OfficePurge

VBA purge your Office documents with OfficePurge. VBA purging removes P-code from module streams within Office documents. Documents that only contain source code and no compiled code are more likely to evade AV detection and YARA rules. Read more here: https://www.fireeye.com/blog/threat-research/2020/11/purgalicious-vba-macro-obfuscation-with-vba-purging.html

OfficePurge supports VBA purging of Microsoft Office Word (.doc), Excel (.xls), and Publisher (.pub) documents. Original and purged documents for each supported file type, with a macro that will spawn calc.exe, can be found in the sample-data folder.
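
A defender-side check for the effect described above, as an added example that is not part of OfficePurge: it scans an OLE file's directory entries for the _VBA_PROJECT stream and flags the file when that stream is no larger than its header, meaning no compiled cache is present. The 7-byte header size is taken from the MS-OVBA stream layout and is an assumption not stated on this page; make_entry() and sample() are hypothetical helpers that build constructed input.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ENTRY_SIZE = 128      # MS-CFB directory entry size
STREAM_OBJECT = 2     # MS-CFB object type value for a stream
HEADER_ONLY = 7       # assumed _VBA_PROJECT header length (MS-OVBA), cache follows
NAME = "_VBA_PROJECT".encode("utf-16-le") + b"\x00\x00"


def vba_project_sizes(data):
    """Return the declared size of every stream named _VBA_PROJECT."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sizes = []
    # Sectors are aligned, so directory entries sit on 128-byte boundaries.
    for off in range(512, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = data[off:off + ENTRY_SIZE]
        name_len, obj_type = struct.unpack_from("<HB", entry, 0x40)
        if obj_type == STREAM_OBJECT and name_len == len(NAME) and entry[:name_len] == NAME:
            # Size field at 0x78; only the low 32 bits are used in v3 files.
            sizes.append(struct.unpack_from("<I", entry, 0x78)[0])
    return sizes


def looks_purged(data):
    """True when a _VBA_PROJECT stream exists but holds no more than its header."""
    return any(size <= HEADER_ONLY for size in vba_project_sizes(data))


def make_entry(name, obj_type, size):
    """Constructed 128-byte directory entry (only the fields read above are set)."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    entry = bytearray(ENTRY_SIZE)
    entry[:len(raw)] = raw
    struct.pack_into("<HB", entry, 0x40, len(raw), obj_type)
    struct.pack_into("<Q", entry, 0x78, size)
    return bytes(entry)


def sample(vba_project_size):
    """Constructed input: OLE magic, zero-padded header, one directory sector."""
    entries = [("Root Entry", 5, 0), ("VBA", 1, 0), ("_VBA_PROJECT", 2, vba_project_size)]
    directory = b"".join(make_entry(*e) for e in entries) + bytes(ENTRY_SIZE)
    return OLE_MAGIC.ljust(512, b"\x00") + directory


if __name__ == "__main__":
    for size in (7, 2590):  # constructed sizes: header only vs. header plus cache
        print(size, "purged" if looks_purged(sample(size)) else "has compiled cache")
```

The check reads only the size declared in the directory entry, not the stream content, so treat a hit as a triage signal and confirm with a full OLE parser.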

Author: Andrew Oliveau (@AndrewOliveau)

INSTALLATION/BUILDING

Pre-Compiled

Building Yourself

Take the steps below to set up Visual Studio in order to compile the project yourself. This requires a couple of .NET libraries that can be installed from the NuGet package manager.

Libraries Used

The below 3rd party libraries are used in this project.

Library | URL | License
OpenMCDF | https://github.com/ironfede/openmcdf | MPL-2.0 License
Fody | https://github.com/Fody/Fody | MIT License
Kavod.Vba.Compression | https://github.com/rossknudsen/Kavod.Vba.Compression | MIT License

Steps to Build

ARGUMENTS/OPTIONS

EXAMPLES

REFERENCES