VBE: Encoded VBS Script

Published: 2016-03-29. Last Updated: 2016-03-29 19:15:45 UTC
by Didier Stevens (Version: 1)
1 comment(s)

A file with with extension .vbe is an encoded Visual Basic Script file. I've seen them recently used in malicious documents, like this one:

The script is encoded, you can not make much sense of it. You will need to use a tool (like this one) to decode it to .vbs, so that it becomes readable. Unfortunately, the tools I found to decode .vbe files were Windows based. So I decided to make a Python tool to decode .vbe files.

You can find decode-vbe.py here.

And I also have a YARA rule to detect VBE scripts, for example embedded in malicious office documents.

You can find my YARA rule here.

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.

Keywords: maldoc VBE
1 comment(s)

Comments

You are a SAINT, Mr. Stevens!
These days I had a lot of phishing messages with .VBE attachments to handle, but no portable tool to decode them!
Since I am a seasoned Linux user, I think it's a shame to use Windoze to analyze them.
Thank you very much,
Marlon.

Anonymous

Mar 30th 2016
9 years ago

Login here to join the discussion.


Top of page
Diary Archives