A PowerShell script used to create Word Documents containing an Emotet-like VBA/PowerShell payload.
The script performs the following steps:
- Generates a PowerShell payload that calls out to a domain, saves the result to an .exe file and simulates execution of the downloaded file (
calc.exe
is run instead) - Encrypts the PowerShell payload using a randomly generated key
- Creates a new Word Document, saving the encrypted PowerShell payload in the Document's "Comments" built-in property
- Sets Custom Document Properties which, when re-assembled, contains the VBA
WScript.Run
command necessary to invoke PowerShell to decrypt and run the payload from steps 1 & 2 - Generates a number of obfuscated auxillary functions to pad out the VBA
When the generated Document is open, the VBA Sub AutoOpen
command is executed (provided macros are enabled, of course :)), which reassembles the command and decrypts and executes the PowerShell payload.
NOTE: the payload URL can be supplied or randomly generated. If the URL supplied/generated is valid, the response will be saved to a exe file in C:\Temp
, however this is overwritten with a copy of calc.exe
before being run.
To use, import the module in PS and call the Generate-Pseudotet function, passing in the required args:
PS> Import-Module .\pseudotet.psm1
PS> Generate-Pseudotet -PayloadDownloadURL "https://www.foobar.com/payload" -Debug $true