Categories: Kali Linux

Vba2Graph – Generate Call Graphs From VBA Code For Easier Analysis Of Malicious Documents

Vba2Graph is a tool for security researchers, who waste their time analyzing malicious Office macros. Generates a VBA call graph, with potential malicious keywords highlighted.

Allows for quick analysis of malicous macros, and easy understanding of the execution flow.

Vba2Graph Features

  • Keyword highlighting
  • VBA Properties support
  • External function declarion support
  • Tricky macros with “_Change” execution triggers
  • Fancy color schemes!

Pros

  • Pretty fast
  • Works well on most malicious macros observed in the wild

Cons

  • Static (dynamicaly resolved calls would not be recognized)

Also ReadBabySploit – Beginner Pentesting Toolkit/Framework Written in Python

Installation

Install oletools:

https://github.com/decalage2/oletools/wiki/Install

Install Python Requirements

pip2 install -r requirements.txt

Install Graphviz

Windows

Install Graphviz msi:

https://graphviz.gitlab.io/_pages/Download/Download_windows.html

Add “dot.exe” to PATH env variable or just:

set PATH=%PATH%;C:\Program Files (x86)\Graphviz2.38\bin

Mac

brew install graphviz

Ubuntu

sudo apt-get install graphviz

Arch

sudo pacman -S graphviz

Usage

usage: vba2graph.py [-h] [-o OUTPUT] [-c {0,1,2,3}] (-i INPUT | -f FILE)

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT, --output OUTPUT
                        output folder (default: "output")
  -c {0,1,2,3}, --colors {0,1,2,3}
                        color scheme number [0, 1, 2, 3] (default: 0 - B&W)
  -i INPUT, --input INPUT
                        olevba generated file or .bas file
  -f FILE, --file FILE  Office file with macros

Usage Examples (All Platforms)

Only Python 2 is supported:

# Generate call graph directly from an Office file with macros [tnx @doomedraven]
python2 vba2graph.py -f malicious.doc -c 2    

# Generate vba code using olevba then pipe it to vba2graph
olevba malicious.doc | python2 vba2graph.py -c 1

# Generate call graph from VBA code
python2 vba2graph.py -i vba_code.bas -o output_folder

Output

You’ll get 4 folders in your output folder:

  • png: the actual graph image you are looking for
  • svg: same graph image, just in vector graphics
  • dot: the dot file which was used to create the graph image
  • bas: the VBA functions code that was recognized by the script (for debugging)

Examples

Example 1:

Trickbot downloader – utilizes object Resize event as initial trigger, followed by TextBox_Change triggers.

Example 2:

Credit: @MalwareCantFly

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

R K

Share
Published by
R K
Tags: MaliciousVba2Graph
7 years ago

Recent Posts

How to Install Java on Ubuntu 24.04 Easily in 2026

Java remains one of the most widely used programming platforms for servers, enterprise applications, Android…

2 days ago

How to Install DEB Files on Ubuntu in 2026 (Step-by-Step Beginner Guide)

Ubuntu users often download software directly from developer websites instead of using the default app…

2 days ago

Things to Do After Installing Ubuntu 26.04 LTS for a Fast, Secure Setup

Installing Ubuntu 26.04 LTS is only the first step toward building a smooth, secure, and…

4 days ago

How to Prevent Software Supply Chain Attacks

What is a Software Supply Chain Attack? A software supply chain attack occurs when a…

1 month ago

How UDP Works and Why It Is So Fast

When people ask how UDP works, the simplest answer is this: UDP sends data quickly…

2 months ago

How EDR Killers Bypass Security Tools

Endpoint Detection and Response (EDR) solutions have become a cornerstone of modern cybersecurity, designed to…

2 months ago