Like other members of CERTs, I have noticed the revival of VBA malware over the past few years, especially as a way to drop ransomware. To better understand it, and for fun, I decided to give it a try and create my own VBA malware.
I wanted to be sure it would bypass anti-virus software and show why Office documents can be really dangerous!
In this paper I present offensive techniques that can be used to demonstrate how dangerous they are.
I Introduction.
Six months ago I did not have a clue about how MS Office VBA worked. In fact I did not even know that MS Office documents are just ZIP archives! Like other members of CERTs, I have noticed the revival of VBA malware over the past few years, especially as a way to drop ransomware.
To better understand it, and for fun, I decided to give it a try and create my own VBA malware, as well as dissect existing ones.
Another reason I did it is that I needed a nice demonstrator for my security awareness sessions. For that I wanted to be sure it would bypass anti-virus software and show why Office documents can be really dangerous!
Note that if you are interested in anti-virus bypass, I explained several techniques using C here
In this paper I am not going to explain VBA forensics; Office document dissection is already described in a lot of papers. I will instead present some of the offensive techniques that can be used in VBA, to demonstrate how dangerous it is.
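Since document dissection is out of scope for the paper, here is a short added example (not from the original paper) that shows what "Office documents are just ZIP archives" means in practice: an OOXML document is opened with the standard `zipfile` module, its parts are listed, and the presence of a VBA project is detected both by the `vbaProject.bin` part name and by the `application/vnd.ms-office.vbaProject` content type declared in `[Content_Types].xml`. The sample documents are constructed in memory for the demo and contain only the parts needed to show the container layout; they are not real Office files.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Content type Office assigns to the VBA project part in macro-enabled files
# (.docm/.xlsm/.pptm). The part itself is an OLE2/CFB binary, not XML.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like ZIP container (constructed demo data,
    not a real Office document): [Content_Types].xml plus a document part,
    and optionally a word/vbaProject.bin part declared as a VBA project."""
    overrides = [
        '<Override PartName="/word/document.xml" ContentType="application/vnd.'
        'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    ]
    if with_macro:
        overrides.append(
            '<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + "".join(overrides)
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for the OLE2 VBA project (constructed).
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def inspect_document(data: bytes) -> dict:
    """Open an OOXML document as a ZIP and report whether it carries VBA.

    Two independent checks are used because a renamed file keeps its parts:
    a .docm saved as .docx still contains word/vbaProject.bin and still
    declares the VBA content type, so the extension alone proves nothing.
    """
    result = {"is_zip": False, "parts": [], "vba_parts": [],
              "macro_content_types": [], "has_macros": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy .doc/.xls (OLE2) and non-Office files are not ZIP containers.
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        result["is_zip"] = True
        result["parts"] = zf.namelist()
        result["vba_parts"] = [n for n in zf.namelist()
                               if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" in zf.namelist():
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            for el in root.iter(CT_NS + "Override"):
                if el.get("ContentType") == VBA_CONTENT_TYPE:
                    result["macro_content_types"].append(el.get("PartName"))
    result["has_macros"] = bool(result["vba_parts"] or result["macro_content_types"])
    return result


if __name__ == "__main__":
    for flag in (True, False):
        info = inspect_document(build_sample_document(flag))
        print("macro-enabled:", flag, "->", info["parts"], "has_macros:", info["has_macros"])
```

To run it against a real file, pass `open(path, "rb").read()` to `inspect_document`; extracting the actual VBA source from `vbaProject.bin` requires an OLE2 parser, which is exactly the dissection work the paper leaves to other papers.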
As Microsoft security wrote to me, “If a user enables a malicious macro, then they have already been compromised”, I want to be sure people know why...
If you wish to read more about this, the document can be downloaded in PDF format.