Add-ins
- vivami/OutlookParasite - Outlook persistence using VSTO add-ins - VSTO add-in example; includes a PowerShell installation script, and installation only requires registry changes
- S4R1N/BadOutlook - Malicious Outlook Reader
- f-secure: Add-In Opportunities for Office Persistence - Word/Excel can load DLL add-ins from specific directories, and Excel/PowerPoint can load VBA modules from specific directories; other add-in types include COM/VBE components
Detection evasion
- DoctorLai/VBScript_Obfuscator - The VBScript Obfuscator written in VBScript
- mwrlabs/wePWNise - generates architecture independent VBA code to be used in Office documents or templates and automates bypassing application control and exploit mitigation software
- itm4n/VBA-RunPE - A VBA implementation of the RunPE technique or how to bypass application whitelisting
- nccgroup/demiguise - HTA encryption tool
Macro tools
- med0x2e/vba2clr - Running .NET from VBA
- optiv/Ivy - Ivy is a payload creation framework for the execution of arbitrary VBA (macro) source code directly in memory. Ivy’s loader does this by utilizing programmatical access in the VBA object environment to load, decrypt and execute shellcode
- optiv/Dent - A framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors
- gist: Philts/Invoke-ExShellcode.ps1 - Lateral movement and shellcode injection via Excel 4.0 macros - executes shellcode via RtlCopyMemory + QueueUserAPC + NtTestAlert
- whitel1st/docem - Utility to embed XXE and XSS payloads in docx, odt, pptx, etc. (OXML_XEE on steroids)
- 0xdeadbeefJERKY/Office-DDE-Payloads - Collection of scripts and templates to generate Office documents embedded with the DDE, macro-less command execution technique
- michaelweber/Macrome - Excel Macro Document Reader/Writer for Red Teamers & Analysts
- Shellntel/luckystrike - A PowerShell based utility for the creation of malicious Office macro documents
- cldrn/macphish - Office for Mac Macro Payload Generator
- sevagas/macro_pack - a tool used to automatize obfuscation and generation of MS Office documents
- Mr-Un1k0d3r/MaliciousMacroGenerator - Malicious Macro Generator (supports VM detection)
- Pepitoh/VBad - VBA Obfuscation Tools combined with an MS office document generator
- enigma0x3/Generate-Macro - This Powershell script will generate a malicious Microsoft Office document with a specified payload and persistence method
- outflanknl/EvilClippy - A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows
- FortyNorthSecurity/EXCELntDonut - Excel 4.0 (XLM) Macro Generator for injecting DLLs and EXEs into memory
- JanKallman/EPPlus - Create advanced Excel spreadsheets using .NET - this library is independent of Microsoft's, so generated files contain no PerformanceCache or CompressedSourceCode; without these two fields the document evades AV detection
- christophetd/spoofing-office-macro - VBA macro spawning a process with a spoofed parent and command line
- khr0x40sh/MacroShop - Collection of scripts to aid in delivering payloads via Office Macros
- 1d8/macros - Social Engineering Using "Hidden" Macros In Excel
- FortyNorthSecurity/hot-manchego - Macro-Enabled Excel File Generator (.xlsm) using the EPPlus Library
VBA
- fireeye/OfficePurge - removes P-code from module streams within Office documents - explained in a blog post: after removing PerformanceCache only the CompressedSourceCode field remains, so YARA rules cannot match their keywords and detection is bypassed
- MalwareCantFly/Vba2Graph - Generate call graphs from VBA code, for easier analysis of malicious documents
- glinares/VBA-Stendhal - Inject Encrypted Commands Into EMF Shapes for C2 In VBA / Office Malware
- mgeeky/RobustPentestMacro - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques
- rmdavy/HeapsOfFun - AMSI Bypass Via the Heap
- bonnetn/vba-obfuscator - 2018 School project - PoC of malware code obfuscation in Word macros
Payload analysis
- bontchev/pcodedmp - A VBA p-code disassembler
- decalage2/ViperMonkey - A VBA parser and emulation engine to analyze malicious macros
- tehsyntx/loffice - Lazy Office Analyzer
- eset/vba-dynamic-hook - VBA Dynamic Hook dynamically analyzes VBA macros inside Office documents by hooking function calls
- DissectMalware/XLMMacroDeobfuscator - Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)
- decalage2/oletools - python tools to analyze MS OLE2 files
- egaus/MaliciousMacroBot - malicious office documents triage tool
- edeca/rtfraptor - Extract OLEv1 objects from RTF files by instrumenting Word
- bsi-group/officefileinfo - a python script to help analyse the newer Microsoft Office file formats
- tylabs/quicksand - QuickSand document and PDF malware analysis tool written in Python
Sandbox detection / escape
- joesecurity/pafishmacro - Pafish Macro is a Macro enabled Office Document to detect malware analysis systems and sandboxes. It uses evasion & detection techniques implemented by malicious documents
- Documents of Doom infecting macOS via office macros - although Office for Mac runs in a sandbox, any path containing ~$ is allowed to be written, so a file name like ~$com.xpnsec.plist can be used to bypass the restriction
- certego: Advanced VBA macros: bypassing olevba static analyses with 0 hits - from July 2020; uses obscure APIs and events to bypass detection
- gist: X-C3LL/hookdetector.vba - VBA Macro to detect EDR Hooks (It's just a PoC)
Office 365 / O365
- T0pCyber/hawk - PowerShell based tool for gathering information related to O365 intrusions and potential breaches - written by Microsoft employees
- mrrothe/py365 - A tool for finding risky or suspicious inbox rules
- mdsecactivebreach/o365-attack-toolkit - A toolkit to attack Office365
- LMGsec/o365creeper - Python script that performs email address validation against Office 365 without submitting login attempts
- busterb/msmailprobe - Office 365 and Exchange Enumeration
- nyxgeek/o365recon - retrieve information via O365 with a valid cred
- LMGsec/O365-Lockdown - Secure and log available activities in your Microsoft Office 365 environment
- vysec/checkO365 - a tool to check if a target domain is using O365
- LMGsec/Magic-Unicorn-Tool - This is the beta release of our Office 365 Activities API report parsing tool
- grimhacker/office365userenum - Enumerate valid usernames from Office 365 using ActiveSync
Lync
- mdsecresearch/LyncSniper - A tool for penetration testing Skype for Business and Lync deployments
- nyxgeek/lyncsmash - locate and attack Lync/Skype for Business
Uncategorized
- r00t-3xp10it/backdoorppt - transform your payload.exe into one fake word doc (.ppt)
- sensepost/SPartan - Frontpage and Sharepoint fingerprinting and attack tool
- byt3bl33d3r/SprayingToolkit - Scripts to make password spraying attacks against Lync/S4B & OWA a lot quicker, less painful and more efficient
- rtfdump
- colemination/PowerOutlook - Sample code from Owning MS Outlook with Powershell
- nolze/msoffcrypto-tool - A Python tool and library for decrypting MS Office files - Excel's universal default password is VelvetSweatshop
- Test sample hash: a42bb4900131144aaee16d1235a22ab6d5af43407a383c3d17568dc7cfe10e64 (CDFV2 Encrypted)