VBA purge your Office documents with OfficePurge. VBA purging removes P-code from module streams within Office documents. Documents that only contain source code and no compiled code are more likely to evade AV detection and YARA rules. Read more here.
OfficePurge supports VBA purging Microsoft Office Word (.doc), Excel (.xls), and Publisher (.pub) documents. Original and purged documents for each supported file type with a macro that will spawn calc.exe can be found in
Author: Andrew Oliveau (@AndrewOliveau)
Take the steps below to set up Visual Studio and compile the project yourself. This requires a couple of .NET libraries that can be installed from the NuGet package manager:

```
Install-Package Costura.Fody -Version 3.3.3
Install-Package OpenMcdf -Version 220.127.116.11
Install-Package Fody -Version 4.0.2
```

The following third-party libraries are used in this project.

| Library | URL | License |
| ------------- | ------------- | ------------- |
| OpenMCDF | https://github.com/ironfede/openmcdf | MPL-2.0 License |
| Fody | https://github.com/Fody/Fody | MIT License |
| Kavod.Vba.Compression | https://github.com/rossknudsen/Kavod.Vba.Compression | MIT License |
```
OfficePurge.exe -d word -f .\malicious.doc -m NewMacros
OfficePurge.exe -d excel -f .\payroll.xls -m Module1
OfficePurge.exe -d publisher -f .\donuts.pub -m ThisDocument
OfficePurge.exe -d word -f .\malicious.doc -l
```