Last Updated: 2016-03-29 19:15:45 UTC
by Didier Stevens (Version: 1)
A file with with extension .vbe is an encoded Visual Basic Script file. I've seen them recently used in malicious documents, like this one:
The script is encoded, you can not make much sense of it. You will need to use a tool (like this one) to decode it to .vbs, so that it becomes readable. Unfortunately, the tools I found to decode .vbe files were Windows based. So I decided to make a Python tool to decode .vbe files.
You can find decode-vbe.py here.
And I also have a YARA rule to detect VBE scripts, for example embedded in malicious office documents.
You can find my YARA rule here.