TmpLoc = "C:\Users\" & CurrUser & "\AppData\Roaming\Microsoft\Templates\Normal.dotm"Ī = True ' Replace current template with Normal.dotm template.

The Final Macro - Notice the unlink function being called in both AutoOpen() and Document_Open()

Sub AutoOpen()

If there are any errors during the process, the "fail-safe" DeleteVBAProject function will delete all of the VBA script that exists in the document.

In short, the additional code first tries to unlink the current malicious template and link the document with the default Normal.dotm template, which can be found on all Windows machines that have Word installed.

This section's unlinking/self-deleting code is from John Woodman - The article goes into detail about what the code does.

This is bad for OPSEC reasons, as Word document macros can be deobfuscated, which will reveal additional network-based indicators to the analysts.

Unlinking and OPSEC

After the remote template file is downloaded, the macro is left inside the.