VBA Purging

Created the Friday 20 September 2024. Updated 1 month, 4 weeks ago.

VBA Purging is an obfuscation technique designed to evade detection mechanisms used in malware analysis. When a VBA macro is added to a Microsoft Office document, it is stored in two sections: the PerformanceCache (compiled VBA code) and the CompressedSourceCode (compressed VBA source code). In VBA Purging, the PerformanceCache (compiled code) is completely removed from the module stream, along with associated streams like _SRP_, which contain version-dependent compiled code data. Additionally, the MODULEOFFSET is set to 0 to indicate there is no compiled code.

By eliminating the PerformanceCache and its related components, VBA Purging prevents static analysis tools, antivirus programs, and YARA rules from detecting suspicious strings typically found in compiled VBA macros. The document retains its compressed VBA source code, but the compiled code, which many detection tools rely on, is no longer present. As a result, macros can still run using the decompressed source code, but security systems are less likely to detect them.

This technique is particularly useful for attackers as it significantly reduces detection rates in environments like VirusTotal, where purged documents show a much lower detection rate compared to non-purged versions​​.


Technique Identifier

U0524


Detection Rules

Contributors

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.


Sleeping Alien

Subscribe to our Newsletter

Don't miss out on the latest and greatest updates from us! Subscribe to our newsletter and be the first to know about exciting content and future updates.