MacroRaptor – Tool to Scan for Malicious VBA Macros

MacroRaptor is a tool designed to detect most malicious VBA Macros using generic heuristics. Unlike antivirus engines, it does not rely on signatures.

VBA macros in MS Office files have been used since 1995 to deliver malware, One of the famous macro virus was Melissa that appeared in March 1999. The virus infected at least one hundred thousand computers around the world at that time, affected the work of hundreds of companies, causing damage to the economy with about 80 million USD in the United States.

MacroRaptor - Tool to Scan for Malicious VBA Macros
MacroRaptor – Tool to Scan for Malicious VBA Macros

In a nutshell, MacroRaptor detects keywords corresponding to the three following types of behavior that are present in clear text in almost any macro malware:

  • A: Auto-execution trigger
  • W: Write to the file system or memory
  • X: Execute a file or any payload outside the VBA context

mraptor considers that a macro is suspicious when A and (W or X) is true.

Based on the research and analysis MacroRaptor will allow to detect all samples tested and it will generate less false positives because it make focus on the behavior to detect macros that run automatically and write to disk or use CreateObject.

You can read more and download this tool over here: https://github.com/decalage2/oletools/wiki/mraptor

Share
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments