A file with the extension .vbe is an encoded Visual Basic Script file. I've seen them recently used in malicious documents, like this one:
The script is encoded, so you cannot make much sense of it. You will need to use a tool (like this one) to decode it to .vbs, so that it becomes readable. Unfortunately, the tools I found to decode .vbe files were Windows-based. So I decided to make a Python tool to decode .vbe files.
You can find decode-vbe.py here.
And I also have a YARA rule to detect VBE scripts, for example embedded in malicious office documents.
You can find my YARA rule here.
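To show what detecting an embedded VBE script involves, here is an added Python example; it is not decode-vbe.py and not the YARA rule mentioned above. It locates encoded-script blocks in raw bytes and reports their offsets so they can be carved out and passed to a decoder. The block layout it relies on (the `#@~^` and `^#~@` markers around a base64 length field, the encoded body and a base64 checksum field) is an assumption taken from public descriptions of the format, not from this page, and the sample buffer is constructed.

```python
import base64
import re
import struct

# Assumed block layout (from public descriptions of the encoded-script format,
# not from this page): "#@~^" + 8 base64 chars holding a little-endian 32-bit
# length + encoded body + 8 base64 chars of checksum + "^#~@".
B64_FIELD = rb'[A-Za-z0-9+/]{6}=='
VBE_BLOCK = re.compile(
    rb'#@~\^(' + B64_FIELD + rb')(.+?)(' + B64_FIELD + rb')\^#~@', re.DOTALL)


def find_vbe_blocks(data):
    """Locate encoded-script blocks in raw bytes (e.g. a document's contents)."""
    blocks = []
    for m in VBE_BLOCK.finditer(data):
        declared = struct.unpack('<I', base64.b64decode(m.group(1)))[0]
        body = m.group(2)
        blocks.append({
            'offset': m.start(),            # where the block starts in the file
            'declared_len': declared,       # value of the length field
            'body_len': len(body),          # bytes actually present
            'length_ok': declared == len(body),
            'raw': m.group(0),              # full block, ready for a decoder
        })
    return blocks


def make_sample_block(body, declared=None):
    """Build a constructed block; body is placeholder bytes, not a real script."""
    size = len(body) if declared is None else declared
    length = base64.b64encode(struct.pack('<I', size))
    checksum = base64.b64encode(struct.pack('<I', 0))  # dummy checksum field
    return b'#@~^' + length + body + checksum + b'^#~@'


# Constructed sample: filler bytes, a well-formed block, a stray start marker,
# and a block whose length field does not match its body.
SAMPLE = (b'\xd0\xcf\x11\xe0 filler ' + make_sample_block(b'placeholder-body-1')
          + b' #@~^ stray start marker only '
          + make_sample_block(b'placeholder-body-2', declared=999) + b' trailer')

if __name__ == '__main__':
    for block in find_vbe_blocks(SAMPLE):
        print('offset=%d declared=%d actual=%d ok=%s' % (
            block['offset'], block['declared_len'],
            block['body_len'], block['length_ok']))
```

Under the assumed layout, a block whose length field disagrees with the bytes present is worth a closer look: it may be truncated or a chance match on the markers.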
Mar 29th 2016
4 years ago
You are a SAINT, Mr. Stevens!
These days I had a lot of phishing messages with .VBE attachments to handle, but no portable tool to decode them!
Since I am a seasoned Linux user, I think it's a shame to use Windoze to analyze them.
Thank you very much,
Mar 30th 2016
3 years ago