Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: VBE: Encoded VBS Script - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
VBE: Encoded VBS Script

A file with with extension .vbe is an encoded Visual Basic Script file. I've seen them recently used in malicious documents, like this one:

The script is encoded, you can not make much sense of it. You will need to use a tool (like this one) to decode it to .vbs, so that it becomes readable. Unfortunately, the tools I found to decode .vbe files were Windows based. So I decided to make a Python tool to decode .vbe files.

You can find decode-vbe.py here.

And I also have a YARA rule to detect VBE scripts, for example embedded in malicious office documents.

You can find my YARA rule here.

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.

DidierStevens

364 Posts
ISC Handler
You are a SAINT, Mr. Stevens!
These days I had a lot of phishing messages with .VBE attachments to handle, but no portable tool to decode them!
Since I am a seasoned Linux user, I think it's a shame to use Windoze to analyze them.
Thank you very much,
Marlon.
Anonymous

Sign Up for Free or Log In to start participating in the conversation!