Office doc add in - Online CS
2022-07-06 06:36:00 【zxl2605】
Principle
When the document is opened, Word directly loads and uses a remote malicious template that contains macros.
- Shortcoming
The network speed of the target host determines how fast the remote template loads. The file may open very slowly (for example, when the remote template is hosted on GitHub), and the victim may force-close the file while Word is still opening it.
- Advantage
Because the template is loaded remotely, the antivirus-evasion effect is very good. It is basically not blocked by antivirus software.
Implementation
Step 1: Create a malicious template and confirm that it comes online
Here we use a CS macro Trojan as the example.
After obtaining the malicious VB code, open Word, right-click an empty area of the toolbar, and click Customize Ribbon.
Check the Developer option.
The Developer tab will now appear.
Click Visual Basic and copy the malicious code to the designated location in the project, as shown in the figure below.
Then close the code window and save this Word file as a dotm template file.
At this point you can test whether the template comes online. Open the template file by right-clicking it: double-clicking does not open the template file itself, because by default double-clicking a template creates a new file based on that template. Keep this in mind.
Click Enable Content and the host comes online.
Testing is complete.
Step 2: Create a docx file that remotely loads the malicious macro template
1. Upload the malicious file to the server
First, upload the template file containing the malicious code that was just made to the server. GitHub is used for this experiment. Click the uploaded malicious file, shown in the figure below.
You will enter the following page.
Copy this page's URL
and append ?raw=true to it. The final result is as follows; save this line, it will be used later: https://github.com/shanfenglan/test/blob/master/Doc1.dotm?raw=true
2. Load the malicious file from the server
Open Word, double-click any template to use it, then save the document to any path without changing anything.
Rename the file, changing its extension to zip.
Unzip it.
Go into the _rels folder under the word folder and find the settings.xml.rels file.
Edit this file and change the value of its Target attribute to the URL above, that is,
https://github.com/shanfenglan/test/blob/master/Doc1.dotm?raw=true, then save and exit.
Next, compress the files that were just extracted and change the archive's extension to docx.
Result
Double-click the 1.docx file directly.
It will look like this after opening. Ignore it, just click OK, then click Enable Content.
The Trojan is found to be online.
Then upload this file to VirusTotal for scanning. Only two vendors' antivirus engines flagged it as a virus.
So the experiment is over.
Summary
As everyone knows, docx files cannot execute macro code, so the recipient easily lowers their guard when sent a docx file, which improves the attack's success rate.
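Because the docx itself carries no macro, the artifact a defender can inspect is the attached-template relationship in word/_rels/settings.xml.rels described above. The following check is an added example, not code from the original post: it reads that part from a docx and reports template targets that point to a remote host. The function names, the size cap and the sample URLs are assumptions, and the sample documents are constructed inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_PATH = "word/_rels/settings.xml.rels"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
MAX_RELS_BYTES = 1_000_000  # assumed cap; a real rels part is a few hundred bytes


def find_remote_templates(docx_bytes):
    """Return Targets of attachedTemplate relationships that point to a remote host."""
    try:
        with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
            if RELS_PATH not in zf.namelist():
                return []  # no settings relationships, so no attached template
            if zf.getinfo(RELS_PATH).file_size > MAX_RELS_BYTES:
                raise ValueError("settings.xml.rels is implausibly large")
            root = ET.fromstring(zf.read(RELS_PATH))
    except (zipfile.BadZipFile, ET.ParseError) as exc:
        raise ValueError("not a readable OOXML package") from exc
    hits = []
    for rel in root.iter(REL_NS + "Relationship"):
        target = rel.get("Target", "")
        is_template = rel.get("Type", "").endswith("/attachedTemplate")
        # Locally attached templates use file:///C:\... targets; http(s) and
        # UNC targets are the ones fetched over the network.
        is_remote = target.lower().startswith(("http://", "https://", "\\\\"))
        if is_template and is_remote:
            hits.append(target)
    return hits


def build_sample(target):
    """Constructed sample: a minimal zip that holds only the rels part."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/attachedTemplate" '
        f'Target="{target}" TargetMode="External"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(RELS_PATH, rels)
    return buf.getvalue()


if __name__ == "__main__":
    for t in ("https://example.invalid/Doc1.dotm", r"file:///C:\Templates\Report.dotx"):
        print(t, "->", find_remote_templates(build_sample(t)))
```

A mail gateway or triage script can call find_remote_templates on each docx attachment and quarantine any file that returns a non-empty list.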