1. Home
  2. Techniques
  3. Enterprise
  4. Hide Artifacts
  5. VBA Stomping

Hide Artifacts: VBA Stomping

ID Name
T1564.001 Hidden Files and Directories
T1564.002 Hidden Users
T1564.003 Hidden Window
T1564.004 NTFS File Attributes
T1564.005 Hidden File System
T1564.006 Run Virtual Instance
T1564.007 VBA Stomping
T1564.008 Email Hiding Rules
T1564.009 Resource Forking
T1564.010 Process Argument Spoofing
T1564.011 Ignore Process Interrupts
T1564.012 File/Path Exclusions
T1564.013 Bind Mounts
T1564.014 Extended Attributes

Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.[1]

MS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.[2][3]

An adversary may hide malicious VBA code by overwriting the VBA source code location with zero’s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.[4][1][5]

ID: T1564.007
Sub-technique of:  T1564
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Rick Cole, Mandiant
Version: 1.2
Created: 17 September 2020
Last Modified: 24 October 2025
Version Permalink

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Turn off or restrict access to unneeded VB components.[6]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0012 Detection Strategy for VBA Stomping AN0034

Discrepancies between VBA source code and p-code inside Office documents. Defender perspective: anomalies in file metadata streams, execution of Office processes loading macros without source code consistency, and script execution with no corresponding source metadata.
AN0035

Execution of Wine or LibreOffice macros with inconsistent VBA metadata. Defender perspective: file analysis showing p-code embedded without matching source streams.
AN0036

Opening of Office files where VBA source code appears benign or missing, but p-code remains active. Defender perspective: process execution of Office apps with macro execution lacking visible source components.

References

  1. Cole, R., Moore, A., Stark, G., Stancill, B. (2020, February 5). STOMP 2 DIS: Brilliance in the (Visual) Basics. Retrieved September 17, 2020.
  2. Hegt, S. (2019, May 5). Evil Clippy: MS Office maldoc assistant. Retrieved September 17, 2020.
  3. Microsoft. (2020, February 19). 2.3.4.1 _VBA_PROJECT Stream: Version Dependent Project Information. Retrieved September 18, 2020.
  1. Sayre, K., Ogden, H., Roberts, C. (2018, October 10). VBA Stomping — Advanced Maldoc Techniques. Retrieved September 17, 2020.
  2. Bontchev, V. (2019, July 30). pcodedmp.py - A VBA p-code disassembler. Retrieved September 17, 2020.
  3. Microsoft. (2020, January 23). How to turn off Visual Basic for Applications when you deploy Office. Retrieved September 17, 2020.