Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

VBE: Encoded VBS Script

Published: 2016-03-29
Last Updated: 2016-03-29 19:15:45 UTC
by Didier Stevens (Version: 1)
1 comment(s)

A file with with extension .vbe is an encoded Visual Basic Script file. I've seen them recently used in malicious documents, like this one:

The script is encoded, you can not make much sense of it. You will need to use a tool (like this one) to decode it to .vbs, so that it becomes readable. Unfortunately, the tools I found to decode .vbe files were Windows based. So I decided to make a Python tool to decode .vbe files.

You can find here.

And I also have a YARA rule to detect VBE scripts, for example embedded in malicious office documents.

You can find my YARA rule here.

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
IT Security consultant at Contraste Europe.

Keywords: maldoc VBE
1 comment(s)
ISC Stormcast For Tuesday, March 29th 2016
Diary Archives