State of the Hack

State of the Hack discusses the latest in information security, digital forensics, incident response, cyber espionage, APT attack trends, and tales from the front lines of significant targeted intrusions.

RSS 0 0

S4E02: Weaponizing Office Documents with VBA Purging

Updated about 11 days ago.

Malicious Office document’s module streams that contain source code, but no P-code are more likely to evade YARA rules and AV detection. This evasion technique is called VBA purging; which is different than the observed VBA stomping technique. In this episode we will discuss what VBA purging is, the difference between purging and stomping, the consequences of this technique, and a new tool created by Mandiant’s Red Team called OfficePurge.