Creating Malicious Macros

Macros are functions that can be embedded in Microsoft documents. Often, macros are used to link documents or to programmatically accomplish a task within the document. Macros are written in Visual Basic for Applications (VBA) and can be used to access ActiveX objects and WScript.




Macros can be super handy for complex documents and attackers. In this blog post, we will create our own macro that allows us to run commands on our target machine.



First, let’s create our first macro. We will start by opening Microsoft Word. Select “View” -> “Macros” and click “Create”.







We will name our macro “HelloMacro”.





Sub HelloMacro()
' HelloMacro
End Sub

We can use the CreateObject function and the WScript.Shell Run method to invoke the calc executable. We want our macro to run automagically as soon as the user opens our document. To accomplish this, we will use the AutoOpen function. We can also make sure our macro runs every time the document is reopened by leveraging the Document_Open function.

So now our macro looks like this:


[Screenshot: macro.png]


If we use the default document format (.docx), our macro will not run. We must save our document as a .docm or an older document type, such as Word 97-2003 Document (*.doc).
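Because only the macro-capable formats named above can carry the macro, a defender can triage an attachment by its contents rather than its file name. The check below is an added example, not part of the original post; the function names `classify_office_file` and `build_sample` and the sample bytes are constructed for illustration.

```python
import io
import zipfile

# Header of the OLE2 compound file container used by Word 97-2003 (.doc).
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
DOCM_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
DOCX_TYPE = ("application/vnd.openxmlformats-officedocument."
             "wordprocessingml.document.main+xml")


def classify_office_file(data: bytes) -> str:
    """Classify by content: ole2-legacy, ooxml-macro, ooxml-no-macro, unknown."""
    if data.startswith(OLE2_MAGIC):
        # Legacy container: may hold VBA, so it needs deeper inspection.
        return "ole2-legacy"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "unknown"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return "unknown"  # a ZIP archive, but not an OOXML package
        types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    # A VBA project part or a macro-enabled content type marks a .docm-style file.
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    if has_vba_part or "macroEnabled" in types:
        return "ooxml-macro"
    return "ooxml-no-macro"


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal package for the demo; not a real Word document."""
    main_type = DOCM_TYPE if with_vba else DOCX_TYPE
    override = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", f"<Types>{override}</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes only: this part contains no VBA code.
            zf.writestr("word/vbaProject.bin", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(classify_office_file(build_sample(True)))
    print(classify_office_file(build_sample(False)))
    print(classify_office_file(OLE2_MAGIC + b"\x00" * 504))
```

An `ole2-legacy` result only says the container can hold macros; a tool such as olevba from oletools can then extract the VBA source for review.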




Before we save our document we want to be sure to remove any metadata that may tell the victim anything about the macro author (us). To do this we need to inspect our document.






On the left of “Inspect Document”, click on “Check for Issues”, then select “Inspect Document” in the dropdown menu.



Make sure the proper boxes are selected and hit inspect.



Once the inspection results come back, we can remove any metadata that contains personal information.



Notice the properties on the right were removed.





Now we can save our document. I will save this document as HellMacro.docm. Let's open this document and see what happens.





In order for our macro to run, we will likely need to click "Enable Content". Now, boom, we see our macro ran and opened a calculator prompt on the victim machine.



Summary


Today, we learned how to create a Microsoft macro that can be used to run arbitrary commands. Macros are commonly leveraged by adversaries and red teams in phishing campaigns. Malicious macros embedded in documents can be dangerous because they can be leveraged to install malware on your machine and grant attackers initial access to your network. Think twice before downloading attachments you were not expecting.
