Proof of Concept tool to generate malicious macros leveraging techniques like VBA Purging and Shellcode Obfuscation to evade AV engines.
This tool takes in raw shellcode that can be generated by popular C2 frameworks like (Metasploit,Cobalt Strike etc) and outputs a VBA macro.
The tool takes in the malicious doc/excel file ready and embedded with the generated VBA code and performs VBA purging.
BadAssMacros features currently include:
| Name | x32 | x64 | | -------- | --- | ----------- | | Classic | Yes | Yes | | Indirect | Yes | In Progress |
The BadAssMacros tool is meant to only be used for ethical purposes. Don't use it for bad things.
BadAssMacros require 3rd party libraries that can be installed from the NuGet package manager.
Install-Package Costura.Fody -Version 3.3.3
Install-Package OpenMcdf -Version 220.127.116.11
Install-Package Fody -Version 4.0.2
The BadAssMacros.exe will be inside the bin directory.
BadAssMacros.exe -i <path_to_raw_shellcode_file> -w <doc/excel> -p no -s classic -c <caesar_shift_value> -o <path_to_output_file>
BadAssMacros.exe -i <path_to_raw_shellcode_file> -w <doc/excel> -p no -s indirect -o <path_to_output_file>
BadAssMacros.exe -i <path_to_doc/excel_file> -w <doc/excel> -p yes -l
BadAssMacros.exe -i <path_to_doc/excel_file> -w <doc/excel> -p yes -o <path_to_output_file> -m <module_name>
BadAssMacro was tested against local Antivirus solutions and online services like antiscan.me. The results of testing the same using the Indirect shellcode execution method is attached below.
NOTE: Please do not submit the samples to VirusTotal