My VBA Bot
Writing Office Macro FUD encoder and other stuff

Like other CERT members, I noticed the revival of VBA malware these past years, especially as a dropper for ransomware. To understand it better, and for the fun of it, I decided to give it a try and create my own VBA malware.
I wanted to be sure I could bypass anti-virus software and show why Office documents can be really dangerous!
In this paper I present offensive techniques that can be used to demonstrate how dangerous they are.

Article published on 11 July 2016

by Emeric Nasi

Note: notions of malware mechanisms and programming knowledge are required to fully understand this paper.

I Introduction.

Six months ago I didn't have a clue about how MS Office VBA worked. In fact I did not even know that MS Office documents were just ZIP archives! Like other CERT members, I noticed the revival of VBA malware these past years, especially as a dropper for ransomware.
To understand it better, and for the fun of it, I decided to give it a try and create my own VBA malware, as well as dissecting existing ones.
Another reason I did it is that I needed a nice demonstrator for my security awareness sessions. For that I wanted to be sure I could bypass anti-virus software and show why Office documents can be really dangerous!
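The remark that Office documents are just ZIP archives is the starting point of any macro triage: a defender can open the package with a plain ZIP library and look for the part that holds VBA code. The following script is an added example, not code from the paper or from the author; it builds two constructed, minimal OOXML-like packages in memory (real documents carry many more parts, but the entry names and content types used here are the ones Word uses: `word/vbaProject.bin` for the VBA project and the `macroEnabled` main content type for .docm) and reports whether a package carries macros.

```python
import io
import posixpath
import zipfile

# Constructed stand-ins for Office packages. Entry names and content types are
# the real ones; the payload bytes are placeholders (a real vbaProject.bin is an
# OLE compound file, not the marker used here).
DOCUMENT_XML = (
    b'<?xml version="1.0"?>'
    b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>'
)
CONTENT_TYPES_PLAIN = (
    b'<?xml version="1.0"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Override PartName="/word/document.xml" ContentType='
    b'"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    b'</Types>'
)
CONTENT_TYPES_MACRO = (
    b'<?xml version="1.0"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Override PartName="/word/document.xml" ContentType='
    b'"application/vnd.ms-word.document.macroEnabled.main+xml"/>'
    b'<Override PartName="/word/vbaProject.bin" ContentType='
    b'"application/vnd.ms-office.vbaProject"/>'
    b'</Types>'
)


def build_sample(parts):
    """Pack a dict of {entry name: bytes} into an in-memory ZIP (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


SAMPLE_PLAIN_DOCX = build_sample({
    "[Content_Types].xml": CONTENT_TYPES_PLAIN,
    "word/document.xml": DOCUMENT_XML,
})
SAMPLE_MACRO_DOCM = build_sample({
    "[Content_Types].xml": CONTENT_TYPES_MACRO,
    "word/document.xml": DOCUMENT_XML,
    "word/vbaProject.bin": b"PLACEHOLDER-VBA-PROJECT",
})


def inspect_office_package(data):
    """Open an Office file as a ZIP and report whether it carries a VBA project.

    Two independent signals are checked, because either alone can be missing
    or tampered with: the presence of a vbaProject.bin part anywhere in the
    package, and a macro-enabled declaration in [Content_Types].xml.
    """
    report = {"is_zip": False, "entries": [], "vba_parts": [],
              "macro_enabled_type": False, "has_macros": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report  # legacy .doc (OLE) or not an Office package at all
    report["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        report["entries"] = zf.namelist()
        # Word stores it under word/, Excel under xl/; match on the basename.
        report["vba_parts"] = [
            n for n in report["entries"]
            if posixpath.basename(n).lower() == "vbaproject.bin"
        ]
        if "[Content_Types].xml" in report["entries"]:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            report["macro_enabled_type"] = (
                "macroEnabled" in types_xml or "vbaProject" in types_xml
            )
    report["has_macros"] = bool(report["vba_parts"]) or report["macro_enabled_type"]
    return report


if __name__ == "__main__":
    for label, sample in (("plain .docx", SAMPLE_PLAIN_DOCX),
                          ("macro .docm", SAMPLE_MACRO_DOCM)):
        r = inspect_office_package(sample)
        print(f"{label}: macros={r['has_macros']} vba_parts={r['vba_parts']}")
```

On a real mail gateway or triage box the same function is pointed at the attachment bytes; a package whose extension says .docx but whose report shows a `vbaProject.bin` part, or whose content types say `macroEnabled`, is the kind of mismatch worth flagging before a user is ever asked whether to enable content.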

Note that if you are interested in anti-virus bypass, I explained several techniques using C here

In this paper I am not going to explain VBA forensics; Office document dissection is already described in a lot of papers. I will instead present some of the offensive techniques that can be used in VBA, to demonstrate how dangerous it is.

As Microsoft security wrote to me, "If a user enables a malicious macro, then they have already been compromised", I want to be sure people know why...

If you wish to read more about this, the document can be downloaded in PDF format