Common Information
Type Value
Value
VBA Stomping - T1564.007
Category Attack-Pattern
Type Mitre-Attack-Pattern
Misp Type Cluster
Description Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020) MS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a <code>PerformanceCache</code> that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the <code>_VBA_PROJECT</code> stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream) An adversary may hide malicious VBA code by overwriting the VBA source code location with zero’s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the <code>_VBA_PROJECT</code> stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)
Details Published Attributes CTI Title
Details Website 2024-09-05 24 Analyzing Malicious .DOCX file with Oletools and more.
Details Website 2023-10-09 45 R2R stomping – are you ready to run? - Check Point Research
Details Website 2022-08-10 486 VileRAT: DeathStalker’s continuous strike at foreign and cryptocurrency exchanges
Details Website 2022-01-12 10 How to Analyze Malicious Microsoft Office Files - Intezer
Details Website 2021-02-01 728 What tracking an attacker email infrastructure tells us about persistent cybercriminal operations - Microsoft Security Blog
Details Website 2020-12-15 9 InfoSec Handlers Diary Blog - SANS Internet Storm Center
Details Website 2020-11-19 20 Purgalicious VBA: Macro Obfuscation With VBA Purging | Mandiant
Details Website 2020-02-25 6 Evidence of VBA Purging Found in Malicious Documents
Details Website 2020-02-05 191 STOMP 2 DIS: Brilliance in the (Visual) Basics | Mandiant
Details Website 2018-01-16 18 Hunting Malicious Macros - Pwntario Team Blog