceCache and CompressedSourceCode sections in Module1 on the non-purged document
Figure 7 — Same view for the purged document shows no PerformanceCache section
Figure 8 — Strings in the non-purged document
Figure 9 — Strings from the purged document, which has the same functionality but whose source survives only in compressed form
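The split that oledump's -i option reports (PerformanceCache size versus CompressedSourceCode size) is what separates a purged module from a stomped one, so here is the check in code. This is an added example, not code from the original post or from oledump: it implements the MS-OVBA decompression used for the dir stream and the module source, a small greedy encoder in the same format so the example can build sample streams offline, and a classify_module() that splits a module stream at its TextOffset and says whether the PerformanceCache is present. The sample VBA source, the placeholder p-code bytes (FAKE_PCODE is not real compiled p-code) and the TextOffset values are constructed for the example; in a real document TextOffset comes from the MODULEOFFSET record of the decompressed dir stream, and the function names are the example's own.

```python
import math
import struct

# MS-OVBA 2.4.1 CompressedContainer: a 0x01 signature byte, then chunks of
# [u16 header][data]. Header: bits 0-11 = chunk size - 3, bits 12-14 = 0b011,
# bit 15 = 1 for token-encoded data, 0 for a raw 4096-byte chunk.

def ovba_decompress(container: bytes) -> bytes:
    """Decompress a dir stream or the CompressedSourceCode of a module stream."""
    if not container or container[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out, pos = bytearray(), 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad CompressedChunk signature")
        chunk_end = min(len(container), pos + (header & 0x0FFF) + 3)
        pos += 2
        chunk_start = len(out)              # copy tokens never reach before this
        if not header & 0x8000:             # raw chunk: 4096 uncompressed bytes
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags, pos = container[pos], pos + 1
            for bit in range(8):            # one flag bit per token, LSB first
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:  # literal token: one byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]  # copy token
                pos += 2
                decomp_pos = len(out) - chunk_start
                if decomp_pos == 0:
                    raise ValueError("copy token with nothing to copy")
                bit_count = max(math.ceil(math.log2(decomp_pos)), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):     # byte-wise, so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)

def ovba_compress(data: bytes) -> bytes:
    """Greedy encoder for the same container format. Used here only to build
    sample streams; Office's own encoder may pick different tokens."""
    container = bytearray(b"\x01")
    for start in range(0, len(data), 4096):
        chunk, body, i = data[start:start + 4096], bytearray(), 0
        while i < len(chunk):
            flags, tokens = 0, bytearray()
            for bit in range(8):
                if i >= len(chunk):
                    break
                bit_count = max(math.ceil(math.log2(i)), 4) if i else 4
                max_len = (0xFFFF >> bit_count) + 3
                best_len = best_off = 0
                for off in range(1, min(i, 1 << bit_count) + 1):
                    n = 0
                    while n < max_len and i + n < len(chunk) and chunk[i + n] == chunk[i + n - off]:
                        n += 1
                    if n > best_len:
                        best_len, best_off = n, off
                if best_len >= 3:
                    tokens += struct.pack("<H", ((best_off - 1) << (16 - bit_count)) | (best_len - 3))
                    flags |= 1 << bit
                    i += best_len
                else:
                    tokens.append(chunk[i])
                    i += 1
            body.append(flags)
            body += tokens
        if len(body) <= 4096:
            container += struct.pack("<H", 0xB000 | (len(body) + 2 - 3)) + body
        else:                               # incompressible: raw chunk, zero padded
            container += struct.pack("<H", 0x3FFF) + chunk.ljust(4096, b"\x00")
    return bytes(container)

def classify_module(stream: bytes, text_offset: int) -> dict:
    """Split a module stream at MODULEOFFSET.TextOffset (from the decompressed
    dir stream): bytes before it are the PerformanceCache (p-code), bytes from
    it on are the CompressedSourceCode. Same split oledump -i reports."""
    pcache = stream[:text_offset]
    source = ovba_decompress(stream[text_offset:]).decode("latin-1")
    code_lines = [l for l in source.splitlines()
                  if l.strip() and not l.lstrip().lower().startswith("attribute ")]
    if text_offset == 0:
        verdict = "purged"      # PerformanceCache removed; only source remains
    elif not code_lines:
        verdict = "stomped"     # p-code kept, but the source carries no code
    else:
        verdict = "intact"
    return {"verdict": verdict, "pcache_size": len(pcache),
            "compressed_source_size": len(stream) - text_offset, "source": source}

# Constructed sample data for the example; not taken from any real document.
SAMPLE_SOURCE = (b'Attribute VB_Name = "Module1"\r\n'
                 b'Sub AutoOpen()\r\n'
                 b'    MsgBox "AutoOpen ran"\r\n'
                 b'End Sub\r\n')
FAKE_PCODE = bytes(range(64))   # placeholder standing in for compiled p-code

def sample_streams() -> dict:
    """Three module streams as (bytes, TextOffset): intact, purged, stomped."""
    compressed = ovba_compress(SAMPLE_SOURCE)
    return {
        "intact":  (FAKE_PCODE + compressed, len(FAKE_PCODE)),
        "purged":  (compressed, 0),
        "stomped": (FAKE_PCODE + ovba_compress(b'Attribute VB_Name = "Module1"\r\n'), len(FAKE_PCODE)),
    }

if __name__ == "__main__":
    for name, (stream, off) in sample_streams().items():
        r = classify_module(stream, off)
        print(f"{name:8s} -> {r['verdict']:8s} PerformanceCache={r['pcache_size']} "
              f"CompressedSourceCode={r['compressed_source_size']}")
```

Two caveats when running this against real files: a legitimately empty module (only Attribute lines) also comes out as "stomped", and a stomped document whose source was replaced with plausible benign code will look "intact" here; confirming those cases needs the p-code itself disassembled (pcodedmp) and compared with the decompressed source. The "purged" verdict, by contrast, rests on a structural fact (TextOffset 0, no PerformanceCache) and is the one that survives the string-level comparison shown in the figures.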

What’s The Next Step for Defense?

  • Train employees to tell malicious documents from harmless ones
  • Disable macros where they are not needed
  • Use antimalware products to detect documents carrying malicious macros or VBA code
  • If macros cannot be disabled, allow only digitally signed macros or macros in documents from trusted locations
  • Block macros in Office files that came from the Internet (a common delivery path, including template injection). Microsoft documents how to enforce this setting across the environment with Group Policy

Conclusion

Syed Hasan