VBA Stomping - Advanced Malware Techniques

DerbyCon 8.0 - Evolution

Presented by: Harold Ogden, Carrie Roberts, Kirk Sayre
Date: Saturday October 06, 2018
Time: 09:00 - 09:50
Location: Kentucky E
Track: Track 3

There are powerful malicious document generation techniques that are effective at bypassing anti-virus detection. The technique we refer to as VBA stomping destroys the VBA source code in a Microsoft Office document, leaving only the compiled form of the macro, known as p-code, in the document file. Maldoc detection that looks only at the VBA source code fails in this scenario, and reverse engineering such documents presents significant challenges as well. In this talk we demonstrate detailed examples of VBA stomping and introduce some additional techniques. Reverse engineering and defense tips will also be provided.
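The stream layout the abstract relies on can be checked directly. The following is an added example, not code from the talk or from ViperMonkey/oletools: it implements the MS-OVBA source-container decompression, constructs two module streams (one normal, one with the source stomped down to its Attribute line), and flags the module whose compiled cache is present while its source declares no procedure. It assumes the module stream has already been pulled out of the OLE container and that its MODULEOFFSET is known from the `dir` stream; the p-code bytes are an opaque placeholder, not real compiled VBA.

```python
"""Added example, not code from the talk or from ViperMonkey/oletools:
a minimal VBA-stomping check on a single VBA module stream.

Assumptions (labelled): the module stream has already been extracted from
the OLE container and its MODULEOFFSET is known from the `dir` stream;
the p-code bytes below are an opaque placeholder, not real compiled VBA.
Source-container (de)compression follows MS-OVBA section 2.4.1."""
import re
import struct

# MS-OVBA 2.4.1.1.5 chunk header: 12-bit size (chunk bytes minus 3),
# 0b011 signature, top bit set when the chunk holds flag/token sequences.
CHUNK_SIG = 0x3000
CHUNK_COMPRESSED = 0x8000


def decompress_vba(data: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (leading signature byte 0x01)."""
    if not data or data[0] != 0x01:
        raise ValueError("not a VBA compressed container")
    out = bytearray()
    pos = 1
    while pos < len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        if header & 0x7000 != CHUNK_SIG:
            raise ValueError("bad compressed chunk signature")
        chunk_end = min(len(data), pos + (header & 0x0FFF) + 3)
        pos += 2
        chunk_start = len(out)          # copy-token offsets are chunk-relative
        if not header & CHUNK_COMPRESSED:
            out += data[pos:chunk_end]  # raw chunk, copied as-is
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):        # one flag bit per token, LSB first
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(data[pos])       # literal token: one byte
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                # Copy token: offset/length bit split depends on how much of
                # the current chunk has been decompressed so far (ceil(log2)).
                bit_count = max((len(out) - chunk_start - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):         # overlapping back-reference
                    out.append(out[len(out) - offset])
    return bytes(out)


def compress_vba_literals(src: bytes) -> bytes:
    """Build a valid CompressedContainer from literal tokens only (no
    back-references, so it never shrinks). 3640 input bytes per chunk keeps
    the chunk body (455 flag bytes + data) within the 4095-byte limit."""
    out = bytearray(b"\x01")
    for start in range(0, len(src), 3640):
        chunk = src[start:start + 3640]
        body = bytearray()
        for i in range(0, len(chunk), 8):
            body.append(0x00)           # flag byte: next eight tokens are literals
            body += chunk[i:i + 8]
        out += struct.pack("<H", CHUNK_COMPRESSED | CHUNK_SIG | (len(body) + 2 - 3))
        out += body
    return bytes(out)


PROCEDURE_RE = re.compile(
    rb"^\s*(?:(?:Public|Private|Friend)\s+)?(?:Static\s+)?(?:Sub|Function|Property)\b",
    re.I | re.M)


def split_module_stream(stream: bytes, module_offset: int):
    """MS-OVBA 2.3.4.3: a module stream is the PerformanceCache (p-code)
    followed, at MODULEOFFSET from the dir stream, by the compressed source."""
    return stream[:module_offset], decompress_vba(stream[module_offset:])


def check_vba_stomping(stream: bytes, module_offset: int) -> dict:
    """Flag a module whose compiled cache is present but whose source no
    longer declares any procedure (a stomped module typically keeps only the
    Attribute lines that Office requires)."""
    pcode, source = split_module_stream(stream, module_offset)
    has_procedures = PROCEDURE_RE.search(source) is not None
    return {"pcode_bytes": len(pcode), "source_bytes": len(source),
            "source_has_procedures": has_procedures,
            "suspect_stomped": len(pcode) > 0 and not has_procedures}


# Constructed samples, not real Office artifacts; the placeholder stands in
# for the opaque compiled cache that precedes the source in the stream.
FAKE_PCODE = b"\xcc\x61" + bytes(range(48))
CLEAN_SOURCE = (b'Attribute VB_Name = "Module1"\r\n'
                b'Sub AutoOpen()\r\n    Shell "calc.exe"\r\nEnd Sub\r\n')
STOMPED_SOURCE = b'Attribute VB_Name = "Module1"\r\n'   # body wiped, attribute kept


def build_module_stream(pcode: bytes, source: bytes):
    """Return (stream, MODULEOFFSET) for a constructed module stream."""
    return pcode + compress_vba_literals(source), len(pcode)


if __name__ == "__main__":
    for name, src in (("clean", CLEAN_SOURCE), ("stomped", STOMPED_SOURCE)):
        stream, offset = build_module_stream(FAKE_PCODE, src)
        print(name, check_vba_stomping(stream, offset))
```

The check is deliberately the weakest form of the idea: a stomper can also leave decoy source that declares harmless-looking procedures, so a stronger check compares the identifiers and strings recovered from the disassembled p-code against those in the source rather than only asking whether the source is empty. On a real document the module streams and the `dir` stream live under the VBA storage of the OLE container, so `olefile` (or olevba) is needed to reach them before `split_module_stream` applies.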

Carrie Roberts

Carrie is a developer turned Red Teamer. She became interested in Info Sec after doing PC, mobile and web app development. She obtained her Masters in Info Sec Engineering from the SANS Technology Institute in 2015 and holds 11 GIAC certifications including the GSE. She is currently a Senior Red Team Engineer at Walmart and loves to give back to the Info Sec community.

Kirk Sayre

Kirk Sayre is a member of the Dynamic Defense Engineering team at Walmart. One of Kirk's focuses at Walmart has been on the detection and analysis of malicious Office documents. Kirk is one of the primary maintainers of ViperMonkey (https://github.com/decalage2/ViperMonkey), a VBA macro emulator utility. Prior to working for the cybersecurity group at Walmart, Kirk performed cybersecurity research at Oak Ridge National Lab (ORNL). While at ORNL Kirk was one of the primary developers of a tool for automating the reverse engineering of malware, and he is the author of several patents based on this work. Outside of cybersecurity, Kirk has also worked on projects ranging from weapons control systems, medical devices, web applications, corporate software engineering training, and software design tools. Kirk's educational background includes a PhD in Computer Science from the University of Tennessee, where his research centered on using statistical methods to improve the testing of software.

Harold Ogden

Harold Ogden is a member of the Dynamic Defense Engineering team at the Walmart Security Operations Center. He researches malicious documents and observable system behaviors related to common adversary tactics. He writes rules for various file and traffic inspection products, and implements processes to monitor and triage suspected compromise at enterprise scale.


KhanFu - Mobile schedules for INFOSEC conferences.