2017-03-20

VBA Obfuscation and Macro Obfuscation


Visual Basic Obfuscation via Line Continuation

Be careful while writing YARA signatures for Microsoft Office Macros. A simple technique used to bypass detection of “sub document_open()” for instance is to break it up with the VBA line continuation character “_” (underscore).

We’ve seen this break a few office malware signatures… so you may wish to check your vendor.

If your vendor is only looking for "document_open" or the equivalent VBA of auto-open then you will be ok. However, if vendor is looking for the surrounding parentheses or preceding "sub" then you may want to double check.

Below are three examples:

**split among 3 lines

**split among several lines

**VirtualProtect (commonly used when executing shellcode) being imported from Kernel32 split among several lines












# Yara Rule
rule VBALineContinuationObfuscation
{
   meta:
   Author = "@acalarch, @neu5ron"
   Description = "Identifies potential VBA Obfuscation via empty line continuation, must provide yara an uncompressed vba project”
   strings:
      $a = {20 5F 0D 0A 20 5F 0D 0A}
   condition:
      $a

}


Contributions:
Adam Swan / @acalarch
Nate Guagenti / @neu5ron

No comments:

Post a Comment