SANS ISC: InfoSec Handlers Diary Blog



VBA Office Document: Which Version?

Published: 2019-05-01
Last Updated: 2019-05-01 20:37:14 UTC
by Didier Stevens (Version: 1)

In some cases, such as malicious Word documents without VBA source code, you want to know which version of Office was used to create the VBA macros, because compiled macros (VBA) don't run on all versions.

This information can be found inside the _VBA_PROJECT stream:

The 3rd and 4th bytes in this stream are a little-endian word whose value indicates the version of Office that was used to create the VBA code. This is all documented by Microsoft, except for the field values themselves.

Here is a list I compiled for different Office versions (Windows):

Office Version    32-bit    64-bit
95                0x0004    N/A
XP                0x0073    N/A
2003              0x0079    N/A
2007              0x0085    N/A
2010              0x0097    0x0097
2013              0x00A3    0x00A6
2016              0x00AF    0x00B2
2019              0x00AF    0x00B2
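
The lookup described above, as an added example (not code from the original diary entry): it reads the version word from the raw bytes of an already extracted _VBA_PROJECT stream and returns every Office build in the table that writes that value. The function names, the check of the leading 0x61CC word (taken from Microsoft's MS-OVBA specification, not from this page) and the sample headers are assumptions of the example.

```python
import struct

# Version field values from the table above (Windows builds of Office).
TABLE = [
    ("95",   0x0004, None),
    ("XP",   0x0073, None),
    ("2003", 0x0079, None),
    ("2007", 0x0085, None),
    ("2010", 0x0097, 0x0097),
    ("2013", 0x00A3, 0x00A6),
    ("2016", 0x00AF, 0x00B2),
    ("2019", 0x00AF, 0x00B2),
]

# Reverse index: one value can match several builds (e.g. 2016 and 2019).
CANDIDATES = {}
for office, v32, v64 in TABLE:
    for bits, value in (("32-bit", v32), ("64-bit", v64)):
        if value is not None:
            CANDIDATES.setdefault(value, []).append(f"Office {office} {bits}")

RESERVED1 = 0x61CC  # first word of the stream per MS-OVBA (assumption, not on this page)


def vba_project_version(stream: bytes) -> int:
    """Return the little-endian word stored in bytes 3 and 4 of _VBA_PROJECT."""
    if len(stream) < 4:
        raise ValueError("stream too short to hold a version field")
    reserved1, version = struct.unpack_from("<HH", stream, 0)
    if reserved1 != RESERVED1:
        raise ValueError(f"unexpected header word 0x{reserved1:04X}")
    return version


def identify(stream: bytes) -> list:
    """Map the version field to the Office builds that write that value."""
    return CANDIDATES.get(vba_project_version(stream), [])


if __name__ == "__main__":
    # Constructed sample headers, not taken from real documents.
    for hexdata in ("cc61af00000100ff", "cc61a600000100ff", "cc61ffff000100ff"):
        sample = bytes.fromhex(hexdata)
        version = vba_project_version(sample)
        print(f"0x{version:04X}: {identify(sample) or 'not in the table'}")
```

An empty result means the value is not in the table, which is different from a stream that fails the header check.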

If you have other info for other versions, please post a comment or submit a sample.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: maldoc vba