Decodes the shellcode embedded in Lazarus macro documents.
from oletools.olevba import VBA_Parser
import uuid
import re
import sys
import os
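# Text between "#If Win64" and "#Else" in the macro source: the branch the
# script treats as the 64-bit payload. re.S lets ".*?" span lines.
X64_CHUNKS_REG = re.compile(r'\#If\s+Win64(.*?)\#Else', re.S | re.I)
# Text between "#Else <whitespace> Dim" and "#End": the branch the script
# treats as the 32-bit payload.
X86_CHUNKS_REG = re.compile(r'\#Else\s+?Dim(.*?)\#End', re.S | re.I)
# One UUID literal in 8-4-4-4-12 hex-group form, case-insensitive.
UUID_REG = re.compile(r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}', re.I)


def dump_shellcode(filename, buf, arch):
    """Extract the UUID-encoded payload for one architecture and write it to disk.

    The macro keeps its payload as a sequence of UUID string literals inside
    the ``#If Win64`` / ``#Else`` / ``#End`` block. Every UUID literal in the
    selected branch is turned back into its 16 raw bytes with
    ``uuid.UUID.bytes_le`` (``time_low``, ``time_mid`` and ``time_hi_version``
    in little-endian byte order) and the pieces are concatenated in the order
    they appear in the source.

    Args:
        filename: Base name used to build the output file name.
        buf: VBA source text to scan.
        arch: ``'x64'`` selects the ``#If Win64`` branch; any other value
            selects the ``#Else`` branch and is only used in the output name
            and message (the caller passes ``'x86'``).

    Returns:
        The decoded bytes; ``b''`` when no UUID literal was found.

    Side effects:
        Writes ``shellcode_<filename>_<arch>.bin`` in the current working
        directory and prints its path. When nothing was decoded no file is
        written and a notice is printed instead, so an empty ``.bin`` never
        appears next to a "Wrote ..." message.
    """
    reg = X64_CHUNKS_REG if arch == 'x64' else X86_CHUNKS_REG
    # b''.join over a generator instead of repeated bytes += (quadratic).
    out = b''.join(
        uuid.UUID(u).bytes_le
        for chunk in reg.findall(buf)
        for u in UUID_REG.findall(chunk)
    )
    if not out:
        print("No {} shellcode found in {}".format(arch, filename))
        return out
    outfile = 'shellcode_{}_{}.bin'.format(filename, arch)
    with open(outfile, 'wb') as f:
        f.write(out)
    print("Wrote {} shellcode to: {}".format(arch, outfile))
    return out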
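def main(argv=None):
    """Dump the x86 and x64 payloads from every VBA module in one document.

    Args:
        argv: Command-line arguments (``sys.argv`` when None). Exactly one
            positional argument, the document path, is expected.

    Side effects:
        Prints each extracted macro's source (kept for manual inspection),
        then writes the decoded payloads via ``dump_shellcode``. Exits with
        status 1 when the argument count is wrong.
    """
    argv = sys.argv if argv is None else argv
    if len(argv) != 2:
        # Report the script's real name; the old text hard-coded "dump.py".
        print(' Usage: {} <file.doc>'.format(os.path.basename(argv[0]) or 'decode.py'))
        sys.exit(1)
    # basename() keeps the output file in the current directory even when
    # the document path contains directories.
    basename = os.path.basename(argv[1])
    vbaparser = VBA_Parser(argv[1])
    try:
        for _, _, _, vba_code in vbaparser.extract_macros():
            print(vba_code)
            dump_shellcode(basename, vba_code, 'x86')
            dump_shellcode(basename, vba_code, 'x64')
    finally:
        # Release the file handles the parser holds even if decoding fails.
        vbaparser.close()


if __name__ == '__main__':
    main()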