Deep CDR prevents Advanced Maldoc Techniques - VBA Stomping
Macros remain the most popular vector for malware and payload delivery. In fact, malware authors are shifting to attack methodologies that leverage MS Office and script-based threats. Script-based detections increased significantly (73.55%), as did Office macro-based detections (30.43%), according to the Malware Threat Report: Q2 2020 Statistics and Trends by Avira Protection Labs.(1) Threat actors use various techniques to hide malicious macros, such as evasive VBA and locked VBA projects, which render the macro code ‘unviewable’. These threats can be neutralized by OPSWAT Deep Content Disarm and Reconstruction (Deep CDR) technology. Deep CDR efficacy is described in our previous blog post. In this blog, we will show how OPSWAT Deep CDR prevents another advanced malware evasion technique called VBA Stomping.
VBA stomping was illustrated by Dr. Vesselin Bontchev in the introduction to his VBA p-code disassembler. The problem is that VBA stomping destroys the original VBA source code embedded in an Office file while the compiled p-code (a pseudo code for a stack machine) remains and can still be executed to deliver malware. As a result, malicious document (maldoc) detection based on the VBA source code is bypassed and the malicious payload is delivered successfully. Here is a detailed example of VBA stomping.
Using the VBA stomping technique, the original macro script is altered to show a simple message. This prevents anti-malware programs from detecting the suspicious active content in the file. However, the macro is still executable (via the p-code) and still requests execution of the command line.
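The split between stored source and compiled p-code that stomping relies on can be inspected from the defender's side. The following Python is an added example, not OPSWAT's code or anything from the original post: it decompresses the VBA source held in a module stream according to MS-OVBA and flags the simplest stomping pattern, a p-code region present while the decompressed source declares no procedure. It assumes the caller has already extracted the module stream and its MODULEOFFSET from the dir stream (for example with olefile/oletools), and the sample bytes below are constructed.

```python
import re

def decompress_container(data: bytes) -> bytes:
    """MS-OVBA CompressedContainer: 0x01 signature, then chunks of 2-byte header
    (bit 15 = compressed, low 12 bits = size - 3) plus flag-byte/token data."""
    if not data or data[0] != 0x01:
        raise ValueError("not an MS-OVBA compressed container")
    out, pos = bytearray(), 1
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        end = min(pos + (header & 0x0FFF) + 3, len(data))   # chunk size includes header
        i, chunk_start = pos + 2, len(out)
        if not header & 0x8000:                  # stored (uncompressed) chunk
            out += data[i:end]
            i = end
        while i < end:
            flags, i = data[i], i + 1
            for bit in range(8):
                if i >= end:
                    break
                if not (flags >> bit) & 1:       # flag bit clear: literal byte
                    out.append(data[i]); i += 1
                    continue
                token = int.from_bytes(data[i:i + 2], "little"); i += 2
                diff = len(out) - chunk_start    # bytes emitted so far in this chunk
                bits = max(4, (diff - 1).bit_length())   # ceil(log2(diff)), minimum 4
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                for _ in range(length):          # back-reference may overlap itself
                    out.append(out[-offset])
        pos = end
    return bytes(out)

PROC_RE = re.compile(r"\s*(?:(?:Public|Private|Friend)\s+)?(?:Static\s+)?(?:Sub|Function|Property)\b", re.I)

def analyze_module(stream: bytes, module_offset: int, min_pcode_bytes: int = 64) -> dict:
    """Split a module stream at MODULEOFFSET (from the dir stream) into p-code and
    compressed source; min_pcode_bytes is a tuning assumption, not an MS-OVBA value."""
    pcode = stream[:module_offset]
    source = decompress_container(stream[module_offset:]).decode("latin-1")
    code = [ln for ln in source.splitlines() if ln.strip() and not ln.startswith("Attribute ")]
    has_proc = any(PROC_RE.match(ln) for ln in code)
    return {"pcode_bytes": len(pcode), "source_lines": len(code), "has_procedure": has_proc,
            "suspicious": len(pcode) >= min_pcode_bytes and not has_proc}

# Constructed samples, not from a real file: placeholder p-code and two hand-encoded source containers.
FAKE_PCODE = b"\x00" * 200
SOURCE_BLOB = b"\x01\x16\xb0\x00Sub Demo\x00()\r\nEnd \x01\x00\xf0\r\n"   # copy token re-emits "Sub"
STOMPED_BLOB = b'\x01\x1c\xb0\x00Attribut\x00e VB_Nam\x00e = "M"\r\x00\n'
```

A module stomped to innocuous code, as in the scenario above, passes this check; catching that case requires disassembling the p-code (Bontchev's pcodedmp) and comparing its identifiers and strings against the source.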
OPSWAT Deep CDR protects you from all malicious content hidden in files. It removes both macro source code and p-code within documents. Our advanced threat prevention technology does not rely on detection. It assumes all files entering your network are suspicious and sanitizes and reconstructs every file with only its legitimate components. Regardless of how the active content (macro, form field, hyperlink, etc.) is concealed in a document, it is removed before the file is sent to users. Watch the demo video below to understand how Deep CDR is effective in the VBA Stomping scenario.
OPSWAT Deep CDR ensures every file entering your organization is rendered harmless. This helps prevent zero-day attacks and stops evasive malware from entering your organization. Our solution supports sanitization for over 100 common file types, including PDF, Microsoft Office files, HTML, image files, and many regional-specific formats such as JTD and HWP.
Contact us to understand more about OPSWAT’s advanced technologies and to protect your organization from increasingly sophisticated attacks.
Reference:
(1) "Malware Threat Report: Q2 2020 Statistics And Trends | Avira Blog". 2020. Avira Blog. https://www.avira.com/en/blog/malware-threat-report-q2-2020-statistics-and-trends.