
macro_pack – Automate Obfuscation and Generation of MS Office Documents

macro_pack is a tool that automates the obfuscation and generation of MS Office documents for pentests, demos, and social engineering assessments. Its goal is to simplify bypassing antimalware solutions and to automate the process from VBA generation to final Office document generation.
It is very simple to use:

  • No configuration
  • Everything can be done using a single line of code
  • Generation of Word, Excel, and PowerPoint documents
  • Advanced VBA macro attacks as well as DDE attacks

The tool is compatible with payloads generated by popular pentest tools (Metasploit, Empire, …). It is also easy to combine with other tools, since it can read input from stdin and produce quiet output for another tool. It is written in Python 3 and works on both Linux and Windows platforms.

Note: A Windows platform with the right MS Office applications installed is required for automatic generation of Office documents and for the trojan features.

 

 

Obfuscation

The tool applies various obfuscation techniques, all automatic. The obfuscation feature is compatible with every format that macro_pack can generate, whether VBA or VBS based.
Basic obfuscation (-o option) includes:

  • Renaming functions
  • Renaming variables
  • Removing spaces
  • Removing comments
  • Encoding Strings

Note that the main goal of macro_pack obfuscation is not to prevent reverse engineering; it is to prevent antivirus detection.

 

Generation

Macro Pack can generate several kinds of MS Office documents and script formats. The format is guessed automatically from the given file extension. File generation is done using the option --generate or -G. The pro version of Macro Pack can also trojan existing files with the option --trojan or -T.

Supported MS Office formats are:

  • MS Word 97 (.doc)
  • MS Word (.docm, .docx)
  • MS Excel 97 (.xls)
  • MS Excel (.xlsm)
  • MS PowerPoint (.pptm)
  • MS Visio 97 (.vsd)
  • MS Visio (.vsdm)
  • MS Project (.mpp)

Supported scripting (txt) formats are:

  • VBA text file (.vba)
  • VBS text file (.vbs)
  • Windows Script Host (.wsh)
  • Windows Script Components scriptlets (.wsc, .sct)
  • HTML Applications (.hta)

Note that all scripting formats can be generated on the Linux version of macro_pack as well.
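For defenders, the format lists above translate into a content-based attachment triage. The following is an added example, not part of macro_pack or the original page: the function names and verdict labels are hypothetical, the sample archives are constructed in memory, and it assumes the VBA project of an OOXML file is stored in a part named vbaProject.bin.

```python
import io
import zipfile

# Extensions taken from the page's list of scripting formats.
SCRIPT_EXTS = {".vba", ".vbs", ".wsh", ".wsc", ".sct", ".hta"}
# OLE2 compound-file signature used by legacy binary Office formats
# (.doc, .xls, .vsd, .mpp in the page's list).
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# OOXML extensions that are not expected to carry a VBA project.
MACRO_FREE_EXTS = {".docx", ".xlsx", ".pptx"}


def triage(filename: str, data: bytes) -> str:
    """Classify an attachment by content first, extension second."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in SCRIPT_EXTS:
        return "script"
    if data.startswith(OLE_MAGIC):
        # May hold macros; confirming needs an OLE parser (out of scope here).
        return "ole-legacy"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "malformed-zip"
        if any(n.endswith("vbaproject.bin") for n in names):
            if ext in MACRO_FREE_EXTS:
                return "ooxml-vba-unexpected-ext"
            return "ooxml-vba"
        # No VBA part; DDE fields are not inspected by this check.
        return "ooxml-no-vba"
    return "other"


def make_sample(members):
    """Build a constructed in-memory ZIP with placeholder parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    with_vba = make_sample(["[Content_Types].xml", "word/vbaProject.bin"])
    for name in ("invoice.docm", "invoice.docx"):
        print(name, "->", triage(name, with_vba))
```

A verdict of "ooxml-no-vba" only means no VBA part was found; it says nothing about the DDE attacks mentioned earlier, which need separate inspection.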

 

Run/Install

Run Windows binary

  1. Get the latest binary from https://github.com/sevagas/macro_pack/releases/
  2. Download the binary onto a PC with genuine Microsoft Office installed.
  3. Open a console, cd to the binary's directory and call the binary, simple as that!
macro_pack.exe --help

 

Install from sources

Download and install dependencies:

git clone https://github.com/sevagas/macro_pack.git
cd macro_pack
pip3 install -r requirements.txt

Note: On Windows, you also need to manually download pywin32 from https://sourceforge.net/projects/pywin32/files/pywin32/

The tool is written in Python 3, so just start it with your python3 install, e.g.:

python3 macro_pack.py --help
# or
python macro_pack.py --help # if python3 is default install

If you want to produce a standalone exe using pyinstaller, double-click the “build.bat” script on a Windows machine. The resulting macro_pack.exe will be in the bin directory.


About the author

Mazen Elzanaty
