Didier Stevens

Monday 22 June 2020

VBA Purging

Filed under: maldoc — Didier Stevens @ 0:00

VBA code contained in Module Streams is made up of compiled code (PerformanceCache) and source code (CompressedSourceCode).

VBA stomping consist in altering or suppressing CompressedSourceCode and leaving the PerformanceCache unchanged:

As you can imagine, it must also be possible to change the PerformanceCache and leaving CompressedSourceCode unchanged:

Suppressing the PerformanceCache is a technique that I call VBA Purging:

More details can be found in a blog post I wrote here.


  1. If a word document with macros were automatically generated with C# Word Interop, would it still have PerformanceCache?

    Comment by Holden — Sunday 28 June 2020 @ 17:46

  2. Interesting question. If it gets executed, I’m sure it will contain PerformanceCache. If not, I’m guessing it won’t. Test it out and let us know!

    Comment by Didier Stevens — Monday 29 June 2020 @ 18:41

  3. I tried it. There was still PerformanceCache but kind of hard to know how much useful information it has compared to doing it manually. Nonetheless, it can still be purged.

    Comment by Holden — Tuesday 30 June 2020 @ 15:01

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.