A new youth for macro viruses?
Recently, with a colleague were discussing how Office macros are becoming a vehicle widely used by malware distributors.
On this Github repository i have found Macroshop, a collection of python script to aid the embedding process of malware payloads into Office macros:
Generates safe for VB inclusion into an excel spreadsheet. Requires a batch file generated by Veil-Evasion powershell payloads. To include, enable the developer menu in Office, head to Visual Basic tab, double click on This_Workbook and paste the contents of the output file. Syntax is: python macro_safe.py test.bat test.txt
Generates VB code for including and unpacking a portable executable onto a file system for delivery via Office Macro. To include, enable the developer menu in Office, head to Visual Basic tab, double click on This_Workbook and paste the contents of the output file. Requires a PE. Syntax is: python exeinvba.py — exe test.exe — out test.vb — dest “C:UsersPublicDocumentstest.exe” Ensure any backslashes are escaped in the dest variable
Same as macro_safe.py, just uses powershell vice VB for architecture detection to call the correct version of powershell.
Watered down version of exeinvba.py that will output both the raw base64 string of the executable and the variable specific section of the VB. May be useful for use with different VB templates or other methods that may require an executable passed as a base64 string somewhere. Automatically stores output into base64_output.txt (raw) and base64_output.vb. Syntax is: python b64_enc.py test.exe