sevagas/macro_pack

error macro_pack exception caught

Opened this issue · 4 comments

Hello again,

I'm testing macro_pack on my VM of W10 now.

I installed python3 and Visual C++ Redistributable for Visual Studio 2015
and I deactivated SmartScreen.

I'm trying to obfuscate a VBA macro created by Metasploit in this case.

```
[+] Preparations...
[-] Input file path: test1.docx
[-] Target output format: Word
[-] Temporary working dir: C:\Users\noah\Desktop\temp
[-] Store input file...
[-] Temporary input file: C:\Users\noah\Desktop\temp\ihbtrifso.vba
[+] Prepare Word file generation...
[-] Check feasibility...
[+] Generating MS Word document...
[-] Set Software\Microsoft\Office\16.0\Word\Security to 1...
[-] Open document...
[-] Save document format...
[-] Inject VBA...
[!] Exception caught!
Traceback (most recent call last):
File "build_tmp\modules\word_gen.py", line 146, in generate
File "c:\users\papoul\appdata\local\programs\python\python38-32\lib\encodings\cp1252.py", line 23, in decode
UnicodeDecodeError: 'charmap' codec can't decode byte 0x8f in position 603: character maps to
[!] Hints: Check if MS office is really closed and Antivirus did not catch the files
[!] Attempt to force close MS Word...
Correcto: se terminó el proceso "WINWORD.EXE" con PID 3244.
[+] Cleaning...
Done!
```

What can I do?

Thanks

Hi, I think it's because you are passing a docx file as the input file. The input file should be VBA as a text file.
Remember to share the command line you are typing when raising an issue, so it's easier to assess.

Hello,

This is the command that I used:

`macro_pack.exe -f test1.vba -o -G myDoc.doc`

Now it shows this:

```
[+] Preparations...
[-] Input file path: test1.vba
[-] Target output format: Word97
[-] Temporary working dir: C:\Users\noah\Desktop\temp
[-] Store input file...
[-] Temporary input file: C:\Users\noah\Desktop\temp\lkauzimsh.vba
[+] Prepare Word97 file generation...
[-] Check feasibility...
[+] VBA names obfuscation ...
[-] Rename functions...
[!] Exception caught!
Traceback (most recent call last):
File "build_tmp\macro_pack.py", line 246, in main
File "build_tmp\modules\payload_builder.py", line 66, in run
File "build_tmp\modules\vba_gen.py", line 33, in vbTransformAndObfuscate
File "build_tmp\modules\obfuscate_names.py", line 233, in run
File "build_tmp\modules\obfuscate_names.py", line 49, in _replaceFunctions
File "build_tmp\modules\obfuscate_names.py", line 22, in _findAllFunctions
File "c:\users\papoul\appdata\local\programs\python\python38-32\lib\encodings\cp1252.py", line 23, in decode
UnicodeDecodeError: 'charmap' codec can't decode byte 0x8f in position 603: character maps to
[+] Cleaning...
Done!
```

OK, now it works correctly:

`macro_pack.exe -f empire_test.hta -o -G test1.doc`

empire_test.txt

I saved the empire_test.txt with the extension .hta.

Now I'm wondering if there's the possibility of hiding the ps process when the macro is executed.

I tried to put

```vb
Set asd = CreateObject("WScript.Shell")
asd.Run(Fdxf) , 0
    Set Wshell = nothing
    End Function
```

or...

Should I add this command?

```vb
Set asd = CreateObject("WScript.Shell")
asd.Run(Fdxf)
WShell.Run "powershell.exe", 0
Set Wshell = nothing
```

Thanks

Hi,
I suppose you can simply use
`CreateObject("WScript.Shell").Run cmdLine, 0`
I am closing this issue since it was not a bug but a command line error (you can just email me if you have questions about VBA).
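
From the defender's side, the pattern discussed in this thread (a `WScript.Shell` `Run` call whose second argument, the window style, is `0`) is worth flagging when reviewing macro source extracted from a document. The following is an added example, not part of the issue thread or of macro_pack: a small Python scanner whose function names and sample macro are constructed for illustration.

```python
import re

SHELL = r'CreateObject\(\s*"WScript\.Shell"\s*\)'
HIDDEN = {'0', 'vbhide'}  # window-style values that hide the launched window

def _run_args(rest):
    """Split the text after '.Run' into top-level arguments."""
    rest, depth = rest.strip(), 0
    for i, ch in enumerate(rest):
        depth += (ch == '(') - (ch == ')')
        if depth == 0:
            if rest.startswith('(') and i == len(rest) - 1:
                rest = rest[1:-1]          # call form: Run(cmd, 0)
            break
    args, cur, depth = [], '', 0
    for ch in rest:
        depth += (ch == '(') - (ch == ')')
        if ch == ',' and depth == 0:
            args.append(cur.strip())
            cur = ''
        else:
            cur += ch
    return args + [cur.strip()]

def find_hidden_runs(vba_source):
    """Return source lines that run a command via WScript.Shell with a hidden window."""
    src = re.sub(r'[ \t]+_\r?\n', ' ', vba_source)       # join ' _' continuations
    hits, shells = [], {'__wshell__'}
    for raw in src.splitlines():
        line = re.sub(SHELL, '__WSHELL__', raw, flags=re.I)
        line = re.sub(r'"(?:[^"]|"")*"', '""', line)      # blank string literals
        line = line.split("'", 1)[0]                        # drop trailing comment
        m = re.search(r'\bSet\s+(\w+)\s*=\s*__WSHELL__', line, re.I)
        if m:
            shells.add(m.group(1).lower())                 # remember shell objects
        call = re.search(r'(\w+)\.Run\b(.*)', line, re.I)
        if call and call.group(1).lower() in shells:
            args = _run_args(call.group(2))
            if len(args) > 1 and args[1].lower() in HIDDEN:
                hits.append(raw.strip())
    return hits

# Constructed sample modelled on the snippets quoted in this thread.
SAMPLE = '''Function Go()
    Set asd = CreateObject("WScript.Shell")
    asd.Run(Fdxf) , 0
    asd.Run "notepad.exe, 0", 1
    CreateObject("WScript.Shell").Run cmdLine, 0
End Function'''
print(find_hidden_runs(SAMPLE))
```

The scanner only tracks objects assigned with `Set` and literal window-style values; a style passed through a variable or a shell object obtained another way is not resolved.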