
Dangers of .doc – MS Word Documents

Microsoft Office Word documents have “macro” functionality, which is implemented in the Visual Basic for Applications (VBA) programming language. VBA is nearly the same as Visual Basic; the main difference is that VB compiles to an executable and VBA needs a document as a carrier.

In my previous article, I analyzed .svg images for spreading malware. SVG images used embedded JavaScript, which runs in a browser, and that poses some restrictions. VBA, on the other hand, runs as an executable and thus has more permissions.

Some social engineering is needed to get the victim to click ‘Enable Content’, but I don’t think that’s difficult. That button loads and starts the scripts, so clicking ‘Enable Content’ is enough for malware to get installed. Very often the social engineering trick is to use Microsoft’s generic prompt: Enable macros to view content.

Visual Basic is a powerful programming language; I’ve seen Remote Administrator Tools written in Visual Basic. However, adding such malware to a document would greatly increase its size. Also, detaching from the document carrier is preferable because of some restrictions. Therefore, downloaders are more suitable for attackers. Additionally, the payload can be changed at any time because that is done on the server side.

Simple pranks for demonstration

This is how you view and record macros: open a document -> View -> Macros.

If we choose to record a macro, we have the option to assign the macro to a Button or the Keyboard.

But we’re going to choose the AutoOpen() option, so we don’t need that: our script can execute as soon as macros are enabled. For example, this script opens a calculator upon opening the document. It will ask for permission (Enable Content) only the first time it executes:

We can add an infinite loop to make the script constantly keep opening new calculators to clog o:

It will stop when the document is closed, but we can detach from the document. This script creates and starts forkbomb.bat, a Windows batch script that executes some terminal commands. Forkbomb.bat starts 2 copies of itself. Both of those do the same thing, resulting in exponential growth which completely depletes the computer’s resources:

The computer becomes unusable, and a forced restart is necessary to kill it. Something like this is expected:

The script can be extended to run when the PC is started, clogging the victim’s PC once again. Safe boot would be the solution then.

VBA download and execute file upon opening

Thanks to malmoe for his share – A short VBA macro to download and execute a file.

The simple script downloads and executes a file just by enabling content on a document.

Malmoe used Shell("file.exe"), which causes a permission error on my Windows 10 MS Word 2010. However, if I use this workaround from my fork bomb

…downloaded program executes normally.

Conclusion

Word macros are slightly restricted Visual Basic executables. With some sneakiness, they can be used to compromise a system by downloading and executing a ‘real’ .exe. Macros are as dangerous as executables!
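
The same behaviour seen from the defender's side, as an added example that is not part of the original article: a static triage of macro source that has already been extracted from a document (for instance with oletools' olevba). The indicator groups, verdict labels and sample macros are constructed for illustration; the second sample is a deliberately incomplete fragment.

```python
import re

# Procedure names Word runs by itself when a document is opened with macros enabled.
AUTO_EXEC = re.compile(
    r"^\s*(?:(?:public|private)\s+)?sub\s+(auto_?open|autoexec|document_open)\b",
    re.I | re.M)
# Capabilities the article relies on: start a process, fetch a file, write a file.
INDICATORS = {
    "process_start": re.compile(r"\bshell\b|shellexecute", re.I),
    "network_fetch": re.compile(r"urldownloadtofile|xmlhttp|winhttp", re.I),
    "file_write": re.compile(
        r"adodb\.stream|savetofile|\bopen\s+.+\s+for\s+(?:output|binary)", re.I),
}

def strip_comments(src):
    """Drop VBA comments (' and Rem) without cutting apostrophes inside strings."""
    out = []
    for line in src.splitlines():
        in_str = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_str = not in_str          # "" inside a string toggles twice
            elif ch == "'" and not in_str:
                line = line[:i]              # rest of the line is a comment
                break
        out.append("" if re.match(r"\s*rem\b", line, re.I) else line)
    return "\n".join(out)

def triage(src):
    """Return auto-run entry points, capability hits and a coarse verdict."""
    code = strip_comments(src)
    entry = sorted({m.group(1).lower() for m in AUTO_EXEC.finditer(code)})
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(code))
    both = {"network_fetch", "process_start"} <= set(hits)
    verdict = ("downloader" if entry and both else "suspicious" if entry and hits
               else "review" if entry or hits else "clean")
    return {"auto_exec": entry, "indicators": hits, "verdict": verdict}

# Constructed samples (not from the article); FETCH is a non-working fragment.
CALC = 'Sub AutoOpen()\n    Shell "calc.exe"\nEnd Sub\n'
FETCH = ('Private Sub Document_Open()\n'
         '    Set req = CreateObject("MSXML2.XMLHTTP")  \' fetch step elided\n'
         '    Shell droppedPath\nEnd Sub\n')
BENIGN = ('Sub FormatTable()\n    \' Shell is never called here\n'
          '    MsgBox "Don\'t panic"\n    Selection.Font.Bold = True\nEnd Sub\n')

if __name__ == "__main__":
    for name, src in (("calc", CALC), ("fetch", FETCH), ("benign", BENIGN)):
        print(name, triage(src))
```

Keyword matching of this kind is a first-pass filter only: obfuscated macros that build these names at run time will not match, so a document with any auto-run entry point still deserves a closer look.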
