VBA Stomping - Advanced Malware Techniques

Presented at DerbyCon 8.0 Evolution (2018), Oct. 6, 2018, 9 a.m. (50 minutes).

There are powerful malicious document generation techniques that are effective at bypassing anti-virus detection. A technique which we refer to as VBA stomping refers to destroying the VBA source code in a Microsoft Office document, leaving only a compiled version of the macro code known as p-code in the document file. Maldoc detection based only on the VBA source code fails in this scenario. Reverse engineering these documents presents significant challenges as well. In this talk we will demonstrate detailed examples of VBA stomping as well as introduce some additional techniques. Reverse engineering and defense tips will also be provided.


Presenters:

Links:

Similar Presentations: