BadAssMacros: C# based automated Malicous Macro Generator

by do son · Published · Updated

Malicous Macro Generator

BadAssMacros

Proof of Concept tool to generate malicious macros leveraging techniques like VBA Purging and Shellcode Obfuscation to evade AV engines.

This tool takes in raw shellcode that can be generated by popular C2 frameworks like (Metasploit, Cobalt Strike, etc) and outputs a VBA macro.

The tool takes in the malicious doc/excel file ready and embedded with the generated VBA code and performs VBA purging.

Current Features

BadAssMacros features currently include:

  • Classic VBA shellcode injection.
  • Indirect VBA shellcode injection (using LoadLibrary).
  • Sandbox Detection.
  • VBA Purging.
  • Shellcode obfuscation.
  • Variable name Randomization.

Shellcode Injection Techniques

|   Name   | x32 |     x64     |

| -------- | --- | ----------- |

| Classic  | Yes | Yes         |

| Indirect | Yes | In Progress |

Detection

BadAssMacro was tested against local Antivirus solutions and online services like antiscan.me. The results of testing the same using the Indirect shellcode execution method is attached below.

 

NOTE: Please do not submit the samples to VirusTotal

Examples

  • Show Help

BadAssMacros.exe -h

  • Create VBA for classic shellcode injection from raw shellcode

BadAssMacros.exe -i <path_to_raw_shellcode_file> -w <doc/excel> -p no -s classic -c <caesar_shift_value> -o <path_to_output_file>

  • Create VBA for indirect shellcode injection from raw shellcode

BadAssMacros.exe -i <path_to_raw_shellcode_file> -w <doc/excel> -p no -s indirect -o <path_to_output_file>

  • List modules inside Doc/Excel file

BadAssMacros.exe -i <path_to_doc/excel_file> -w <doc/excel> -p yes -l

  • Purge Doc/Excel file

BadAssMacros.exe -i <path_to_doc/excel_file> -w <doc/excel> -p yes -o <path_to_output_file> -m <module_name>

Download

Tags: Malicous Macro Generator