Adaptive Document Builder

A framework for generating simulated malicious office documents.


  • VBA is distinct for every document (level of distinction depends on the adversary document builder selected)
  • Random author based on easily updated/replaced name lists (sets local system registry keys before each document build)
  • Random file name based on the most commonly seen file names in malicious document campaigns
  • Multiple file formats (doc, docm, XML flat OPC)
  • Multiple file extensions (.doc, .docm, .rtf)
  • Supports multiple payloads
  • Functions for building and randomizing VBA are in a shared library for use across multiple adversary builders
  • Modular design and architecture for easy addition of more adversary builders
  • Debug mode that outputs an audit trail of document creation details, including VBA contents

Runs on

Python 3 on Windows
COM is used to interface with an installed and configured Office product


Run this on a virtual machine!

  • Disable Windows Defender, or add an exclusion for the adb files (before cloning) and your output directory, or they might get cleaned
  • Registry entries will be changed when setting the author of documents, so don't run this with any production Office software


List available adversary emulation builders

>python -l

Build documents

Build 5 documents with VBA and payload style resembling underscore_crew_201806 (a group that delivered Agent Tesla during this time period)

  • Extension: .doc
  • File Format: XML flat OPC

>python -a underscore_crew_201806 -c 5 -o C:\users\h\desktop\out -f flatxml -e doc
[*] Building document Sales_Invoice_6619.doc with author: Valentia A Petersen
[*] Building document Your_Invoices_5801.doc with author: Nydia Shields
[*] Building document Selected_Ticket_9047.doc with author: Felipa Henson
[*] Building document Past_Due_Receipt_4278.doc with author: Minh J Mosley
[*] Building document Final_Bill_7431.doc with author: Kaile Perkins
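
Because the builder can pair any file format with any extension (flat OPC XML saved as .doc in the run above), triage of the generated samples should key on content rather than on the file name. The following is an added example, not part of this project's code: it identifies the real container from the leading bytes, checks ZIP and flat OPC packages for a vbaProject.bin part, and flags extension mismatches. The function names, the expected-extension mapping and the sample inputs are assumptions constructed for illustration.

```python
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
VBA_PART = re.compile(rb'pkg:name="[^"]*vbaProject\.bin"', re.I)
EXPECTED = {"ole": {".doc", ".xls"}, "zip": {".docm", ".docx", ".xlsm"},
            "flat-opc": {".xml"}, "rtf": {".rtf"}}  # assumed mapping for triage

def sniff(data: bytes):
    """Return (container, has_vba_part); has_vba_part is None when not checked."""
    head = data[:4096].lstrip(b"\xef\xbb\xbf \t\r\n")
    if data.startswith(OLE_MAGIC):
        return "ole", None  # macro check needs an OLE parser, out of scope here
    if data.startswith(b"PK\x03\x04"):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "zip", None
        return "zip", any(n.lower().endswith("vbaproject.bin") for n in names)
    if head.startswith(b"{\\rtf"):
        return "rtf", None
    if head.startswith(b"<?xml") and b"<pkg:package" in head:
        return "flat-opc", bool(VBA_PART.search(data))
    return "unknown", None

def triage(filename: str, data: bytes) -> dict:
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    container, vba = sniff(data)
    return {"container": container, "has_vba_part": vba,
            "mismatch": ext not in EXPECTED.get(container, set())}

def constructed_samples() -> dict:
    """Tiny constructed inputs (not real documents) covering three containers."""
    flat = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            b'<?mso-application progid="Word.Document"?>\n'
            b'<pkg:package xmlns:pkg="http://schemas.microsoft.com/office/2006/xmlPackage">'
            b'<pkg:part pkg:name="/word/vbaProject.bin"><pkg:binaryData>AAAA'
            b'</pkg:binaryData></pkg:part></pkg:package>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"\x00")
    return {"flat_as.doc": flat, "zip_as.docm": buf.getvalue(),
            "ole_as.rtf": OLE_MAGIC + b"\x00" * 8}

if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, triage(name, blob))
```

A mismatch alone is only a triage signal; legitimate files are sometimes renamed, so combine it with the macro-part check and sender context.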

Modify documents

VBA stomp (overwrite the compressed VBA storage of) each macro-enabled document as it is built (specified by -v). For more information about VBA Stomping see

>python -a emotet_20190222 -o C:\users\h\desktop\out -v

VBA stomp a single document (regardless of how it was created)

>python internals\ C:\users\h\desktop\out\Incorrect_Payment_7457.doc
[*] Stomped VBA - new file at: C:\users\h\desktop\out\Incorrect_Payment_7457.doc.stomped

Note: VBA stomping works for Word (.doc and .docm) and Excel (.xlsm) files. Currently, Excel .xls (Office 97-2003 format) is not supported.

Help Output

usage: program_name [-h] [-a ADVERSARY] [-f FILETYPE] [-e EXTENSION]
                    [-c COUNT] [-l] [-o OUTDIR] [-d]

program description

optional arguments:
  -h, --help            show this help message and exit
  -a ADVERSARY, --adversary ADVERSARY
                        -a --adversary {adversary name} (use -l to list)
  -f FILETYPE, --filetype FILETYPE
                        -f --filetype doc | docm | flatxml
  -e EXTENSION, --extension EXTENSION
                        -e --extension doc | docm | rtf
  -c COUNT, --count COUNT
                        -c --count {# of docs to create}
  -l, --listadversaries
                        -l --listadversaries : list available adversaries and
  -o OUTDIR, --outdir OUTDIR
                        -o --outdir {path\to\outdir}
  -d, --debug           -d --debug : print debug statements and playbook for
                        each document
  -v VBASTOMP, --vbastomp VBASTOMP
                        -v --vba-stomp : VBA stomp each document as they are built