ViperMonkey is a Python project that includes a VBA macro parser, a VBA emulation engine and a set of tools for malicious macro analysis. I have mentioned it several times since early 2015 [SSTIC, MISC], but only recently has it reached the point where it can be used in practice. Indeed, emulating VBA macro execution and all the features of MS Office, ActiveX objects and DLLs used by malicious macros is extremely complex. ViperMonkey is still very, very far from implementing all those features, and it is not yet able to handle most real-life macros. However, in some cases it can be a great help in deobfuscating macros automatically for malware analysis. I decided to release it publicly on GitHub so that malware analysts can start using it and contribute to its development.