title: VBA Stomping (T1564.007)
id: df00tech-t1564-007
status: experimental
description: "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded in MS Office documents by overwriting the VBA source code in the module stream with null bytes, benign code, or random data while leaving the previously compiled malicious p-code intact in the PerformanceCache. When the Office application version encoded in the _VBA_PROJECT stream matches the host Office version, the malicious p-code executes directly, so static scanners that examine only the decompressed source code stream see benign or empty code and may report that no macros are present. Tools such as Evil Clippy automate the stomping process. Because the technique defeats source-code-level analysis, detection relies primarily on behavioral indicators: Office applications spawning unexpected child processes, making suspicious outbound network connections, or writing unusual files to disk. These runtime behaviors are the same as those of conventional macro malware; the difference is that the stomped payload is invisible to many automated pre-execution scanning tools."
references:
  - https://attack.mitre.org/techniques/T1564/007/
  - https://df00tech.com/detections/T1564.007
author: df00tech
date: 2026/03/12
tags:
  - attack.t1564.007
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Finance and accounting teams using Excel macros that invoke cmd.exe or PowerShell for data export pipelines, FTP uploads, or ERP system automation"
  - "IT-managed Excel workbooks that launch PowerShell for SCCM inventory collection, compliance reporting, or system configuration checks"
  - "Developer workstations where Office VBA macros automate build, test, or deployment tasks by spawning scripts"
  - "Helpdesk support tooling that uses Word or Excel macros to launch remote assistance utilities or system diagnostic scripts"
level: high

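The behavioral indicator the description relies on (an Office application spawning cmd.exe or PowerShell) expressed as a check over process_creation events, with suppression for the IT-managed workbooks listed under falsepositives. This is an added example, not df00tech's rule or the KQL/SPL query it refers to; the sample events, field names (Sysmon-style) and the allowlisted document paths are constructed for the example.

```python
from pathlib import PureWindowsPath

# Office parents and shell children named in the description and falsepositives.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed allowlist of IT-managed workbooks whose macros legitimately
# shell out (finance ERP export, SCCM inventory). Matched on the parent's
# command line so an unrelated document cannot borrow the exception.
KNOWN_WORKBOOKS = {
    r"\\fileserver\finance\erp_export.xlsm",
    r"c:\sccm\inventory.xlsm",
}


def is_office_shell_spawn(event: dict) -> bool:
    """True when an Office application starts a shell or script interpreter."""
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    child = PureWindowsPath(event.get("Image", "")).name.lower()
    return parent in OFFICE_PARENTS and child in SHELL_CHILDREN


def is_allowlisted(event: dict) -> bool:
    """Suppress the known-good workbooks described under falsepositives."""
    cmdline = event.get("ParentCommandLine", "").lower()
    return any(doc in cmdline for doc in KNOWN_WORKBOOKS)


def evaluate(events: list) -> list:
    """Return only the events that should raise an alert."""
    return [e for e in events if is_office_shell_spawn(e) and not is_allowlisted(e)]


# Constructed sample process_creation events: one stomped-document hit,
# one allowlisted finance workbook, one unrelated shell launch.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentCommandLine": r'"WINWORD.EXE" /n "C:\Users\bob\Downloads\invoice.docm"',
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c type readme.txt"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentCommandLine": r'"EXCEL.EXE" "\\fileserver\finance\erp_export.xlsm"',
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File export.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["CommandLine"])
```

The check deliberately says nothing about the document's VBA streams: once the p-code has run, the parent/child relationship is the only signal left for a process_creation rule, which is why the falsepositives above are all about tuning that relationship rather than inspecting the macro.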