
SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center


VBA and P-code

Published: 2016-09-26
Last Updated: 2016-09-26 10:32:27 UTC
by Didier Stevens (Version: 1)
3 comment(s)

I want to draw your attention to some great work Dr. Bontchev did. is a VBA P-code disassembler. Microsoft Office documents store VBA macros in more than one form: they contain the source code, but also the compiled P-code. Dr. Bontchev created a proof-of-concept document that executes P-code and does not contain the corresponding source code. Here is the output from his tool for his PoC document:

python -d poc2b.doc

Processing file: poc2b.doc
Module streams:
Macros/VBA/ThisDocument - 1949 bytes
Line #0:
        FuncDefn (Sub / Property Set) func_00000078
Line #1:
        LitStr 0x001D "This could have been a virus!"
        Ld vbInformation
        Ld vbOKOnly
        LitStr 0x0006 "Virus!"
        ArgsCall MsgBox 0x0003
Line #2:
        LitStr 0x0008 "calc.exe"
        ArgsCall Shell 0x0001
Line #3:


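To triage a disassembly like the one above, here is an added example (my own code, not part of this diary or of Dr. Bontchev's tool) that parses the instruction format shown above, reconstructs which literals and identifiers each ArgsCall consumes, and flags calls to a small, assumed watchlist of functions such as Shell. The sample input is the PoC output reproduced from this page.

```python
import re
from typing import List, NamedTuple

# Constructed sample: the disassembly of the PoC's ThisDocument module as shown above
SAMPLE = """Line #0:
        FuncDefn (Sub / Property Set) func_00000078
Line #1:
        LitStr 0x001D "This could have been a virus!"
        Ld vbInformation
        Ld vbOKOnly
        LitStr 0x0006 "Virus!"
        ArgsCall MsgBox 0x0003
Line #2:
        LitStr 0x0008 "calc.exe"
        ArgsCall Shell 0x0001
Line #3:
"""

# Assumed watchlist: called functions that warrant a closer look during triage
WATCHLIST = {"Shell", "CreateObject", "GetObject", "Environ", "CallByName"}

class Call(NamedTuple):
    line: int          # VBA source line number from "Line #N:"
    func: str          # function named in the ArgsCall
    argc: int          # argument count encoded after the function name
    operands: List[str]  # literals/identifiers pushed on this line before the call
    flagged: bool

LINE_RE = re.compile(r"^Line #(\d+):")
LITSTR_RE = re.compile(r'^\s*LitStr 0x[0-9A-Fa-f]+ "(.*)"$')
LD_RE = re.compile(r"^\s*Ld (\S+)")
CALL_RE = re.compile(r"^\s*ArgsCall (\S+) 0x([0-9A-Fa-f]+)")

def parse_calls(disasm: str) -> List[Call]:
    """Walk the disassembly and record every ArgsCall with its pushed operands.
    Operators (e.g. Add) are not modeled, so operands are collected per line rather
    than popped from a simulated stack; the declared argc is kept for comparison."""
    calls: List[Call] = []
    line_no, operands = -1, []
    for raw in disasm.splitlines():
        raw = raw.rstrip()
        if m := LINE_RE.match(raw):
            line_no, operands = int(m.group(1)), []
        elif m := LITSTR_RE.match(raw) or LD_RE.match(raw):
            operands.append(m.group(1))
        elif m := CALL_RE.match(raw):
            func, argc = m.group(1), int(m.group(2), 16)
            calls.append(Call(line_no, func, argc, operands, func in WATCHLIST))
            operands = []
    return calls

def flagged_calls(disasm: str) -> List[Call]:
    return [c for c in parse_calls(disasm) if c.flagged]

if __name__ == "__main__":
    for c in flagged_calls(SAMPLE):
        print(f"line {c.line}: {c.func}({', '.join(c.operands)})  [argc={c.argc}]")
```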
Dr. Bontchev also coded a plugin for oledump.

Didier Stevens
Microsoft MVP Consumer Security

Keywords: maldoc pcode vba