Malicious Macro Generator
Switch branches/tags
Nothing to show
Clone or download
Latest commit ea2d08f Jun 25, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
configs Create wmi-msbuild-evasion-domain.json Jun 21, 2018
examples Create generic-cmd-evasion.vba Nov 11, 2016
lib HelpMenu fix Jun 25, 2018
templates add string to hex evasion Jun 25, 2018 Update Oct 13, 2017 add split string and string to hex functions Jun 25, 2018 Update Jun 25, 2018 Update Dec 14, 2016

Malicious Macro Generator Utility

Simple utility design to generate obfuscated macro that also include a AV / Sandboxes escape mechanism.


Python 2.7


MMG.Malicious Macro Generator v2.0 - RingZer0 Team
Author: Mr.Un1k0d3r

Usage: [config] [output] (optional parameters)

        [config]                                Config file that contain generator information
        [output]                                Output filename for the macro

        -l      --list                          List of all available payloads and evasion techniques
        -s      --split_strings                 Randomly split strings at parts
        -x      --strings_to_hex                Encode strings to hex

python configs/generic-cmd.json malicious.vba

Config file

Example of a project config file.

	"description": "Generic command exec payload\nEvasion technique set to domain check",
	"template": "templates/payloads/generic-cmd-evasion-template.vba",
	"varcount": 150,
	"encodingoffset": 4,
	"chunksize": 200,
	"encodedvars": 	{
	"vars": 	[],
	"evasion": 	["encoder", "domain"],
	"payload": "cmd.exe /c whoami"

Evasion techniques

Domain check

The macro is fetching the USERDOMAIN environment variable and compare the value with a predefined one. If they match the final payload is executed.

Disk check

The macro is looking for the total disk space. VMs and test machines use small disk most of the time.

Memory check

The macro is looking for the total memory size. Vms and test machines use less resources.

Uptime check

The macro is looking for the system uptime. Sandboxes will return a short uptime.

Process check

The macro is checking if a specific process is running (example outlook.exe)


The python script will also generate obfuscated code to avoid heuristic detection

More to come


Mr.Un1k0d3r RingZer0 Team