A VBA P-Code Disassembler
Publication Type: Conference Paper
Source: DIGILIENCE 2019, Sofia, Bulgaria (2019)
Keywords: Macros, malware, Microsoft Office, VBA, Visual Basic for Applications
Recently, we have observed a significant increase in the frequency with which Microsoft Office macros are used as an attack vector. Microsoft Office uses a macro programming language called Visual Basic for Applications (VBA), which is powerful enough to do whatever the attacker needs. Usually, malicious VBA macros are used to download the second stage of the malware (ransomware, banking Trojan, backdoor, etc.). They can be relatively small and are easy to modify, or even to rewrite completely each time, which makes them difficult to detect at the perimeter defenses (e.g., with an e-mail scanner) using known-malware detection tools.
So far, we have seen malicious VBA macros distributed in Microsoft Word, Excel, PowerPoint, Access, Visio, Project and Publisher documents. Microsoft Office has built-in protections against the execution of foreign macros, but unless properly administered, they are easy for the user to disable, and malicious documents usually use some form of social engineering to convince the user to do so. Therefore, we need proper tools for inspecting the macro content of received documents, in order to decide whether they contain any malicious code. During our research we discovered that the publicly available tools lack the capability to discover all forms in which a malicious macro can exist. We have applied our findings from reverse-engineering the formats of Microsoft Office documents and have created a tool that disassembles the p-code into which VBA is compiled.
This paper is included in the program of DIGILIENCE 2019 and will be published in the post-conference volume.