VBA Stomping

VBA Stomping refers to destroying the VBA source code in an office document, leaving only the compiled/p-code of the document.

As long as the p-code is compatible with the current VBA version on the system, it will get executed. The p-code is n, what gets displayed in the macro editor, is not the decompressed VBA source, but the decompiled p-code.

We can do this with EvilClippy like so:

EvilClippy.exe -s fakecode.vba -t 2016x86 macrofile.doc

VBA Stomping — Advanced Maldoc TechniquesMedium

GitHub - outflanknl/EvilClippy: A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows.GitHub