Didier Stevens

Tuesday 7 July 2020

Tampering With Digitally Signed VBA Projects

Filed under: maldoc — Didier Stevens @ 0:00

As I explained in blog post VBA Purging, VBA code contained in Module Streams is made up of compiled code (PerformanceCache) and source code (CompressedSourceCode).

If you alter the compiled code (PerformanceCache) properly and leave the source code (CompressedSourceCode) of a signed VBA project untouched, you can change the behavior of a signed document without invalidating the signature. That’s because the code signing algorithm for VBA projects does not take the PerformanceCache into account.

Details in my NVISO blog post: Tampering with Digitally Signed VBA Projects

 

1 Comment »

  1. […] Tampering With Digitally Signed VBA Projects […]

    Pingback by Week 28 – 2020 – This Week In 4n6 — Sunday 12 July 2020 @ 12:59


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.