Original Work
by Dr. Vesselin Bontchev (@VessOnSecurity)
Pcodedmp tool
Walmart Blog Posts
by Harold Ogden (@haroldogden), Kirk Sayre (@bigmacjpg) and Carrie Roberts (@OrOneEqualsOne)
MS Office File Formats - Advanced Malicious Document (Maldoc) Techniques
Evasive VBA - Advanced Maldoc Techniques
VBA Stomping – Advanced Maldoc Techniques
VBA Project Locked; Project is Unviewable
DerbyCon 2018 Presentation
by Harold Ogden (@haroldogden), Kirk Sayre (@bigmacjpg) and Carrie Roberts (@OrOneEqualsOne)
VBA Stomping: Advanced Malicious Document Techniques
Slides
Video of Presentation
Troopers 2019 Presentation
by Stan Hegt (@StanHacked) and Pieter Ceelen (@ptrpieter)
MS Office File Format Sorcery
Slides
Video of Presentation
Sp4rkcon 2019 Presentation
by Kirk Sayre (@bigmacjpg) and Carrie Roberts (@OrOneEqualsOne)
Advanced Malware VBA Stomping: What's New in 2019
Slides
Video of Presentation
Black Hat Europe 2019 Presentation
by Philippe Lagadec (@decalage2)
Advanced VBA Macros Attack & Defence
Slides
ISC Blogs
by Didier Stevens (@DidierStevens)
Malicious VBA Office Document Without Source Code
VBA and P-code
FireEye Blog Posts
STOMP 2 DIS: Brilliance in the (Visual) Basics
by Rick Cole, Andrew Moore, Genevieve Stark, Blaine Stancill
Tools to Create VBA Stomped Documents
EvilClippy
by Stan Hegt (@StanHacked)
see here for prebuilt executables
Adaptive Document Builder
by Harold Ogden (@haroldogden) and Kirk Sayre (@bigmacjpg)
VBA Stomp Detection
Yara Rule to Detect Unusual Zip Header
by Carrie Roberts (@OrOneEqualsOne)
VBASeismograph: Script to Detect VBA <-> P-code Mismatch
by Kirk Sayre (@bigmacjpg)
olevba
by Philippe Lagadec (@decalage2)
VBA Reverse Engineering Tools
pcode2code.py - A VBA p-code decompiler
by Zilio Nicolas (@Big5_sec)
Pcodedmp tool
by Dr. Vesselin Bontchev (@VessOnSecurity)
olevba
by Philippe Lagadec (@decalage2)
VBA Stomped Examples (benign - safe for experimentation/testing)
VBA Stomp Example Documents Repo
by Carrie Roberts (@OrOneEqualsOne)
VBA Stomped Files from VirusTotal (malicious)
23f7817eae61fda0a25292c4fd4f8d7e07150c657274c912776548c59e6c71f3
385966f3d6be7b234a790e2dfa2573f1ab1bc72e78bce73bb479a11a54784c73
6eaf0553ee112f89aca2a621ed47d4895d5f096042264479f40a19dbf599e519
89208f961956bbbd2a8e5a87e0fec80f7653438f60cbca2dabfb621a726a566a
(this one appears to have been cleaned by Qihoo 360 Anti-Virus resulting in orphaned streams)
List of Additional VBA Stomped file hashes from VirusTotal
by John Lambert (@JohnLaTwC)
* VBA Stomp graphic courtesy of Tim MalcomVetter (@malcomvetter)