Матрица MITRE ATT&CK

Technique on mitre.org

T1564.007: VBA Stomping

Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.

MS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.

An adversary may hide malicious VBA code by overwriting the VBA source code location with zero’s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.

Positive Technologies products that cover the technique

Description of detection methods is not available yet

Detection

ID	DS0012	Data source and component	Script: Script Execution	Description	Detection efforts should be placed finding differences between VBA source code and p-code. VBA code can be extracted from p-code before execution with tools such as the pcodedmp disassembler. The oletools toolkit leverages the pcodedmp disassembler to detect VBA stomping by comparing keywords present in the VBA source code and p-code.

ID	DS0022	Data source and component	File: File Metadata	Description	If the document is opened with a Graphical User Interface (GUI) the malicious p-code is decompiled and may be viewed. However, if the `PROJECT` stream, which specifies the project properties, is modified in a specific way the decompiled VBA code will not be displayed. For example, adding a module name that is undefined to the `PROJECT` stream will inhibit attempts of reading the VBA source code through the GUI.

ID	Data source and component	Description
DS0012	Script: Script Execution	Detection efforts should be placed finding differences between VBA source code and p-code. VBA code can be extracted from p-code before execution with tools such as the pcodedmp disassembler. The oletools toolkit leverages the pcodedmp disassembler to detect VBA stomping by comparing keywords present in the VBA source code and p-code.
DS0022	File: File Metadata	If the document is opened with a Graphical User Interface (GUI) the malicious p-code is decompiled and may be viewed. However, if the `PROJECT` stream, which specifies the project properties, is modified in a specific way the decompiled VBA code will not be displayed. For example, adding a module name that is undefined to the `PROJECT` stream will inhibit attempts of reading the VBA source code through the GUI.

Mitigation

ID	M1042	Name	Disable or Remove Feature or Program	Description	Turn off or restrict access to unneeded VB components.

ID	Name	Description
M1042	Disable or Remove Feature or Program	Turn off or restrict access to unneeded VB components.