VBad: VBA Obfuscation Tools combined with an MS office document generator

by do son · Published · Updated

VBad is fully customizable VBA Obfuscation Tool combined with an MS Office document generator. It aims to help Red & Blue team for attack or defense.

DISCLAIMER: This is only for testing purposes and can only be used where strict consent has been given. Do not use this for illegal purposes, period.

Features

VBad is a tool that allows you to obfuscate (and encrypted) in many diffrent ways pieces of VBA code and integrated directly into a list of generated MS Office document. You would be able to :

  • Encrypt all strings present in your VBA code;
  • Encrypt data from your python Script in VBA code (domain names or paths for example);
  • Randomize each functions’ (or variables) names that you want;
  • Delete all tabulation/spaces/cariage return
  • Chose Encryption method, how and where encryption keys are stored;
  • Add customizable fake keys (to avoid some easy detection stuff)
  • Generate as many unique MS Office document (with different randomize in the VBA) as you want using a filename list and a document Template;
  • Enable autodestruction of encryption Keys feature once the VBA has been trigger once;
  • 20/10/16 : fake keys implementation on #VBad to avoid some easy detection stuff
  • 07/04/17 : implementing option that allows exploiting this vulnerability: http://seclists.org/fulldisclosure/2017/Mar/90. VBad is now able to destroy references to the module containing effecitve payload in order to make it invisible from VBA Developper Tool making analyses and debugging much more harder :-).

#How it works For the moment, only one type of encryption is supported.

All strings and indicated variables are encrypted (xored in fact) using a random key (different for each files). This key is stored into Document.Variables by the python program and then initialization (not the variable itself) is deleted from the VBA code.

It makes decryption of the code harder because analysts has to get back this Document.Variable key using specific methods (no classic tools will work with this).

For more fun, this keys are deleted once the macro is triggered one time (as long as the file is open from a writable place).

New storage methods and real encryption algorithms are to come. But, remember it’s VBA, we do not have so many choices. :-).

#Prerequisites

  • Office (Excel/Word) for generated final doc (tested with Office 2010 and 2013) with Macro fully activated and checkbox “Trust Access to the VBA project object model” checked (in macro security settings, it allows python code to change and create macro)
  • Python 2.7
  • win32com

Download & Tutorial

Tags: VBad