Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



Threat Actors Increasingly Using VBA Purging in Attacks

Cyberattacks relying on malicious Office documents have increasingly leveraged a relatively new technique called VBA Purging, FireEye said over the weekend, when it also announced the availability of a related open source tool.

Cyberattacks relying on malicious Office documents have increasingly leveraged a relatively new technique called VBA Purging, FireEye said over the weekend, when it also announced the availability of a related open source tool.

Initially detailed in February 2020, VBA purging involves the use of VBA source code only within Office documents, instead of the typically compiled code, and ensures better detection evasion.

Malicious Office documents have VBA code stored within streams of Compound File Binary Format (CFBF) files, with Microsoft’s specifications on VBA macros (MS-OVBA) storing VBA data in a hierarchy containing different types of streams.

The VBA code is stored in module streams, consisting of PerformanceCache (P-code – compiled VBA code) and CompressedSourceCode (VBA source code compressed with a proprietary algorithm).

Office applications access the former if the code was compiled with an app matching their version and architecture, otherwise the “compressed source code is decompressed, compiled, and run instead,” FireEye explains.

A previously discovered technique abusing module streams is VBA stomping, where compressed VBA code is removed from Office documents and replaced with non-malicious CompressedSourceCode. This, however, required for the attacker to know the exact Office versions running on the victims’ systems.

With VBA purging, the PerformanceCache data is removed instead, the MODULEOFFSET value is switched to 0, and SRP streams are removed, to ensure no runtime error is hit when the application does not find the compiled code in the module stream.

Because many anti-virus engines rely on specific strings usually stored in PerformanceCache, detection is hindered and attackers can employ more standard techniques to execute suspicious functions undetected.

Advertisement. Scroll to continue reading.

FireEye submitted to VirusTotal a normal Office document carrying malicious VBA code and a counterpart to which VBA purging had been applied, and noticed that detection rates dropped 67%, which clearly shows the efficiency of the technique.

The company has released OfficePurge, a new tool that supports VBA purging of Word (.doc), Excel (.xls), and Publisher (.pub) documents. They also released a YARA rule to search for modified documents.

“Searching with this logic on VirusTotal reveals a large number of malicious documents, meaning this is very prevalent in the wild and in use by attackers. This rule should identify most publicly documented examples of VBA purging,” FireEye notes.

However, the rule might also return false positives, given that there are public libraries that generate benign documents without the compiled VBA code, which resemble purged ones.

Using the newly developed detection techniques, the researchers discovered a multitude of documents leveraging VBA purging, created by a wide range of threat actors, some leveraging automation for document generation.

“For as long as companies use Office documents, attackers will be trying to smuggle malicious macros into them. VBA purging represents a recent example of how threat actors continually invent new ways to evade defenders,” FireEye concludes.

Related: Researcher Details Sophisticated macOS Attack via Office Document Macros

Related: Microsoft Office for Mac Users Exposed to Macro-Based Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights