[Repost] Malicious VBA Macro’s: Trials and Tribulations
2021-1-22 06:46 1805


Malicious VBA Macro’s: Trials and Tribulations

Introduction

Over this past winter break, I wanted to go back to learning more about malicious Word/Excel Macros and what the potential is there. I made a blog post over a year ago where I talked about a technique I haven’t seen used very often involving linking a remote VBA template to a Word doc, which was then downloaded and run only when the document is open. In that same blog post, I also added a self-deletion technique, making it harder for the blue team to run forensics on the malicious doc. In this post, I’ll be talking about other techniques I’ve learned, including calling Windows API functions, and I’ll be discussing my (somewhat) failed attempt to write VBA that dumps the LSASS process, but also my successful attempt at writing a reverse shell completely in VBA (no shellcode injection or dropping exe’s).

https://john-woodman.com/research/malicious-vba-macros-trials-tribulations/



Latest replies (2)
2DCoXrq 2021-1-22 18:30

Local archive of the web page

Uploaded attachments:
linhanshi 2021-1-22 18:32
FleTime Local archive of the web page