Common Information
| Type | Value |
|---|---|
| Value | VBA Stomping - T1564.007 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020) MS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a `PerformanceCache` that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the `_VBA_PROJECT` stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream) An adversary may hide malicious VBA code by overwriting the VBA source code location with zeros, benign code, or random bytes while leaving the previously compiled malicious p-code in place. Tools that scan for malicious VBA source code may be bypassed because the unwanted code is hidden in the compiled p-code. If the VBA source code is removed entirely, some tools may even conclude that no macros are present. If the version recorded in the `_VBA_PROJECT` stream matches the host MS Office application, the p-code is executed; otherwise the benign VBA source code is decompressed and recompiled to p-code, which discards the malicious p-code and may cause dynamic analysis to miss it.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev) |
| Details | Published | Attributes | CTI | Title |
|---|---|---|---|---|
| Details | 2024-09-05 | 24 | Website | Analyzing Malicious .DOCX file with Oletools and more. |
| Details | 2023-10-09 | 45 | Website | R2R stomping – are you ready to run? - Check Point Research |
| Details | 2022-08-10 | 486 | Website | VileRAT: DeathStalker’s continuous strike at foreign and cryptocurrency exchanges |
| Details | 2022-01-12 | 10 | Website | How to Analyze Malicious Microsoft Office Files - Intezer |
| Details | 2021-02-01 | 728 | Website | What tracking an attacker email infrastructure tells us about persistent cybercriminal operations - Microsoft Security Blog |
| Details | 2020-12-15 | 9 | Website | InfoSec Handlers Diary Blog - SANS Internet Storm Center |
| Details | 2020-11-19 | 20 | Website | Purgalicious VBA: Macro Obfuscation With VBA Purging \| Mandiant |
| Details | 2020-02-25 | 6 | Website | Evidence of VBA Purging Found in Malicious Documents |
| Details | 2020-02-05 | 191 | Website | STOMP 2 DIS: Brilliance in the (Visual) Basics \| Mandiant |
| Details | 2018-01-16 | 18 | Website | Hunting Malicious Macros - Pwntario Team Blog |