Manage Office document with macro #335

Open
fraf0 opened this issue Sep 26, 2016 · 2 comments

fraf0 commented Sep 26, 2016

Hi,

I would like to be able to send Office documents (Word, Excel) with macros in a simulated phishing campaign. To be able to follow the user's actions, the macro must include the user ID.

If I do it "by hand", I'll do it like this:

  • Create a word document with the macro, including "_usrid" at the user id place.
  • Manipulate the document to replace _usrid by the true one
    • With 97-2003 file type : Just replace the string in binary mode
    • With 2007+ file type : Uncompress the file, modify the content and regenerate an office file
  • Attach the good file to each email (by user id)

In Phishing Frenzy framework, I see two ways :

  • Generate the document outside the framework and reference the attachment by the userid
    or
  • Be able to manipulate the office document directly into the framework, based on a template

Technical details :

VBA Macro :

Private Sub Document_Open()
    Dim HttpReq As Object
    Set HttpReq = CreateObject("MSXML2.XMLHTTP")
    HttpReq.Open "GET", "http://requestb.in/xvdaudxv?usrid=__usrid_", False
    HttpReq.send
    XmlHttpRequest = HttpReq.responseText
    MsgBox HttpReq.responseText + Str(HttpReq.Status)
End Sub

  • 97-2003 file type

for i in AFWTTLFQ JCJGQZVF
  do
    sed -e "s/__usrid_/${i}/" Coucou.doc > Coucou_${i}.doc
  done

  • 2007+ file type

for i in AFWTTLFQ JCJGQZVF
  do
    mkdir ${i}
    cd ${i}
    7z x ../Coucou.docm
    sed -i -e "s/__usrid_/${i}/" word/vbaProject.bin
    zip -r ../Coucou_${i}.docm *
    cd ..
    rm -rf ${i}
  done

The zip manipulation transforms the Office document into an OOXML file according to file:

file Coucou*
  Coucou_AFWTTLFQ.docm: Microsoft OOXML
  Coucou.docm:          Microsoft Word 2007+
  Coucou_JCJGQZVF.docm: Microsoft OOXML

But Word opens it without any problem.

Regards,
fraf

RatedRR commented Apr 11, 2017

Hi, @fraf0 is this just an idea, or does it actually work?

fraf0 commented Apr 21, 2017

Hi,
It works, but it is not integrated into Phishing Frenzy.
In addition to my first post, you must deal with Unicode, for example:

# Build the replacement as literal "\x00"-prefixed text. The group needs \( \) in basic
# regex, and the backslash is doubled because $(...) would drop raw NUL bytes.
usrid_uni=$(echo -n ${usrid} | sed -e 's/\(.\)/\\x00\1/g')
sed -i -e "s/usrid_________________________________/${usrid}/g" "by_usrid/${usrid}/doc.doc"
sed -i -e "s/\x00_\x00u\x00s\x00r\x00i\x00d\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_/${usrid_uni}/g" "by_usrid/${usrid}/doc.doc"

It would be even better to use iconv -t unicodebig instead of sed to generate the Unicode format :)
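
For reviewing or triaging a document built this way, the sketch below (an added example, not code from the thread or from Phishing Frenzy) lists the URLs stored in a file's macro storage, in both the one-byte-per-character form and the NUL-interleaved form the comments above describe, together with their query parameters. It assumes, as the thread's sed replacement does, that the string is stored literally; the host tracker.example, the function names and the sample bytes are constructed.

```python
import io
import re
import zipfile
from urllib.parse import parse_qsl, urlsplit

# Printable runs stored one byte per character, and the same text with a NUL
# between characters (the form the second comment patches with \x00).
RUNS = {
    "ascii": re.compile(rb"[\x21-\x7e]{8,}"),
    "utf-16": re.compile(rb"[\x21-\x7e](?:\x00[\x21-\x7e]){7,}"),
}
URL = re.compile(r"https?://[^\"'<>]+")


def macro_blobs(data):
    """Return {part: bytes}: vbaProject.bin parts of a 2007+ file, else the raw file."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return {n: z.read(n) for n in z.namelist() if n.endswith("vbaProject.bin")}
    return {"<raw file>": data}


def find_urls(data):
    """List (part, encoding, url, query params) for every literal URL found."""
    hits = []
    for part, blob in macro_blobs(data).items():
        for enc, rx in RUNS.items():
            for run in rx.finditer(blob):
                text = run.group().replace(b"\x00", b"").decode("ascii")
                for m in URL.finditer(text):
                    query = dict(parse_qsl(urlsplit(m.group()).query))
                    hits.append((part, enc, m.group(), query))
    return hits


def build_sample():
    """Constructed sample: a zip holding a fake word/vbaProject.bin, plus that blob."""
    url = '"http://tracker.example/c?usrid=AFWTTLFQ"'
    blob = (b"\x01\x02" + b'HttpReq.Open "GET", ' + url.encode("ascii")
            + b"\xff\xfe\x01" + url.encode("utf-16-be") + b"\xff")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaProject.bin", blob)
    return buf.getvalue(), blob


if __name__ == "__main__":
    docm, raw = build_sample()
    for hit in find_urls(docm) + find_urls(raw):
        print(hit)
```

A URL that appears in only one of the two encodings, or a query value that still reads as the placeholder, points to a replacement that missed one copy of the string.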
