Advanced MacroPack payloads: XLM Injection

How it is possible to inject and run Excel 4.0 macro in memory from a non Excel format payload (ex Word, HTA, Help files,...). How to generate using MacroPack Pro.

Article published on 18 September 2020
last modification on 22 November 2021

by Emeric Nasi

License : Copyright Emeric Nasi (@EmericNasi), some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
Creative Commons License

1. About

While developing MacroPack Community and Pro version I have been searching for nice existing or new ways to generate advanced payloads.
I have been working recently into integrating EXCEL 4.0 Macro (XLM) into MacroPack Pro.
XLM payloads are not something really original, however I managed to combine XLM macro with other mechanims to allow the usage of XLM macro from a non Excel file.
Let met show you how to run XLM from Word, PowerPoint, HTA, or even shortcuts and non VB based files.

I call this technique XLM injection.

Note: In this post I explain some XLM injection mechanism but I will not provide the generator source code since its features of MacroPack Pro which is a commercial tool for redteams legal use only.

2. Some prerequisits

To understand how we can inject XLM we need first to understand other mechanisms not related to XLM which allows to inject regular VBA from non VBA capable file types.

2.1 Excel Injection

I call Excel injection the mecanism happening when a non Excel payload opens Excel in the background via the Excel.Application COM object and inject VBA code inside it.
The payload will then run it from the background Excel application. It can be pratical if you need to call win32 functions from vbscript, it also bypasses AMSI.

This mechanism is included in MacroPack Pro, it is accessible via any payload able to run VBA or VBS code.
For example, the video below shows how to generate an HTA payload able to run a shellcode via Excel injection, in this case a Meterpreter shellcode.

Here is the command line used to generate this payload:
echo meterx86.bin meterx64.bin | macro_pack.exe -t AUTOSHELLCODE  --run-in-excel -o -G samples\nicepic.hta

The drawback with this VBA injection inside Excel is that it requires access to Visual Basic Object Model to inject the VBA.
Since this access is disabled by default the payload has to set AccessVBOM registry key to 0 before injecting the code and set it back to 1 after.
This can leave some traces and could be prevented/detected.

2.2 HTA macro

Now we know how we can inject VBA code in Excel from another application, lets show how we can run VBscript code from any format which is able to execute a simple command line.
In MacroPack pro, this is achieved via HTA format property (it could also be done via powershell but HTA is more original).

This mechanism is described in a previous post (Hacking aroung HTA files) and is automated in MacroPack Pro.

For example, we can generate an LNK payload able to run a shellcode, in this video below a Meterpreter reverse TCP shellcode. HTA macro will first run HTA from inside the LNK file then HTA performs Excel injection.
Here is a video showing that:

This is the command line used to generate the payload:
echo meterx86.bin meterx64.bin | macro_pack.exe -t AUTOSHELLCODE -o --hta-macro --run-in-excel -G samples\my_shortcut.lnk

Note: You don’t need to combine Excel injection with HTA macro, HTA is already very powerful by itself. However HTA vbscript cannot be used to call Win32 api such as VirtualAlloc that are used by the shellcode injection template. This is why —run-in-excel is required to run MacroPack AUTOSHELLCODE template from a VBS/HTA based format.

2.3 Excel 4.0 (XLM) payloads

If you don’t know what XLM is, please read this previous post.

3. XLM Injection

3.1 Run XML from outside Excel

To run XML from Word, PowerPoint, or Visio I reuse the "inject in excel" principle but instead of injecting VBA I create an international macro sheet and inject macro into its cells.

Here are the steps to perform XLM injection:

  • Create an Excel.Application object
  • Add a Workbook
  • Add a macro sheet to this workbook
  • The content of the XLM cells which are stored in a VBA Dictionnary object are copied in the new Excel 4.0 macro sheet
  • Name the starting cell "Auto_open" which will make it the macro starting point.

To run the macro, the run() method from "Excel.Application" COM object is used.

Here is a the MacroPack command line to generate a word payload displaying a "Hello" message via XLM injection:
echo "MPPro" | macro_pack.exe -G _samples\hello.doc -t HELLO --xlm --run-in-excel

Look at the screenshot below, you see Excel running in background and displaying the window with "MPPro" message.

3.2 Run XLM from outside Office

Its as easy to generate an XLM injection payload from other VBS based formats.
MacroPack has a basic internal VBA to VBS translator so the feature also works with all VBS formats supported by MacroPack (such as .hta, .sct, .vbs, etc.)

Same command line as above but generating a vbs payload:
echo "MPPro" | macro_pack.exe -G _samples\hello.vbs -t HELLO --xlm --run-in-excel

3.2 Run XLM from non VBA/VBS formats

We can combine the "Run in Excel" and "HTA macro" concept to run XLM payloads from other formats such as shortcut (.lnk), help files (.chm), visual studio projects (.csproj), etc.

I uploaded a video to show how MacorPack Pro can be used to trojan Dbgview help file with a payload running a meterpreter shellcode via XLM injection

Here is what happens when DbgView.chm is opened in the video:

  • Command line is automatically run
  • Mshta is called to trigger HTA macro inside Dbgview.chm
  • HTA script opens Excel.Application object in background and inject XLM code in memory
  • XLM macro is called in memory. It executes a shellcode injection routine
  • Meterpreter shellcode is ran in memory

Here is the command line used to generate the payload:
echo meterx86_no0.bin | macro_pack.exe -t SHELLCODE -o --hta-macro --run-in-excel --keep-alive --xlm -T samples\Dbgview.chm

4. Interresting things about XLM injection

4.1 Extremely low detection rate

I ran a few tests with installed version of some antimalware solutions to see if XLM injection is less of more detected than a classic VBA macro or a VBA Excel Injection.
There where 0 detection of those kind of payloads for the AV I tested.
The thing is, regular Excel with XLM payloads are already not really well detected, but in the case of XLM injection, the macro sheet only exist in memory and is never scanned by the AV.
Also since XLM are not yet covered by AMSI there is no easy mechanism to detect it in once its running in memory.

4.2 Less interaction with the system

The Excel 4.0 macro sheets are not prevented by restrictions such as those limiting VBOM access.
This means XLM injection does not require to tamper with registry leaving a lower footprint then regular Excel injection.

5. To sum up

Its always fun to dig into new ways to deliver a payload and its very interesting to combine technologies from different times in history.

Concerning technical details, I will not provide source code but do not hesitate to DM me on twitter (@EmericNasi) or email me at emeric.nasi[ at ] if you want to talk about this or if you want to know more about MacroPack Pro.

However before you contact me please be aware about the next statement:

MacroPack Pro shall be used only in the context of a redteam engagement, penetration testing, phishing simulation, or other form of security assessment with the lawful and formal authorization from the Target System owners. It is the User’s responsibility to obey all applicable local, state, federal and national laws.
Also please note that I will not answer to any anonymous inquiries concerning MacroPack Pro.