adb

Adaptive Document Builder

A framework for generating simulated malicious office documents.

Features

  • VBA is distinct for every document (level of distinction depends on the adversary document builder selected)
  • Random author based on easily updated/replaced name lists (sets local system registry keys before each document build)
  • Random file name based on the most commonly seen file names in malicious document campaigns
  • Multiple file formats (doc, docm, XML flat OPC)
  • Multiple file extensions (.doc, .docm, .rtf)
  • Supports multiple payloads
  • Functions for building and randomizing VBA are in a shared library for use across multiple adversary builders
  • Modular design and architecture for easy addition of more adversary builders
  • Debug mode that outputs an audit trail of document creation details, including the VBA contents

Runs on

Python 3 on Windows
COM is used to interface with an installed and configured Office product

Prerequisites

Run this on a virtual machine!

  • Disable Windows Defender or add an exclusion for the adb files (before cloning) and for your output directory, or the files might get cleaned
  • Registry entries will be changed when setting the author of documents, so don't run this with any production Office software

Usage

List available adversary emulation builders

>python adb.py -l
sample_with_network_test
underscore_crew_201806

Build documents

Build 5 documents with VBA and payload style resembling underscore_crew_201806 (the group that delivered Agent Tesla during this time period):

  • Extension: .doc
  • File Format: XML flat OPC
>python adb.py -a underscore_crew_201806 -c 5 -o C:\users\h\desktop\out -f flatxml -e doc
[*] Building document Sales_Invoice_6619.doc with author: Valentia A Petersen
[*] Building document Your_Invoices_5801.doc with author: Nydia Shields
[*] Building document Selected_Ticket_9047.doc with author: Felipa Henson
[*] Building document Past_Due_Receipt_4278.doc with author: Minh J Mosley
[*] Building document Final_Bill_7431.doc with author: Kaile Perkins

Modify documents

VBA stomp (overwrite the compressed VBA storage) each macro-enabled document as it is built (enabled with -v). For more information about VBA stomping, see vbastomp.com.

>python adb.py -a emotet_20190222 -o C:\users\h\desktop\out -v

VBA stomp a single document (regardless of how it was created)

>python internals\stomp_vba.py C:\users\h\desktop\out\Incorrect_Payment_7457.doc
[*] Stomped VBA - new file at: C:\users\h\desktop\out\Incorrect_Payment_7457.doc.stomped

Note: VBA stomping works for Word (.doc and .docm) and Excel (.xlsm) files. Currently, Excel .xls (Office 97-2003 format) is not supported.
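As an added defender-side example, not code from the adb project: the VBA source of a module sits in the module stream as an MS-OVBA CompressedContainer after the compiled p-code, and stomping overwrites that compressed source while the p-code stays behind. The Python below decompresses such a container and applies a simple heuristic that flags a module whose recovered source carries nothing beyond Attribute lines. The module bytes, the literal-only compressor used to build them and the placeholder p-code prefix are constructed for this example; in a real file the source offset is read from the module's MODULEOFFSET record in the VBA `dir` stream.

```python
import struct
def decompress_vba(container: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer, the form VBA source takes in a module stream."""
    if container[:1] != b"\x01":
        raise ValueError("bad CompressedContainer signature")
    out, pos = bytearray(), 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        if (header >> 12) & 0x07 != 0b011:
            raise ValueError("bad chunk signature")
        chunk_end = min(len(container), pos + (header & 0x0FFF) + 3)  # size counts the 2-byte header
        chunk_start, pos = len(out), pos + 2
        if not header & 0x8000:                  # flag clear: chunk holds 4096 raw bytes
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:                   # token sequence: 1 flag byte, then up to 8 tokens
            flags, pos = container[pos], pos + 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:       # literal token: one raw byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                bits = max((len(out) - chunk_start - 1).bit_length(), 4)  # offset width grows within the chunk
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                for _ in range(length):          # back-reference copy, byte by byte so overlap works
                    out.append(out[-offset])
    return bytes(out)

def compress_vba_literal(data: bytes) -> bytes:
    """Wrap data in a single literal-only compressed chunk (a valid container, used here to build samples)."""
    body = b"".join(b"\x00" + data[i:i + 8] for i in range(0, len(data), 8))
    assert len(body) + 2 <= 4098, "one chunk only"
    return b"\x01" + struct.pack("<H", 0x8000 | 0x3000 | (len(body) + 2 - 3)) + body

def vba_source_looks_stomped(module_stream: bytes, source_offset: int) -> bool:
    """Heuristic: compiled p-code precedes the source, yet the source holds only Attribute lines."""
    text = decompress_vba(module_stream[source_offset:]).decode("latin-1")
    code = [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("Attribute ")]
    return source_offset > 0 and not code

FAKE_PCODE = b"\x00" * 32  # constructed placeholder bytes standing in for the p-code region, not real p-code
STOMPED_MODULE = FAKE_PCODE + compress_vba_literal(b'Attribute VB_Name = "Module1"\r\n')
INTACT_MODULE = FAKE_PCODE + compress_vba_literal(b'Attribute VB_Name = "Module1"\r\nSub Main()\r\nEnd Sub\r\n')
```

A module with only Attribute lines can also be a genuinely empty module, so treat a hit as a reason to inspect the p-code rather than as proof on its own.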

Help Output

usage: program_name [-h] [-a ADVERSARY] [-f FILETYPE] [-e EXTENSION]
                    [-c COUNT] [-l] [-o OUTDIR] [-d]

program description

optional arguments:
  -h, --help            show this help message and exit
  -a ADVERSARY, --adversary ADVERSARY
                        -a --adversary {adversary name} (use -l to list)
  -f FILETYPE, --filetype FILETYPE
                        -f --filetype doc | docm | flatxml
  -e EXTENSION, --extension EXTENSION
                        -e --extension doc | docm | rtf
  -c COUNT, --count COUNT
                        -c --count {# of docs to create}
  -l, --listadversaries
                        -l --listadversaries : list available adversaries and
                        exits
  -o OUTDIR, --outdir OUTDIR
                        -o --outdir {path\to\outdir}
  -d, --debug           -d --debug : print debug statements and playbook for
                        each document
  -v VBASTOMP, --vbastomp VBASTOMP
                        -v --vba-stomp : VBA stomp each document as they are built