VBComponents(i).CodeModule.DeleteLines _
TmpLoc = "C:\Users\" & CurrUser & "\AppData\Roaming\Microsoft\Templates\Normal.dotm"
= True ' Replace current template with Normal.dotm template.

If your changes are to be on the same page, choose the Continuous section break. If you want to change formatting again, put in another section break. Set up the formatting change just past the new section break.

The Final Macro - Notice the unlink function being called in both AutoOpen() and Document_Open()

Sub AutoOpen()

To change formatting in a document, insert a section break at the beginning of where you want the change.

If there are any errors during the process, the "fail-safe" DeleteVBAProject function will delete all of the VBA script that exists in the document. In short, the additional code first tries to unlink the current malicious template and link the document with the default Normal.dotm template, which can be found on all Windows machines that have Word installed. This section's unlinking/self-deleting code is from John Woodman - The article goes into detail about what the code does. This is bad for OPSEC reasons, as Word document macros can be deobfuscated, which will reveal additional network-based indicators to the analysts.

Unlinking and OPSEC

After the remote template file is downloaded, the macro is left inside the.