Malicious Office document’s module streams that contain source code,but no P-code are more likely to evade YARA rules and AV detection.This evasion technique is called VBA purging; which is different thanthe observed VBA stomping technique. In this episode we will discusswhat VBA purging is, the difference between purging and stomping, theconsequences of this technique, and a new tool created by Mandiant’sRed Team called OfficePurge.

State of the Hack

S4E02: Weaponizing Office Documents with VBA Purging

State of the Hack is hosted by FireEye's Christopher Glyer (@cglyer) and Nick Carr (@itsreallynick), that discusses the latest in information security, digital forensics, incident response, cyber espionage, APT attack trends, and tales from the front lines of significant targeted intrusions.

About

State of the Hack