• Original Work by Dr. Vesselin Bontchev (@VessOnSecurity)
  • Pcodedmp tool

• Walmart Blog Posts by Harold Ogden (@haroldogden), Kirk Sayre (@bigmacjpg) and Carrie Roberts (@OrOneEqualsOne)
  • MS Office File Formats - Advanced Malicious Document (Maldoc) Techniques
  • Evasive VBA - Advanced Maldoc Techniques
  • VBA Stomping – Advanced Maldoc Techniques
  • VBA Project Locked; Project is Unviewable

• DerbyCon 2018 Presentation by Harold Ogden (@haroldogden), Kirk Sayre (@bigmacjpg) and Carrie Roberts (@OrOneEqualsOne)
  • VBA Stomping: Advanced Malicious Document Techniques Slides
  • Video of Presentation

• Troopers 2019 Presentation by Stan Hegt (@StanHacked) and Pieter Ceelen (@ptrpieter)
  • MS Office File Format Sorcery Slides
  • Video of Presentation

• Sp4rkcon 2019 Presentation by Kirk Sayre (@bigmacjpg) and Carrie Roberts (@OrOneEqualsOne)
  • Advanced Malware VBA Stomping: What's New in 2019 Slides
  • Video of Presentation

• Black Hat Europe 2019 Presentation by Philippe Lagadec (@decalage2)
  • Advanced VBA Macros Attack & Defence Slides

• ISC Blogs by Didier Stevens (@DidierStevens)
  • Malicious VBA Office Document Without Source Code
  • VBA and P-code

• FireEye Blog Posts
  • STOMP 2 DIS: Brilliance in the (Visual) Basics by Rick Cole, Andrew Moore, Genevieve Stark, Blaine Stancill

• Tools to Create VBA Stomped Documents
  • EvilClippy by Stan Hegt (@StanHacked); see here for prebuilt executables
  • Adaptive Document Builder by Harold Ogden (@haroldogden) and Kirk Sayre (@bigmacjpg)

• VBA Stomp Detection
  • Yara Rule to Detect Unusual Zip Header by Carrie Roberts (@OrOneEqualsOne)
  • VBASeismograph: Script to Detect VBA <-> P-code Mismatch by Kirk Sayre (@bigmacjpg)
  • olevba by Philippe Lagadec (@decalage2)

• VBA Reverse Engineering Tools
  • pcode2code.py - A VBA p-code decompiler by Zilio Nicolas (@Big5_sec)
  • Pcodedmp tool by Dr. Vesselin Bontchev (@VessOnSecurity)
  • olevba by Philippe Lagadec (@decalage2)

• VBA Stomped Examples (benign - safe for experimentation/testing)
  • VBA Stomp Example Documents Repo by Carrie Roberts (@OrOneEqualsOne)

• VBA Stomped Files from VirusTotal (malicious)
  • 23f7817eae61fda0a25292c4fd4f8d7e07150c657274c912776548c59e6c71f3
  • 385966f3d6be7b234a790e2dfa2573f1ab1bc72e78bce73bb479a11a54784c73
  • 6eaf0553ee112f89aca2a621ed47d4895d5f096042264479f40a19dbf599e519
  • 89208f961956bbbd2a8e5a87e0fec80f7653438f60cbca2dabfb621a726a566a (this one appears to have been cleaned by Qihoo 360 Anti-Virus, resulting in orphaned streams)
  • List of Additional VBA Stomped file hashes from VirusTotal by John Lambert (@JohnLaTwC)

* VBA Stomp graphic courtesy of Tim MalcomVetter (@malcomvetter)