Skip to content

Making HTTP(S) Requests in VBA

Published by Jean Maes on 15 July 2020

Sometimes, maldocs don’t really need to do anything malicious.
You might just want to create awareness and just send a request to a webserver.
In this short blogpost, I’ll show some code to issue web requests in VBA, usable in your favorite office program.

ServerXMLHTTP vs WinHTTPRequest

My colleague Didier Stevens has briefly explained to me what the difference is between these two objects (both can be used to invoke webrequests):

ServerXMLHTTP is used when a proxy is set for IE
WinHTTPRequest is used when there is a proxy set via netsh

For completeness I should probably also mention VBAWEB but this is third party and I have not tested this setup, so this will be out of scope for this blogpost.

Solution: combine the two.

In case you are doing this black box, it’s less than ideal that you’ll have to gamble which proxy settings are being used. Luckily for us, VBA has error handling built in, so we can actually create a macro that combines the two, if the first request fails, try another request. You can also use this error handling to change your URL’s so you can actually try to send to multiple domains in case you fear your “control” domain will be flagged by the proxy.

The Code

Without further blah blah blah, here is the code I’m using to achieve this: 

Sub WebRequest()
Url = http://<yourdomain>/
On Error GoTo Request2
Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
' very short timeouts, increase if you want. this is in miliseconds
objHTTP.setTimeouts 100, 100, 100, 100
'Get for example, can also be any other HTTP VERB, in case you POST, the Send method needs another argument (else you'll just post empty)

objHTTP.Open "GET", Url, False
objHTTP.Send
Set objHTTP = Nothing
Exit Sub
Request2:
'if you want you can create more error handlers, alternating url or serverxml/winhttp In case you want multiple errors you'll have to reset the error handle to -1
    On Error GoTo -1
' In case of multiple error handlers
    'On Error GoTo Request3
    'you can change your URL here if you want
    Set winHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
    winHttpReq.Open "GET", Url, False
    winHttpReq.Send        
End Sub

Published inTips & Tutorials

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *