ViperMonkey, VBA parser and emulation engine to analyze malicious macros
An experimental but useful project
ViperMonkey is a toolkit written in Python by Philippe Lagadec, developed to parse VBA macros and emulate their execution.
ViperMonkey acts as a VBA Emulation engine, and tries to analyze and deobfuscate malicious VBA Macros contained in Microsoft Office files (Word, Excel, PowerPoint, Publisher, etc).
Is an experimental project, as says the disclaimer:
- ViperMonkey is a very incomplete and experimental VBA Engine. For now it will NOT handle most real-life macros without errors.
- VBA parsing and emulation is extremely slow for now.
- VBA Emulation is hard and complex, because of all the features of the VBA language, of Microsoft Office applications, and all the DLLs and ActiveX objects that can be called from VBA.
- This open-source project is only developed on my scarce spare time, so do not expect miracles. Any help from you will be very appreciated!
Installation
- Download the archive from the repository: https://github.com/decalage2/ViperMonkey/archive/master.zip and extract it.
- (Linux/Mac) Install dependencies by running
sudo -H pip install -U -r requirements.txt
- (Windows) Install dependencies by running
pip install -U -r requirements.txt
- Run ViberMonkey with
python vmonkey.py <file>
For more information and usage examples, refer to this article on Delage.Info:
[embed]http://decalage.info/vba_emulation[/embed]
Links
[embed]http://decalage.info/vba_emulation[/embed]
[embed]http://decalage.info/vba_emulation[/embed]