VBE: Encoded VBS Script

A file with with extension .vbe is an encoded Visual Basic Script file. I've seen them recently used in malicious documents, like this one:

The script is encoded, you can not make much sense of it. You will need to use a tool (like this one) to decode it to .vbs, so that it becomes readable. Unfortunately, the tools I found to decode .vbe files were Windows based. So I decided to make a Python tool to decode .vbe files.

You can find decode-vbe.py here.

And I also have a YARA rule to detect VBE scripts, for example embedded in malicious office documents.

You can find my YARA rule here.

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.


677 Posts
ISC Handler
Mar 29th 2016
You are a SAINT, Mr. Stevens!
These days I had a lot of phishing messages with .VBE attachments to handle, but no portable tool to decode them!
Since I am a seasoned Linux user, I think it's a shame to use Windoze to analyze them.
Thank you very much,

Sign Up for Free or Log In to start participating in the conversation!