There are many malicious techniques on the network, and we know it, but today we look at a technique called VBA stomping, which is used to build malicious documents, also known as "maldocs". It consists of removing or modifying the source code of the macros in a Microsoft Office document, leaving only the compiled version of the macros, called p-code. In this way, an attacker is able to bypass maldoc detection that is based on source code analysis.

We already know that email with attachments is one of the most popular entry routes for malware, specifically Office attachments. This is possible, to a large extent, thanks to the ability to program code in the macros of Office documents. There are several reasons why this technique continues to work two decades after it began to be used:

▸Macros are easy to hide.

▸Macros are legitimate. Even though they are disabled by default, it is easy for the user to enable them.

▸They are sent by email, where attachments are usually only analyzed statically; email is also the easiest way to deceive users.

▸It remains a very lucrative avenue for cyber attackers.

One of the biggest problems is that antivirus products have relied on this source code, even to classify samples. Then someone realized that the document could still infect if the compiled code was kept but the source code was deleted, and so it was. This technique of erasing the source code is VBA stomping, and it allows malware to go unnoticed with little impact on its ability to infect. Not everything is bad news, though. Although this problem is very deceptive, the first thing to do is to use judgment: we know that for malware to enter our system, interaction with the user is necessary, so do not fall for it and apply safety margins to avoid these deceptions. It is always good, too, to have tools that help us against threats of this type and others.
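The check a defender would want here, as an added example that is not from the original post: in a VBA project each module stream holds the p-code first and the macro source after it, at the module's MODULEOFFSET, stored in MS-OVBA compressed form. The script below decodes that container and flags a module whose p-code region is present while its source is missing or contains nothing but Attribute lines, which is what a stomped module looks like. The sample streams and the p-code bytes are constructed placeholders; a real check reads the module streams and MODULEOFFSET values from vbaProject.bin with an OLE parser.

```python
def decompress(data: bytes) -> bytes:
    """MS-OVBA CompressedContainer decoder (the format VBA module source is stored in)."""
    if not data or data[0] != 0x01:
        raise ValueError("not an MS-OVBA compressed container")
    out, pos = bytearray(), 1
    while pos < len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        size = (header & 0x0FFF) + 3          # total chunk size incl. 2-byte header
        chunk, pos, start = data[pos + 2:pos + size], pos + size, len(out)
        if not header & 0x8000:               # raw chunk: 4096 literal bytes
            out += chunk[:4096]
            continue
        i = 0
        while i < len(chunk):
            flags, i = chunk[i], i + 1        # flag byte: one bit per following token
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not (flags >> bit) & 1:    # literal byte
                    out.append(chunk[i]); i += 1
                else:                         # copy token: (offset, length) back-reference
                    token = int.from_bytes(chunk[i:i + 2], "little"); i += 2
                    bits = max(4, (len(out) - start - 1).bit_length())
                    length = (token & (0xFFFF >> bits)) + 3
                    offset = (token >> (16 - bits)) + 1
                    for _ in range(length):
                        out.append(out[-offset])
    return bytes(out)

def compress_literal(src: bytes) -> bytes:
    """Minimal container: one compressed chunk, literal tokens only (constructed, < 4096 bytes)."""
    body = bytearray()
    for i in range(0, len(src), 8):
        body += b"\x00" + src[i:i + 8]       # flag 0x00: next eight tokens are literal bytes
    header = 0xB000 | (len(body) + 2 - 3)    # 0x8000 = compressed, 0x3000 = signature bits
    return b"\x01" + header.to_bytes(2, "little") + bytes(body)

def looks_stomped(module_stream: bytes, text_offset: int) -> bool:
    """Heuristic: p-code region present, but the source at MODULEOFFSET holds only Attribute lines."""
    try:
        source = decompress(module_stream[text_offset:]).decode("latin-1")
    except ValueError:                        # source bytes wiped or zeroed: nothing to decompress
        source = ""
    lines = [ln.strip() for ln in source.splitlines() if ln.strip()]
    return text_offset > 0 and all(ln.startswith("Attribute VB_") for ln in lines)

# Constructed sample streams: placeholder bytes stand in for the real p-code region.
FAKE_PCODE = bytes(range(64))
NORMAL = FAKE_PCODE + compress_literal(b'Attribute VB_Name = "Module1"\r\nSub Demo()\r\nMsgBox "hi"\r\nEnd Sub\r\n')
STOMPED = FAKE_PCODE + compress_literal(b'Attribute VB_Name = "Module1"\r\n')
ZEROED = FAKE_PCODE + bytes(32)
```

`looks_stomped(STOMPED, len(FAKE_PCODE))` and `looks_stomped(ZEROED, len(FAKE_PCODE))` return True, while the normal module returns False; a hit is a reason to inspect the p-code itself rather than trust the (absent) source.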



By Truxgo
