Didier Stevens

Monday 18 April 2016

Update: decode-vbe.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 8:48

I added support for ZIP files to decode-vbe.py

Here is the man page:

Usage: decode-vbe.py [options] [file]
Decode VBE script

–version   show program’s version number and exit
-h, –help  show this help message and exit
-m, –man   Print manual


This program reads from the given file or standard input, and converts the encoded VBE script to VBS.

The provided file can be a password protected ZIP file (with password infected) containing the VBE script.

The content of the VBE script can also be passed as a literal argument. This is similar to a Here Document in Unix.
Start the argument (the “filename”) with character # to pass a literal argument.
Example: decode-vbe.py “##@~^DgAAAA==\ko$K6,JCV^GJqAQAAA==^#~@”
Result: MsgBox “Hello”

It’s also possible to use hexadecimal (prefix #h#) or base64 (prefix #b#) to pass a literal argument.
Example: decode-vbe.py #h#23407E5E4467414141413D3D5C6B6F244B362C4A437F565E474A7141514141413D3D5E237E40
Result: MsgBox “Hello”
Example: decode-vbe.py #b#I0B+XkRnQUFBQT09XGtvJEs2LEpDf1ZeR0pxQVFBQUE9PV4jfkA=
Result: MsgBox “Hello”

decode-vbe_V0_0_2.zip (https)
MD5: 35612087E2D62669E2690573FDE543F2
SHA256: 91A7465FE1F4D291751E6C5D88C51888C914B40C6F187709E33343FF121A116F


  1. Can you have a look at one file that has me wondering if it actually did something to my systems? it appears to be obfuscated somehow, and i cannot grasp the beggining of it to see what it actually does, or maybe im just paranoid, if i can send you the file, let me know how to get it to you, or the code i got from running your tool with things such as:

    “Public Function oKrwsndtBM(ParamArray hkjPqXbqyLNQse() As Variant) As Variant
    oKrwsndtBM = hkjPqXbqyLNQse
    End Function
    Private Function uIDnKdpqJ() As Long
    uIDnKdpqJ = 200
    End Function
    Public Sub TKqLix(ByVal NZXTlxukjyN As Variant, ByVal HRQXPbXLNkpbi As Variant, ByVal buRqtDvaxLp As Variant, ByVal KDTbJMqahNBRZ As Variant)
    CallByName NZXTlxukjyN, HRQXPbXLNkpbi, 1, buRqtDvaxLp, KDTbJMqahNBRZ
    End Sub
    Public Sub dVvDxBOLjIg()
    Dim hkupYumi As Variant
    Dim WeQycA As String
    Dim VjErhO As Variant, jGmHPbs As Integer
    On Error GoTo umFLtBdyo
    Set hkupYumi = ThisDocum …..

    Comment by Gery — Wednesday 20 April 2016 @ 23:04

  2. if it’s on VT, just give me the md5 hash

    Comment by Didier Stevens — Thursday 21 April 2016 @ 20:56

  3. […] Didier Stevens updated his decode-vbe python script to version 0.0.2 adding support for zip files. Update: decode-vbe.py Version 0.0.2 […]

    Pingback by Week 16 – 2016 – Thisweekin4n6 — Sunday 24 April 2016 @ 11:01

  4. […] Update: decode-vbe.py Version 0.0.2 […]

    Pingback by Overview of Content Published In April | Didier Stevens — Monday 9 May 2016 @ 0:01

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: