|
A file with with extension .vbe is an encoded Visual Basic Script file. I've seen them recently used in malicious documents, like this one:
The script is encoded, you can not make much sense of it. You will need to use a tool (like this one) to decode it to .vbs, so that it becomes readable. Unfortunately, the tools I found to decode .vbe files were Windows based. So I decided to make a Python tool to decode .vbe files.
You can find decode-vbe.py here. And I also have a YARA rule to detect VBE scripts, for example embedded in malicious office documents.
You can find my YARA rule here. Didier Stevens |
DidierStevens 638 Posts ISC Handler Mar 29th 2016 |
| Thread locked Subscribe |
Mar 29th 2016 6 years ago |
|
You are a SAINT, Mr. Stevens!
These days I had a lot of phishing messages with .VBE attachments to handle, but no portable tool to decode them! Since I am a seasoned Linux user, I think it's a shame to use Windoze to analyze them. Thank you very much, Marlon. |
Anonymous |
| Quote |
Mar 30th 2016 6 years ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
