-
Notifications
You must be signed in to change notification settings - Fork 0
/
index.html
85 lines (83 loc) · 7.71 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
<!doctype html>
<html lang='en'>
<head>
<title> VBA Stomp </title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">
<link rel="stylesheet" href="styles.css">
<base rel="noopener noreferrer" target="_blank">
</head>
<body class="bg-dark">
<div class="bg-dark container">
<div class="bg-dark jumbotron jumbotron-fluid">
<div class="container-fluid">
<img id="logo" class="img-fluid" src="logo.png">
<div class="img-fluid" id="linksDiv">
<ul >
<li>Original Work<span id="by"> by Dr. Vesselin Bontchev (@VessOnSecurity)</span></li>
<li id="links"><a href="https://github.com/bontchev/pcodedmp">Pcodedmp tool</a></li>
</br>
<li>Walmart Blog Posts<span id="by"> by Harold Ogden (@haroldogden), Kirk Sayre (@bigmacjpg) and Carrie Roberts (@OrOneEqualsOne)</span></li>
<li id="links"><a href="https://medium.com/walmartlabs/ms-office-file-formats-advanced-malicious-document-maldoc-techniques-b5f948950fdf">MS Office File Formats - Advanced Malicious Document (Maldoc) Techniques</a></li>
<li id="links"><a href="https://medium.com/walmartlabs/evasive-vba-advanced-maldoc-techniques-1365e9373f80">Evasive VBA - Advanced Maldoc Techniques</a></li>
<li id="links"><a href="https://medium.com/walmartlabs/vba-stomping-advanced-maldoc-techniques-612c484ab278">VBA Stomping – Advanced Maldoc Techniques</a></li>
<li id="links"><a href="https://medium.com/walmartlabs/vba-project-locked-project-is-unviewable-4d6a0b2e7cac">VBA Project Locked; Project is Unviewable</a></li>
</br>
<li><a>DerbyCon 2018 Presentation</a><span id="by"> by Harold Ogden (@haroldogden), Kirk Sayre (@bigmacjpg) and Carrie Roberts (@OrOneEqualsOne)</span></li>
<li id="links">VBA Stomping: Advanced Malicious Document Techniques<a href="https://github.com/clr2of8/Presentations/blob/master/DerbyCon2018-VBAstomp-Final-WalmartRedact.pdf">Slides</a></li>
<li id="links"><a href="http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-06-vba-stomping-advanced-malware-techniques-carrie-roberts-kirk-sayre-harold-ogden-">Video of Presentation</a></li>
</br>
<li><a>Troopers 2019 Presentation: </a> <span id="by"> by Stan Hegt (@StanHacked) and Pieter Ceelen (@ptrpieter)</span></li>
<li id="links">MS Office File Format Sorcery <a href="https://github.com/outflanknl/Presentations/blob/master/Troopers19_MS_Office_file_format_sorcery.pdf">Slides</a></li>
<li id="links"><a href="https://www.youtube.com/watch?v=iXvvQ5XML7g">Video of Presentation</a></li>
</br>
<li><a>Sp4rkcon 2019 Presentation</a><span id="by"> by Kirk Sayre (@bigmacjpg) and Carrie Roberts (@OrOneEqualsOne)</span></li>
<li id="links">Advanced Malware VBA Stomping: What's New in 2019 <a href="https://github.com/clr2of8/Presentations/blob/master/Sp4rkCon2019-VBAstomp.pdf">Slides</a></li>
<li id="links"><a href="https://www.youtube.com/watch?v=9hIWYtyO-eM">Video of Presentation</a></li>
</br>
<li><a>Black Hat Europe 2019 Presentation</a><span id="by"> by Philippe Lagadec (@decalage2)</span></li>
<li id="links">Advanced VBA Macros Attack & Defence <a href="https://www.decalage.info/files/eu-19-Lagadec-Advanced-VBA-Macros-Attack-And-Defence.pdf">Slides</a></li>
</br>
<li><a>ISC Blogs</a><span id="by"> by Didier Stevens (@DidierStevens)</span></li>
<li id="links"><a href="https://isc.sans.edu/diary/Malicious+VBA+Office+Document+Without+Source+Code/24870">Malicious VBA Office Document Without Source Code</a></li>
<li id="links"><a href="https://isc.sans.edu/forums/diary/VBA+and+Pcode/21521/">VBA and P-code</a></li>
</br>
<li><a>FireEye Blog Posts</a></li>
<li id="links"><a href="https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html">STOMP 2 DIS: Brilliance in the (Visual) Basics</a><span id="by"> by Rick Cole, Andrew Moore, Genevieve Stark, Blaine Stancill</span></li>
</br>
<li><a>Tools to Create VBA Stomped Documents</a></li>
<li id="links"><a href="https://github.com/outflanknl/EvilClippy">EvilClippy</a><span id="by"> by Stan Hegt (@StanHacked)</span> see <a href="https://github.com/outflanknl/EvilClippy/releases">here</a> for prebuilt executables</li>
<li id="links"><a href="https://github.com/haroldogden/adb">Adaptive Document Builder</a><span id="by"> by Harold Ogden (@haroldogden) and Kirk Sayre (@bigmacjpg)</span></li>
</br>
<li>VBA Stomp Detection</li>
<li id="links"><a href="https://github.com/clr2of8/YaraRules/blob/master/unusual_office_zip_header">Yara Rule to Detect Unusual Zip Header</a><span id="by"> by Carrie Roberts (@OrOneEqualsOne)</span></li>
<li id="links"><a href="https://github.com/kirk-sayre-work/VBASeismograph">VBASeismograph: Script to Detect VBA <-> P-code Mismatch</a><span id="by"> by Kirk Sayre (@bigmacjpg)</span></li>
<li id="links"><a href="https://github.com/decalage2/oletools/wiki/olevba">olevba</a><span id="by"> by Philippe Lagadec (@decalage2)</span></li>
</br>
<li>VBA Reverse Engineering Tools</li>
<li id="links"><a href="https://github.com/Big5-sec/pcode2code">pcode2code.py - A VBA p-code decompiler</a><span id="by"> by Zilio Nicolas (@Big5_sec)</span></li>
<li id="links"><a href="https://github.com/bontchev/pcodedmp">Pcodedmp tool</a><span id="by"> by Dr. Vesselin Bontchev (@VessOnSecurity)</span></li>
<li id="links"><a href="https://github.com/decalage2/oletools/wiki/olevba">olevba</a><span id="by"> by Philippe Lagadec (@decalage2)</span></li>
</br>
<li>VBA Stomped Examples (benign - safe for experimentation/testing)</li>
<li id="links"><a href="https://github.com/clr2of8/VBAstomp">VBA Stomp Example Documents Repo </a><span id="by">by Carrie Roberts (@OrOneEqualsOne)</span></li>
</br>
<li>VBA Stomped Files from VirusTotal (malicious)</li>
<li id="links"><a href="https://www.virustotal.com/gui/file/23f7817eae61fda0a25292c4fd4f8d7e07150c657274c912776548c59e6c71f3/details">23f7817eae61fda0a25292c4fd4f8d7e07150c657274c912776548c59e6c71f3</a></li>
<li id="links"><a href="https://www.virustotal.com/gui/file/385966f3d6be7b234a790e2dfa2573f1ab1bc72e78bce73bb479a11a54784c73/details">385966f3d6be7b234a790e2dfa2573f1ab1bc72e78bce73bb479a11a54784c73</a></li>
<li id="links"><a href="https://www.virustotal.com/gui/file/6eaf0553ee112f89aca2a621ed47d4895d5f096042264479f40a19dbf599e519/details">6eaf0553ee112f89aca2a621ed47d4895d5f096042264479f40a19dbf599e519</a></li>
<li id="links"><a href="https://www.virustotal.com/gui/file/89208f961956bbbd2a8e5a87e0fec80f7653438f60cbca2dabfb621a726a566a/detection">89208f961956bbbd2a8e5a87e0fec80f7653438f60cbca2dabfb621a726a566a</a> (this one appears to have been cleaned by Qihoo 360 Anti-Virus resulting in orphaned streams)</li>
<li id="links"><a href="https://gist.github.com/JohnLaTwC/987a4758ad72b93721a6fdeff9f4e717">List of Additional VBA Stomped file hashes from VirusTotal</a><span id="by"> by John Lambert (@JohnLaTwC)</span></li>
</br>
<li>VBA Purging</li>
<li id="links"><a href="https://blog.nviso.eu/2020/02/25/evidence-of-vba-purging-found-in-malicious-documents/">Evidence of VBA Purging Found in Malicious Documents</a><span id="by"> by Didier Stevens (@DidierStevens)</span></li>
</br>
<span id="graphic">* VBA Stomp graphic courtesy of Tim MalcomVetter (@malcomvetter)</span>
</ul>
</div>
</div>
</div>
</div>
</body>
</html>