Microsoft Office documents can contain macros, script snippets that normally extend document functionality but can also be used maliciously, for example to launch a reverse shell. Microsoft has lately relaxed the restriction on untrusted macros. See VBA for macro syntax.
Auto-run Macros
Macros do not run on their own, but a macro can be made to execute automatically when the document is opened by naming it AutoOpen or Document_Open.
Reverse Shells
See: reverse shell
Generate via msfvenom
See: msfvenom
Generate from existing PowerShell payload
VBA has a 50-character limit for string literals, so use a Python script to split an existing PowerShell payload into pieces that fit.
The above script produces the following VBA script:
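From the defender's side, the two things described above (an auto-run entry point and a long payload string split into many concatenated literals) are exactly what a macro triage script looks for. The following is an added example, not code from the page or any tool it mentions; it does from scratch the kind of keyword and entry-point check that oletools' olevba performs. The VBA source is a constructed sample (the base64-looking blob is repeated filler), and the set of auto-exec names beyond AutoOpen and Document_Open, the suspicious-keyword list and the chain threshold are assumptions chosen for illustration.

```python
import re

# Entry-point names Word runs on its own once macros are allowed. AutoOpen and
# Document_Open are the two the page names; the others are the remaining
# documented Word/Excel auto-exec names (assumed list, extend as needed).
AUTO_EXEC_NAMES = {
    "autoopen", "document_open", "autoexec", "autonew", "document_new",
    "autoclose", "document_close", "auto_open", "workbook_open",
}

# Keywords that, next to an auto-exec entry point, usually mean the macro is
# starting something outside the document (assumed, illustrative list).
SUSPICIOUS_RE = re.compile(
    r"\b(Shell|CreateObject|WScript\.Shell|powershell|cmd\.exe|URLDownloadToFile)\b",
    re.IGNORECASE,
)
PROC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)",
    re.IGNORECASE | re.MULTILINE,
)
# A VBA string literal; an embedded quote is written as "".
STRING_LITERAL_RE = re.compile(r'"(?:[^"]|"")*"')

# Constructed sample: auto-exec entry point plus a payload split across
# several literals joined with "&" and line continuations.
SAMPLE_VBA = '''Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    Dim cmd As String
    cmd = "powershell -enc " & _
          "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB" & _
          "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB" & _
          "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB" & _
          "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
    Shell cmd, vbHide
End Sub

Sub Helper()
    MsgBox "hello"
End Sub
'''


def logical_lines(source: str) -> list:
    """Join VBA continuation lines (trailing ' _') so a split string is one statement."""
    joined = re.sub(r"[ \t]+_[ \t]*\r?\n[ \t]*", " ", source)
    return joined.splitlines()


def scan_vba(source: str) -> dict:
    """Summarise auto-exec entry points, suspicious keywords and string splitting."""
    procs = PROC_RE.findall(source)
    auto_exec = [p for p in procs if p.lower() in AUTO_EXEC_NAMES]
    calls = sorted({m.lower() for m in SUSPICIOUS_RE.findall(source)})
    max_chain = 0
    for line in logical_lines(source):
        if "&" not in line:
            continue
        # Number of literals concatenated in one statement: the longer the
        # chain, the more likely a payload was chunked to fit the literal limit.
        max_chain = max(max_chain, len(STRING_LITERAL_RE.findall(line)))
    return {"auto_exec": auto_exec, "suspicious_calls": calls, "max_concat_chain": max_chain}


def is_suspicious(report: dict, chain_threshold: int = 4) -> bool:
    """An auto-exec entry point paired with an external call or a long split string."""
    return bool(report["auto_exec"]) and (
        bool(report["suspicious_calls"]) or report["max_concat_chain"] >= chain_threshold
    )


if __name__ == "__main__":
    report = scan_vba(SAMPLE_VBA)
    print(report)
    print("suspicious:", is_suspicious(report))
```

The scanner works on extracted VBA text; in practice the source is pulled out of the document first (olevba does that for both the OLE2 .doc and the OOXML .docm containers). A benign template that merely defines `AutoOpen` without any of the keywords or a long chain is not flagged, which keeps the check usable as a first-pass filter rather than a blocklist.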
Delivering the Macro
A macro must be saved in either a .doc file (old Word document format) or a .docm file (macro-enabled document format), since the .docx format cannot store macros. It can also be saved in a .dotm (Word template file), and the macro will then be available to any document linked to that template as long as the .dotm file is reachable at the embedded URL.
Here are some email templates for sending within OWA.
OPSEC warning!
Make sure to remove all PII metadata from the document before delivery. To do so, go to File > Info > Check for Issues > Inspect Document. After clicking Inspect, click Remove All next to "Document Properties and Personal Information."
Serve file with OneDrive
Recommendation: Use services such as OneDrive to deliver the document for more authenticity.