VBA Purging

Created on Friday 20 September 2024. Updated 3 weeks, 4 days ago.

VBA Purging is an obfuscation technique designed to evade detection mechanisms used in malware analysis. When a VBA macro is added to a Microsoft Office document, it is stored in two sections: the PerformanceCache (compiled VBA code) and the CompressedSourceCode (compressed VBA source code). In VBA Purging, the PerformanceCache (compiled code) is completely removed from the module stream, along with associated streams like _SRP_, which contain version-dependent compiled code data. Additionally, the MODULEOFFSET is set to 0 to indicate there is no compiled code.

By eliminating the PerformanceCache and its related components, VBA Purging prevents static analysis tools, antivirus programs, and YARA rules from detecting suspicious strings typically found in compiled VBA macros. The document retains its compressed VBA source code, but the compiled code, which many detection tools rely on, is no longer present. As a result, macros can still run using the decompressed source code, but security systems are less likely to detect them.

This technique is particularly useful for attackers as it significantly reduces detection rates in environments like VirusTotal, where purged documents show a much lower detection rate compared to non-purged versions.
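The two artifacts described above (MODULEOFFSET set to 0 and no _SRP_ streams) can be checked directly. The following is an added detection sketch, not code from this page or from any tool it references; it assumes the dir stream has already been decompressed and the stream names of the VBA storage have been listed, and the function names and sample data are hypothetical.

```python
import struct

# Record ids from the MS-OVBA dir stream layout.
PROJECTVERSION, MODULESTREAMNAME, MODULEOFFSET = 0x0009, 0x001A, 0x0031

def module_offsets(dir_bytes):
    """Walk the Id/Size/Data records of a decompressed dir stream and
    return {module stream name: MODULEOFFSET value}."""
    offsets, pos, current = {}, 0, None
    while pos + 6 <= len(dir_bytes):
        rec_id, size = struct.unpack_from("<HI", dir_bytes, pos)
        pos += 6
        if rec_id == PROJECTVERSION:
            size = 6  # Size field holds 4, but 6 bytes of version data follow
        data = dir_bytes[pos:pos + size]
        if len(data) < size:
            break  # truncated stream: stop rather than misparse
        pos += size
        if rec_id == MODULESTREAMNAME:
            # Assumption: latin-1 as a lossless stand-in for the project code page
            current = data.decode("latin-1")
        elif rec_id == MODULEOFFSET and size == 4 and current is not None:
            offsets[current] = struct.unpack("<I", data)[0]
    return offsets

def looks_purged(dir_bytes, stream_names):
    """Heuristic: every module's source starts at offset 0 (nothing in front
    of the CompressedSourceCode) and no _SRP_ stream is present."""
    offsets = module_offsets(dir_bytes)
    has_srp = any("_SRP_" in name for name in stream_names)
    return bool(offsets) and all(v == 0 for v in offsets.values()) and not has_srp

def _rec(rec_id, data=b""):
    return struct.pack("<HI", rec_id, len(data)) + data

def _sample_dir(name, offset):
    # Constructed sample: a minimal record sequence, not taken from a real file.
    return (struct.pack("<HIIH", PROJECTVERSION, 4, 1, 1)
            + _rec(0x0019, name) + _rec(MODULESTREAMNAME, name)
            + _rec(MODULEOFFSET, struct.pack("<I", offset))
            + _rec(0x002B) + _rec(0x0010))

# Constructed inputs: (decompressed dir bytes, stream names in the VBA storage)
NORMAL = (_sample_dir(b"Module1", 0x0A3F), ["dir", "_VBA_PROJECT", "__SRP_0", "Module1"])
PURGED = (_sample_dir(b"Module1", 0), ["dir", "_VBA_PROJECT", "Module1"])

if __name__ == "__main__":
    for label, (d, names) in (("normal", NORMAL), ("purged", PURGED)):
        print(label, module_offsets(d), looks_purged(d, names))
```

A positive result is a triage signal: it means the document carries macro source without compiled code, so the decompressed source should be inspected instead of relying on string matches against the compiled form.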


Technique Identifier

U0524

