Extract Macro Save

This PS script will extract macro from Excel and Word files. Also checks the macro for suspecious code patterns Includes temporary DDE check for word documents

Project README

Extract-Macro

This PS script will extract macro from Excel and Word files. Also checks the macro for suspecious code patterns
Includes temporary DDE check for word documents.

Version
0.4

Dependencies
MS Office 2013 or greater

Tested on
MS Office 2013
MS Office 2016

Supported file types
xls,xlsm,doc,docm,docx (haven't checked for others, may work)

Usage
PS C:> ./Extract-macro.ps1 C:\Sheet1.xls

TODO

Add support for doc files
Adding more malicious/suspecious macro checks
Improve Error Handling
Decoding and checking base64 encoded
Checking base64 encoded strings for patterns
Improving DDE check feature for word

Sample Run 1

PS C:\> ./Extract-macro.ps1 C:\Sheet1.xls -fp 0
    ======== Macro Code Start ============
    Sub Auto_open()
        Dim encode As String
        Dim pathName As String
        Dim o As Document
        Set o = ActiveDocument

        Dim strResult As String
        Dim test As String
        Dim objHTTP As Object
        Dim URL As String
        Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
        test = "aHR0cDovLzEyNy4wLjAuMS90ZXN0LnR4dA=="
        URL = "http://127.0.0.1:8000/test.txt"
        objHTTP.Open "GET", URL, False
        objHTTP.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
        objHTTP.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
        objHTTP.send ("keyword=php")
        strResult = objHTTP.responseText
        MsgBox (strResult)
    End Sub





    ======== Macro Code End ============
    ========  base64 data found ============

    EncodedText                          DecodedText              
    -----------                          -----------              
    aHR0cDovLzEyNy4wLjAuMS90ZXN0LnR4dA== http://127.0.0.1/test.txt


    ======== Suspecious Macro Code Patterns ============

    Checks_for                                    Count
    ----------                                    -----
    Base64 encoded strings [Confirmed]            1    
    Use of Char encoding                          0    
    string concatination for AV evasion           0    
    Auto run macro Auto_Open                      1    
    IP Address - Possible Data transfer           1    
    HTTP Request modules used                     2    
    base64 encoded strings [false positive prone] 50   
    scheduled tasks invocation. Possible backdoor 0    
    URL detected - Probable data transfer         0    
    Use of shell function                         0    
    Auto run macro Document_Open                  0    
    HTTP Request modules used                     2

Sample Run 2

PS C:\> ./Extract-macro.ps1 C:\dde.docx        
======== DDE Code Start ============
DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" !Unexpected End of Formula
======== DDE Code End ============

References
https://github.com/enigma0x3/Generate-Macro/blob/master/Generate-Macro.ps1

Open Source Agenda is not affiliated with "Extract Macro" Project. README Source: 0xm4v3rick/Extract-Macro

Stars

Open Issues

Last Commit

6 years ago

Repository

0xm4v3rick/Extract-Macro

License

MIT

Open Source Agenda Badge

<a href="https://www.opensourceagenda.com/projects/extract-macro"><img src="https://www.opensourceagenda.com/projects/extract-macro/reviews/badge.svg" alt="Open Source Agenda"></a>

Submit Review Review Your Favorite Project

Submit Resource Articles, Courses, Videos

Submit Article Submit a post to our blog

From the blog

Dec 11, 2022

How to Choose Which Programming Language to Learn First?

From the blog

Dec 11, 2022