Cyberattacks relying on malicious Office documents have increasingly leveraged a relatively new technique called VBA purging.
VBA purging leaves only the VBA source code in an Office document, instead of the compiled code that is typically present, which improves detection evasion.
Malicious Office documents store VBA code within streams of Compound File Binary Format (CFBF) files. Microsoft's specification for VBA macros (MS-OVBA) stores VBA data in a hierarchy containing different types of streams.
The VBA code is stored in module streams, each consisting of PerformanceCache and CompressedSourceCode.
Office applications access the former if the code was compiled with an app matching their version and architecture; otherwise the “compressed source code is decompressed, compiled, and run instead.”
A previously discovered technique abusing module streams is VBA stomping, where compressed VBA code is removed from Office documents and replaced with non-malicious CompressedSourceCode. This, however, requires the attacker to know the exact Office versions running on the victims’ systems.
With VBA purging, the PerformanceCache data is removed instead, the MODULEOFFSET value is set to 0, and SRP streams are removed, so that no runtime error is hit when the application does not find the compiled code in the module stream.
Because many anti-virus engines rely on specific strings usually stored in PerformanceCache, detection is hindered and attackers can employ more standard techniques to execute suspicious functions undetected.
The company has released OfficePurge, a new tool that supports VBA purging of Word (.doc), Excel (.xls), and Publisher (.pub) documents. They also released a YARA rule to search for modified documents.
The rule might also return false positives, given that there are public libraries that generate benign documents without the compiled VBA code, which resemble purged ones.
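As an added illustration (not the released YARA rule and not code from the researchers), the Python below checks for the two traces described above: every module's MODULEOFFSET equal to 0 and no SRP streams. It assumes the caller has already extracted and decompressed the `dir` stream and listed the stream names; the function names and the sample bytes are constructed for this example, and the `__SRP_` stream-name prefix is taken from MS-OVBA rather than from this page.

```python
import struct

# Record ids in the decompressed MS-OVBA "dir" stream.
PROJECTVERSION, MODULENAME, MODULEOFFSET, MODULE_END = 0x0009, 0x0019, 0x0031, 0x002B

def iter_dir_records(data):
    """Yield (record_id, payload) pairs from a decompressed dir stream."""
    pos = 0
    while pos + 6 <= len(data):
        rec_id, size = struct.unpack_from("<HI", data, pos)
        pos += 6
        if rec_id == PROJECTVERSION:
            size = 6  # format quirk: the field holds 4, but 6 bytes of version follow
        if pos + size > len(data):
            raise ValueError("truncated dir record 0x%04x" % rec_id)
        yield rec_id, data[pos:pos + size]
        pos += size

def purge_indicators(dir_data, stream_names):
    """Report the traces the article describes: MODULEOFFSET == 0 and no SRP streams."""
    offsets, name = {}, None
    for rec_id, payload in iter_dir_records(dir_data):
        if rec_id == MODULENAME:
            name = payload.decode("latin-1")  # assumption: single-byte code page
        elif rec_id == MODULEOFFSET and name is not None and len(payload) == 4:
            offsets[name] = struct.unpack("<I", payload)[0]
        elif rec_id == MODULE_END:
            name = None
    zero = sorted(m for m, off in offsets.items() if off == 0)
    has_srp = any(s.rsplit("/", 1)[-1].startswith("__SRP_") for s in stream_names)
    return {"zero_offset_modules": zero, "srp_streams_present": has_srp,
            # An indicator, not a verdict: some libraries emit benign files like this.
            "looks_purged": bool(offsets) and len(zero) == len(offsets) and not has_srp}

# Constructed sample input (not taken from a real document).
def rec(rec_id, payload=b""):
    return struct.pack("<HI", rec_id, len(payload)) + payload

def sample_dir(module_offsets):
    out = struct.pack("<HIIH", PROJECTVERSION, 4, 1, 0)
    for mod, off in module_offsets.items():
        out += rec(MODULENAME, mod.encode()) + rec(MODULEOFFSET, struct.pack("<I", off)) + rec(MODULE_END)
    return out + rec(0x0010)  # end-of-dir terminator

NORMAL_DIR = sample_dir({"ThisDocument": 0x0A3B, "Module1": 0x0C10})
PURGED_DIR = sample_dir({"ThisDocument": 0, "Module1": 0})
NORMAL_STREAMS = ["Macros/VBA/dir", "Macros/VBA/_VBA_PROJECT", "Macros/VBA/__SRP_0", "Macros/VBA/ThisDocument"]
PURGED_STREAMS = ["Macros/VBA/dir", "Macros/VBA/_VBA_PROJECT", "Macros/VBA/ThisDocument"]

if __name__ == "__main__":
    print("normal:", purge_indicators(NORMAL_DIR, NORMAL_STREAMS))
    print("purged:", purge_indicators(PURGED_DIR, PURGED_STREAMS))
```

Because benign generator libraries can produce the same pattern, a `looks_purged` hit is best used to route the document's source code to further macro analysis rather than to block it outright.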
Using the newly developed detection techniques, the researchers discovered a multitude of documents leveraging VBA purging, created by a wide range of threat actors, some leveraging automation for document generation.
“For as long as companies use Office documents, attackers will be trying to smuggle malicious macros into them. VBA purging represents a recent example of how threat actors continually invent new ways to evade defenders.”