I developed another variant of my “Excel macro injects embedded DLL” script.
Instead of creating and loading a temporary DLL from VBScript, I inject and execute shellcode directly from the VBA application.
Some HIPS would prevent my previous script from running, because it loaded an unapproved DLL. But my new version doesn’t load a DLL.
Of course, writing shellcode is more difficult than developing a PE executable.
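Since this variant loads no DLL, a control keyed on DLL loads has nothing to inspect, but a macro that calls native code typically still imports Win32 functions through `Declare` statements in its source. The check below is an added example, not code from the original post: it resolves the real export behind each `Declare` (following `Alias` and line continuations) and flags macros that import both memory-allocation and thread-start functions. The watchlist, function names and sample source are assumptions constructed for illustration.

```python
import re

# Assumed watchlist of Win32 exports, grouped by the role they play when a
# macro runs code from memory. Not taken from the post; extend as needed.
WATCHLIST = {
    "alloc": {"virtualalloc", "virtualallocex", "heapalloc"},
    "write": {"rtlmovememory", "writeprocessmemory"},
    "exec": {"createthread", "createremotethread"},
}

DECLARE_RE = re.compile(
    r'^[ \t]*(?:(?:Public|Private)\s+)?Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+'
    r'(\w+)\s+Lib\s+"([^"]+)"(?:\s+Alias\s+"([^"]+)")?',
    re.IGNORECASE | re.MULTILINE,
)

def declared_imports(vba_source):
    """Return (library, real_export) pairs for every Declare statement."""
    # Join VBA line continuations (" _" at end of line) before matching.
    joined = re.sub(r"[ \t]_[ \t]*\r?\n", " ", vba_source)
    imports = []
    for name, lib, alias in DECLARE_RE.findall(joined):
        # The Alias, when present, is the export that is actually resolved.
        export = (alias or name).lower()
        lib = lib.lower()
        imports.append((lib[:-4] if lib.endswith(".dll") else lib, export))
    return imports

def in_memory_exec_roles(vba_source):
    """Map each watchlist role to the exports the macro imports for it."""
    exports = {export for _, export in declared_imports(vba_source)}
    return {role: sorted(names & exports) for role, names in WATCHLIST.items()}

def is_suspicious(vba_source):
    """Flag a macro that can both allocate memory and start a thread."""
    roles = in_memory_exec_roles(vba_source)
    return bool(roles["alloc"] and roles["exec"])

# Constructed sample: declarations only, some parameter lists shortened.
SAMPLE = '''\
' Declare Function CreateThread Lib "kernel32" (commented out)
Private Declare PtrSafe Function GetBuf Lib "kernel32.dll" _
    Alias "VirtualAlloc" (ByVal a As LongPtr, ByVal s As Long, _
    ByVal t As Long, ByVal p As Long) As LongPtr
Private Declare Sub CopyMem Lib "kernel32" Alias "RtlMoveMemory" _
    (ByVal d As LongPtr, ByRef s As Any, ByVal n As Long)
Declare Function Run Lib "KERNEL32" Alias "CreateThread" (ByVal x As Long) As Long
'''
```

Run it over macro source extracted from a workbook; a hit is a triage signal, since legitimate macros also declare Win32 imports.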