SANS ISC: SANS Internet Storm Center

Maldoc: VBA Purging Example

Published: 2020-07-12
Last Updated: 2020-07-12 22:08:14 UTC
by Didier Stevens (Version: 1)

An anonymous reader asked if the malicious document Brad discussed in his latest diary entry was "purged". VBA purging means that the compiled VBA code (PerformanceCache) is missing.

And indeed, if you use my tool with option -i, you get more information and you can see that the PerformanceCache data is not present:

0+2359 means that the size of the PerformanceCache data is 0, and that the size of the CompressedSourceCode data is 2359 bytes: this VBA code is indeed purged.

I took a look at the metadata to get an indication of whether the document was created with Office and then VBA purged, or whether a custom tool was used that does not generate PerformanceCache data. Since it is an OOXML file, I looked for the properties XML files (docProps):

And as you can see, the metadata is missing too.

It's not just that the docProps files have been deleted; they are also not referenced in the Content_Types file:

I need to take a better look to have more confidence, but now I would be inclined to think that this document was created with a custom tool.
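The metadata check described above can be scripted. The following is an added example, not code from this diary or from the author's tools: it uses only the Python standard library to report whether docProps parts exist in an OOXML package and whether [Content_Types].xml or, going one step beyond the text, the root relationships file (_rels/.rels) still reference them. The function names, the result keys and the sample package are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def docprops_report(data: bytes) -> dict:
    """Report docProps parts, and references to them, in an OOXML package."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        types = ET.fromstring(z.read("[Content_Types].xml"))
        rels = (ET.fromstring(z.read("_rels/.rels"))
                if "_rels/.rels" in names else None)
    overrides = [o.get("PartName", "") for o in types.iter(CT_NS + "Override")]
    targets = ([r.get("Target", "") for r in rels.iter(REL_NS + "Relationship")]
               if rels is not None else [])
    parts = sorted(n for n in names if n.lower().startswith("docprops/"))
    refs = sorted(p for p in overrides + targets
                  if p.lstrip("/").lower().startswith("docprops/"))
    return {
        "has_vba": any(n.lower().endswith("vbaproject.bin") for n in names),
        "parts": parts,
        "references": refs,
        # Neither parts nor references: the case observed in this diary.
        "no_metadata": not parts and not refs,
        # References survive but the parts are gone: files deleted afterwards.
        "dangling_reference": bool(refs) and not parts,
    }


def build_sample(with_props: bool, keep_parts: bool = True) -> bytes:
    """Constructed minimal package for the demo (not a valid workbook)."""
    override = '<Override PartName="/docProps/core.xml" ContentType="x"/>'
    ct = f'<Types xmlns="{CT_NS[1:-1]}">{override if with_props else ""}</Types>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", ct)
        z.writestr("xl/vbaProject.bin", b"constructed placeholder")
        if with_props and keep_parts:
            z.writestr("docProps/core.xml", "<coreProperties/>")
    return buf.getvalue()
```

Pass the bytes of a sample under analysis to `docprops_report`; `no_metadata` alone is only a hint about the producing tool and should be weighed together with the other observations.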

Update: I just noticed that the VBA code is also password protected.

Update 2: I have even more confidence; now I'm thinking this document was created with the C# library EPPlus.


Didier Stevens
Senior handler
Microsoft MVP

Keywords: maldoc purging vba