VBA for the masses presented at GreHack 2019

by Jonas Zaddach

Summary: Even though VBA macros have been a major entry route for malware for quite some time, little work has been published on analysis tools. Malware authors evade static pattern-based signatures with relatively simple string obfuscation, but since Microsoft Office is de facto the only platform that executes VBA macros, dynamic analysis requires a full VM with Office. As a result, observables are noisy and coarse-grained, mostly limited to file system and network activity. This talk proposes a sandboxed interpreter for VBA macros. The interpreter is more faithful in its behavior than any other VBA analysis tool currently available, allowing it to execute most macro code in the wild. It is fast, delivering results in a few seconds. The Java code is easily extensible to cover new VBA functions used by malware. In summary, this VBA interpreter is an open source solution to identify malicious VBA macros in Microsoft Office documents. It is much faster than current solutions based on full VM emulation, more faithful than approximative approaches to malicious macro detection such as SpiderMonkey’s constant propagation, and outputs observables such as generated files, accessed URLs and invoked command lines for further processing.
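As an added illustration of the abstract's argument (example code written for this page, not code from the talk or from the interpreter it presents), the Python below evaluates an assumed tiny subset of VBA string expressions (literals, `&`, `Chr`, `StrReverse`) over a constructed macro line: a URL signature finds nothing in the obfuscated source, but matches once the expression has been evaluated to its concrete value.

```python
import re

# Added illustration, not the talk's interpreter. Constructed sample: a VBA line
# that builds a URL from Chr(), "&" and StrReverse() so it never appears verbatim.
SAMPLE_MACRO_LINE = (
    'url = "ht" & Chr(116) & Chr(112) & "://" & StrReverse("elpmaxe") '
    '& "." & Chr(99) & Chr(111) & "m" & "/update.txt"'
)
URL_SIGNATURE = re.compile(r"https?://[\w.-]+/\S*")  # static pattern for source
TOKEN_RE = re.compile(r'"(?P<str>[^"]*)"|(?P<num>\d+)|(?P<name>[A-Za-z_]\w*)'
                      r'|(?P<punct>[&()])|(?P<ws>\s+)|(?P<bad>.)')
FUNCS = {"chr": lambda n: chr(int(n)), "strreverse": lambda s: s[::-1]}  # subset

def tokenize(expr):
    """Split a VBA string expression into (kind, value) tokens."""
    tokens = []
    for m in TOKEN_RE.finditer(expr):
        kind, val = m.lastgroup, m.group(m.lastgroup)
        if kind == "bad":
            raise ValueError("cannot tokenize %r" % val)
        if kind != "ws":
            tokens.append((kind, int(val) if kind == "num" else val))
    return tokens

def parse_expr(tokens, i):
    """expr := term ("&" term)*; VBA "&" concatenates, coercing to string."""
    value, i = parse_term(tokens, i)
    while i < len(tokens) and tokens[i] == ("punct", "&"):
        rhs, i = parse_term(tokens, i + 1)
        value = str(value) + str(rhs)
    return value, i

def parse_term(tokens, i):
    """term := string | number | Chr(expr) | StrReverse(expr); returns (value, next)."""
    kind, val = tokens[i] if i < len(tokens) else ("end", None)
    if kind in ("str", "num"):
        return val, i + 1
    if kind == "name" and val.lower() in FUNCS and tokens[i + 1:i + 2] == [("punct", "(")]:
        arg, j = parse_expr(tokens, i + 2)
        if tokens[j:j + 1] != [("punct", ")")]:
            raise ValueError("expected ')' after %s(" % val)
        return FUNCS[val.lower()](arg), j + 1
    raise ValueError("unsupported VBA construct %r" % ((kind, val),))

def evaluate_assignment(line):
    """Return (variable, concrete value) for a 'name = <expr>' macro line."""
    name, _, rhs = line.partition("=")
    tokens = tokenize(rhs)
    value, end = parse_expr(tokens, 0)
    if end != len(tokens):
        raise ValueError("trailing tokens %r" % tokens[end:])
    return name.strip(), value
```

Any construct outside the modelled subset raises `ValueError`, which is the point at which a real interpreter such as the one in the talk would need the corresponding VBA function added.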