Some VBA notes
- Unix (Remnux): viper.li, oletools, & Didier's tools
- Windows: Office Excel (VBE) & Visual Studio Community (VSC), officemalscanner
- Editors: scite, VS Code
- d-scan
- Vba2Graph
- ViperMonkey
- doc_extractor
- viper.li for sample management
- olevba or officemalscanner for triage
- oledump for analysis extraction
There's a feature-packed Visual Basic for Applications development environment (the VBE) built into the Office products. Excel is a good choice. You enable it in Options and then reach it from the Office ribbon: see "Enable Developer Tab on Ribbon" (MSDN).
The VBE has good syntax highlighting, inspection, and debugging. It's great for running isolated bits of code after they are defanged, but it doesn't currently offer a way to load a document and break on entry the way OllyDbg or browser debuggers do (with the 'debugger;' trick).
All current versions of Office have this support, including apparently Office Mac 2016(!). MS Office is commercial software available via retail, O365 SaaS, and enterprise licensing.
The Visual Studio IDE has full support for developing complex applications in VB, and this extends to syntax support for VBA. The VSC debugger is full featured and better in every way than the VBE, but it cannot open Office documents directly.
The Community edition of VS is now generally available for free use, with online registration required, though VS is commercial software.
Visual Studio Code is a programmer's editor and is released as free software available from MS online for major platforms.
Code has native support for Visual Basic (inherited from the VS products) that provides syntax checking and highlighting for VBA.
https://code.visualstudio.com/
Standard Linux tools and the available programming editors are good at the text manipulation useful for code analysis. Remnux ships SciTE, vim, and others.
A combination of static and dynamic analysis has been effective against the macro malcode samples seen recently:
- Triage DOC/RTF for the presence of macros (viper, olevba, officemalscanner)
- Extract the VBA code; minimal static cleanup (oledump, scite)
  $ olevba file.doc
- Isolate the string encode/decode routines & the encoded strings (scite, grep)
- Careful execution of the decoding code in Excel against those strings => network indicators (Excel)
- Further code reversing in the VBE or VSC for other features, such as file decryption (scite, Excel)
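As an added example (not part of these notes) of the "isolate the string encode/decode routines & the encoded strings" step, this Python script takes extracted VBA source, splits it into procedures, flags the ones built from the usual decode builtins, and lists long string literals for later controlled decoding. The VBA snippet inside it is constructed for the demonstration and its encoded literal does not decode to anything.

```python
import re

# Constructed sample of extracted VBA (not from a real sample): one decoding
# helper plus one encoded literal, just to exercise the scanner below.
SAMPLE_VBA = """\
Sub AutoOpen()
    Dim u As String
    u = Decode("9hiX4oa4jr5Xq", 3)
    Call Fetch(u)
End Sub

Function Decode(s As String, k As Integer) As String
    Dim i As Integer, r As String
    For i = 1 To Len(s)
        r = r & Chr(Asc(Mid(s, i, 1)) Xor k)
    Next i
    Decode = StrReverse(r)
End Function
"""

# VBA builtins that string decode routines are commonly assembled from.
DECODE_HINTS = ("Chr", "Asc", "Mid", "StrReverse", "Xor", "Split", "Replace")

# A Sub/Function header through its matching "End Sub"/"End Function".
PROC_RE = re.compile(
    r"^[ \t]*(?:Public |Private )?(Sub|Function)[ \t]+(\w+).*?^[ \t]*End \1",
    re.M | re.S)
STR_RE = re.compile(r'"((?:[^"\n]|"")*)"')  # VBA escapes a quote as ""


def split_procedures(src):
    """Return {name: body} for every Sub/Function in the extracted source."""
    return {m.group(2): m.group(0) for m in PROC_RE.finditer(src)}


def decode_hints(body):
    """Decode-related builtins a procedure uses (whole words, case-insensitive)."""
    return sorted(h for h in DECODE_HINTS
                  if re.search(r"\b%s\b" % h, body, re.I))


def triage(src, min_hints=2, min_len=8):
    """Flag likely decode routines and collect string literals worth decoding."""
    report = {"decoders": [], "strings": []}
    for name, body in split_procedures(src).items():
        hints = decode_hints(body)
        if len(hints) >= min_hints:
            report["decoders"].append((name, hints))
        for s in STR_RE.findall(body):
            if len(s) >= min_len:
                report["strings"].append((name, s))
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_VBA)
    for name, hints in r["decoders"]:
        print("decode routine: %s uses %s" % (name, ", ".join(hints)))
    for name, s in r["strings"]:
        print("candidate encoded string in %s: %r" % (name, s))
```

Feed it the output of olevba or oledump instead of the embedded sample; the flagged routine and its literals are what you then carry into Excel for defanged execution.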