SANS Tool Now Analyzes Compressed VBA Code in Microsoft Access Files for Malware Hunting
SANS handler Didier Stevens updated his search-for-compression.py tool to detect and extract ZLIB-compressed VBA code from Microsoft Access database files, aiding forensic analysis of the undocumented binary format.

SANS Internet Storm Center handler Didier Stevens has released an update to his search-for-compression.py tool, adding support for analyzing compressed VBA code inside Microsoft Access database files. Access files use a proprietary binary format with no public specification, so they cannot be examined with tools like oledump.py, which parse OLE containers (and the OLE streams embedded in OOXML documents). The new feature closes a gap in forensic analysis and malware hunting: an Access database can carry VBA macros, but because that code is not stored as an OLE stream, macro-oriented tooling built around the OLE format never sees it.
The update introduces the `-t` option, which identifies ZLIB-compressed VBA streams within Access files. According to Stevens' diary entry, the tool can detect three types of compressed entries: two that decompress to binary data resembling the dir stream of an OLE VBA project, which holds the project's properties, references, and module list; and a third that starts with ASCII data ("Attribut", the beginning of the `Attribute VB_Name` line that opens every VBA module) and is the actual VBA source code. Users can dump these streams for further analysis.
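The general technique behind this kind of tool, carving ZLIB streams out of an undocumented binary file and sorting them by what they decompress to, is short enough to show end to end. The following is an added example written for this page; it is not search-for-compression.py or any other code by Stevens, and it does not parse the Access format itself. The sample blob `SAMPLE` is constructed inline: filler bytes around two compressed streams, one shaped like the first records of an MS-OVBA dir stream (PROJECTSYSKIND and PROJECTLCID, record ids 0x0001 and 0x0002) and one containing VBA module source. The function names and the `min_size` threshold are this example's own choices.

```python
import zlib

# Constructed sample input, not an actual Access database.
VBA_SOURCE = (
    b'Attribute VB_Name = "Module1"\r\n'
    b'Sub AutoExec()\r\n'
    b'    MsgBox "hello"\r\n'
    b'End Sub\r\n'
)
# Two MS-OVBA-style records: PROJECTSYSKIND (id 1, size 4, value 3 = 64-bit Windows)
# followed by PROJECTLCID (id 2, size 4, value 0x0409). Enough to look "dir-like".
DIR_LIKE = (
    b"\x01\x00" + b"\x04\x00\x00\x00" + b"\x03\x00\x00\x00"
    + b"\x02\x00" + b"\x04\x00\x00\x00" + b"\x09\x04\x00\x00"
)
SAMPLE = (
    b"\x00" * 64
    + zlib.compress(DIR_LIKE)
    + b"JUNK" * 8
    + zlib.compress(VBA_SOURCE)
    + b"\xff" * 32
)


def find_zlib_streams(data, min_size=8):
    """Return a list of (offset, decompressed_bytes, compressed_length) for every
    complete ZLIB stream found in data, scanning byte by byte.

    A candidate is any byte pair that forms a valid ZLIB header: CMF 0x78 (DEFLATE,
    32 KiB window, what zlib itself emits) and FLG such that CMF*256+FLG is a
    multiple of 31. The candidate is accepted only if inflation reaches end-of-stream,
    which rules out most accidental header-like byte pairs.
    """
    results = []
    offset = 0
    while offset < len(data) - 1:
        cmf, flg = data[offset], data[offset + 1]
        if cmf == 0x78 and (cmf * 256 + flg) % 31 == 0:
            d = zlib.decompressobj()
            try:
                out = d.decompress(data[offset:])
                if d.eof and len(out) >= min_size:
                    # unused_data is whatever followed the stream's Adler-32 trailer.
                    consumed = len(data) - offset - len(d.unused_data)
                    results.append((offset, out, consumed))
                    offset += consumed  # skip past the stream; its body can't start another
                    continue
            except zlib.error:
                pass  # looked like a header, was not a stream
        offset += 1
    return results


def classify(decompressed):
    """Sort a decompressed stream the way the diary entry distinguishes them:
    VBA source starts with ASCII 'Attribut'; the dir-like entries are binary and,
    in MS-OVBA, open with the PROJECTSYSKIND record id 0x0001."""
    if decompressed.startswith(b"Attribut"):
        return "vba-source"
    if decompressed[:2] == b"\x01\x00":
        return "dir-like"
    return "other"


def extract_vba_modules(data):
    """Return the decoded source of every VBA module stream found in data."""
    return [
        out.decode("latin-1")
        for _, out, _ in find_zlib_streams(data)
        if classify(out) == "vba-source"
    ]


if __name__ == "__main__":
    for offset, out, length in find_zlib_streams(SAMPLE):
        print(f"0x{offset:08x} {length:5d} compressed -> {len(out):5d} bytes, {classify(out)}")
    for source in extract_vba_modules(SAMPLE):
        print(source)
```

Two caveats a practitioner should keep in mind: the scan re-inflates from each candidate header, so on large files it is quadratic in the worst case and a real tool would bound the inflation; and the `0x78` check only catches streams written with a 32 KiB window, which is what the zlib library emits by default but not the only legal CMF value.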
Stevens demonstrated the tool on a newly created, empty database, noting that real-world samples are more complex. He plans to cover additional examples in a future diary entry. The tool is available on his blog at DidierStevens.com under a Creative Commons license.
The development matters for cybersecurity professionals who encounter Microsoft Access files in incident response or malware analysis. An Access database can carry a VBA payload just as a Word or Excel document can, yet the format receives far less scrutiny and existing macro extractors do not read it. By enabling extraction of compressed VBA code, search-for-compression.py gives analysts a way to uncover macros that would otherwise stay hidden in these files.
This update builds on the tool's existing functionality for searching binary files for ZLIB-compressed data. Stevens, a well-known contributor to the security community with tools like oledump.py and pdf-parser.py, continues to address gaps in forensic tooling. The release underscores the ongoing challenge of analyzing proprietary file formats that lack public documentation.
For analysts, the tool offers a practical way to inspect Access files without reverse-engineering the binary format from scratch. As VBA remains a common vector for malware delivery, tools that extend coverage to less common file types are valuable for comprehensive threat hunting. The SANS ISC diary entry is the initial announcement; more technical details are expected in subsequent posts.