Macro Pack: automatize obfuscation & generation of MS Office documents
macro_pack is a tool used to automate the obfuscation and generation of MS Office documents for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify bypassing antimalware solutions and to automate the process from VBA generation to final Office document generation.
It is very simple to use:
- No configuration
- Everything can be done using a single line of code
- Generation of Word, Excel, and PowerPoint documents
- Advanced VBA macro attacks as well as DDE attacks
The tool is compatible with payloads generated by popular pentest tools (Metasploit, Empire, …). It is also easy to combine with other tools, as it can read input from stdin and produce quiet output for another tool. The tool is written in Python 3 and works on both Linux and Windows platforms.
Note: A Windows platform with genuine MS Office installed is required for automatic Office document generation and for the trojan features.
The tool will use various obfuscation techniques, all automatic. Basic obfuscation (-o option) includes:
- Renaming functions
- Renaming variables
- Removing spaces
- Removing comments
- Encoding Strings
Note that the main goal of macro_pack obfuscation is not to prevent reverse engineering but to prevent antivirus detection.
Macro Pack can generate several kinds of MS Office documents and text formats. The format is guessed automatically from the given file extension. File generation is done using the option --generate or -G.
Supported formats are:
- MS Word 97 (.doc)
- MS Word (.docm, .docx)
- MS Excel 97 (.xls)
- MS Excel (.xlsm)
- MS PowerPoint (.pptm)
- VBA text file (.vba)
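For defenders triaging documents in the formats listed above, the following added example (not part of macro_pack or its author's code) inspects a file's container and reports macro-related parts. The function names `macro_triage` and `build_sample` are hypothetical, and the sample files are constructed in memory; for legacy OLE2 files (.doc, .xls) it only identifies the container.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of legacy .doc/.xls files

def macro_triage(data: bytes) -> dict:
    """Report container type and macro-related parts of an Office file."""
    result = {"container": "unknown", "vba_parts": [], "macro_content_type": False}
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: listing VBA streams needs an OLE2 parser.
        result["container"] = "ole2"
        return result
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return result
    with zipfile.ZipFile(buf) as zf:
        names = zf.namelist()
        result["container"] = "ooxml" if "[Content_Types].xml" in names else "zip"
        # The VBA project is stored as a binary part, e.g. word/vbaProject.bin.
        result["vba_parts"] = sorted(
            n for n in names if n.lower().endswith("vbaproject.bin"))
        if result["container"] == "ooxml":
            types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_content_type"] = "macroenabled" in types.lower()
    return result

def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-like zip, not a real document."""
    kind = "vnd.ms-word.document.macroEnabled.main+xml" if with_macro else \
        "vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" '
                    f'ContentType="application/{kind}"/></Types>')
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()

if __name__ == "__main__":
    for label, blob in (("macro", build_sample(True)), ("clean", build_sample(False)),
                        ("legacy", OLE2_MAGIC + b"\x00" * 504)):
        print(label, macro_triage(blob))
```

A file whose extension claims a macro-free format but which reports `vba_parts` or `macro_content_type` deserves closer inspection.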
The macro_pack tool shall only be used by pentesters, security researchers, or other people with learning purposes. I condemn all use of security tools for unethical actions (whether these are legal or illegal). I know this will not prevent usage by malicious people, and that is why not all features are publicly released.
About pro mode…
You may notice that not all parts of macro_pack are available. Only the community version is available online. I fear the features in the pro version are really too much “weaponizing” the process and I do not want it available to all script kiddies out there. The pro mode includes features such as:
- Advanced antimalware bypass
- VBOM security bypass
- Self-decoding VBA
- MS Office persistence
- Trojan existing MS Office documents
- Anti-debug using http://seclists.org/fulldisclosure/2017/Mar/90
- Add .inf support
- Add other MS shortcut support
- Add Word, Excel, PPT template support
- Add webdav server
- Bug corrections
Run Windows binary
- Get the latest binary from https://github.com/sevagas/macro_pack/releases/
- Download the binary onto a PC with genuine Microsoft Office installed.
- Open a console, cd to the binary directory and call the binary, simple as that!
Install from sources
Download and install dependencies:
git clone https://github.com/sevagas/macro_pack.git
cd macro_pack
pip3 install -r requirements.txt
Note: On Windows, you also need to manually download pywin32 from https://sourceforge.net/projects/pywin32/files/pywin32/
The tool is written in Python 3, so start it with your python3 install. For example:
python3 macro_pack.py --help
python macro_pack.py --help # if python3 is the default install
If you want to produce a standalone exe using pyinstaller, double-click on the “build.bat” script on a Windows machine. The resulting macro_pack.exe will be inside the bin directory.
Copyright 2017,2018 Emeric “Sio” Nasi (blog.sevagas.com)