Hello, welcome to the Tuesday, July 14th, 2020 edition of the Sand Center Storm Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Today we've got a couple of neat insights into Visual Basic for Application Code and

obfuscation techniques to make it more difficult to, for example,

detect macros or even just the presence of macros.

Diddy took a look at one particular Excel spreadsheet that Brad discussed a couple of days

ago.

And remember how I said that it's sort of surprising how these

type of Excel spreadsheets still make it to the user. Well, a couple of these techniques

could potentially explain why some users are still receiving them. First of all, it looks like

this particular document was perched.

Now, perching means removing the performance cache from the Visual Basic for Applications

Code.

Typically, you have sort of two parts.

You have the performance cache, which essentially is sort of a compiled version of the

code, and then you have to compress source code.

And of course, as the name implies, the performance cache is supposed to make the macro run faster,

which of course isn't necessarily a big problem for an attacker, so they just remove that part of the VBA code.

DDA believes that this particular spreadsheet was created with a library called EP Plus,

which is a C-sharp library that can be used to create Excel spreadsheets.

Secondly, turned out that the code was actually password protected.

However, password protecting Visual Basic for Application spreadsheet doesn't really do much.

...