Offensive VBA 0x1 - Your First Macro

hey guys hack exploit here back again with another video and um you know this video as well as um other videos on the same subject we're going to be exploring um you know the process of developing uh VBA macros for you know red teaming or offensive security generally speaking and this as you know sprung up from one of the videos that I made regarding um the first phase of emulating finix where we UTI ized metlo module to automate the development of the word macro document that uh was to be used for initial access so this will be a longstanding series or you know it's essentially going to consist of more than one video and go beyond just creating you know documents or macro enabled documents for initial access so uh you know to begin with as the title suggests we're getting started with a very Basics and again for those of you who are familiar with this you know you can skip um this particular video in the next set of videos we'll be exploring you know various things so you know reverse shells um droppers creating uh VBA macro uh droppers if you will or utilizing Powershell um you know there's a there's quite a bit of stuff that we can do so this is going to be offensive gear however this particular video will not have any offensive uh connotation although I will highlight something towards the end so to begin with what is VBA well VBA stands for you know Visual Basic for applications um what is it is an interpreted programming language that was uh that's developed by Microsoft that essentially allows users uh who are using you know Microsoft Office to automate tasks um you know customize the functionality and of course enhance productivity within the Microsoft Office Suite of applications like um you know word excel PowerPoint um so that begs the question like with any programming language what is or what type of programming language is VBA well VBA is an interpreted language which means that uh the actual VBA code or your macro is executed line by line uh by the host application this will either be word or Excel um at runtime so there's no compilation or anything like that and uh you know this obviously differs from um you know the compil languages where the code is uh translated into machine code by compiler before the actual execution um there's some other characteristics um that I think are important for you to know one uh you know one being the um the fact that VBA also supports elements of um object-oriented programming so that's why you'll see stuff like objects properties methods and events which uh you know at the end of the day allow you to write modular and reusable code uh this will become apparent because you know when we'll be doing things like uh calling functions or sub routines and stuff like this you know it pretty much follows the objectoriented uh model and uh yeah so you know a few more things you need to know about it you know what is it used for typically right I'm not saying from an offensive perspective but uh it is generally widely used for automating as I mentioned repetitive tasks you know creating custom tools uh analyzing data it's very it's actually used quite a bit there and building automation so if you've ever used an automated spreadsheet uh to do your you know tax calculations then you know macros were used there um so that now takes us or brings us to the actual syntax and uh usage um as well as the development environment so uh the great thing about VBA is it's very similar to other programming or scripting languages like Visual Basic and basic itself and uh pretty much utilizes a combination of keywords operators variables and uh control structures now for the development environment you may not know this if you have uh pretty much office installed on your computer uh each Office application that supports macros contains a built-in VBA integrated development environment or an IDE that can be used to write edit debug and run VBA code or macros as we're going to call them so that then begs the question what on Earth is a macro leave alone a VBA macro well in the context of VBA macros are small pieces of code or scripts written in VBA that can be used for Automation in conjunction with the office suite of program so simply put a macro is VBA code that's embedded in an office document now before we actually get into you know uh writing some VBA code I need to give you some history um of VBA or macros as it were uh in relation to you know uh the office suite of uh tools or programs so the uh VBA or

macro functionality was introduced a while back you know in the '90s um and uh in the late 90s it uh began being uh you know you started seeing or Microsoft themselves started seeing that it was actually being abused and the reason it was being abused primarily was because you know in those days the office um office file macros or office macros were automatically executed when you opened the document or the worksheet by default so there was no prompt that prompted the user to enable um or to run the macros which was you know in hindsight looks like a pretty dangerous thing but obviously they had to learn that um now as of Office 2003 I believe uh this default execution of macros was changed or disabled and as a result of that mcro enabled documents would uh you know inform users or prompt users uh or you know it'll firstly tell them that hey this is a macro enabled document but then would require them to manually execute the macros essentially um you know taking the liability or responsibility away from um from office or Microsoft themselves in other words what they were telling users is we'll tell you that this is a macro enabled document uh execution of the macros is entirely your uh responsibility now in Microsoft uh Office 2007 they expanded on macro security by creating a new set of file formats uh that prevented macros from being embedded in the default file format on the or the new default file format so in 2007 or the release of that particular uh version of office they created the docx the new docx uh file format which does not allow the embedding of macros so prior to that you had um your DOC format and then your doc M docm was the you know macro enabled uh file format or extension um and then after 2007 or the release of Office 2007 you had doc x uh and of course this applies to all other office suite of program so if it's Excel it would be uh instead of excels XLS it would be xlsx right um so now you have docx which is you know standard compressed document format you havex which is a compressed template format if you're creating a word template you then have docm which is the macro enabled document uh format um and then M which is a compressed um uh template format andm and docm are the only file formats at least in the case of word uh that allow or permit macros um you know in terms of them being embedded in the document so one final thing I need to just point out here and I know this is quite a lengthy intro section is that the extension or format plays it really does not play any role in the validation process and this is because data validation is performed prior to opening an office file regardless of what file it is so office performs data validation through uh the data structure identification or through data structure identification against the um I believe uh what's it called the office open XML standard and this validation this uh this data structure um validation or data validation is handled via the WWI lib uh dll um file or you know the actual dll and uh you know final thing I need to mention which I think is quite important a lot of people don't get this but changing documents that have the docm extension so let's say you created a fishing uh document that of course has the docm extension if you change it to something like dockx yeah the you know the macros will pretty much be stripped so you know that's uh not a reliable uh um strategy and that's why you know as we progress in in this particular series as well as the other resource development series um you know in this one we'll be exploring ActiveX and stuff like this so that brings us to the Practical section so I'm currently on a Windows 10 system doesn't matter as long as you have U you know a system at least a Windows system that has office installed you should be good to go we're not going to do anything malicious right now but if you want to follow along you can um so let's get started with the basics I'm just going to close uh word here and uh we're going to use word in this case you know we'll we we'll obviously explore uh Excel and stuff like that there really isn't um any difference or not much of a difference but to get started you want to open up office and um this is I believe office 2016 which should work pretty much any version from 2007 would work just the same although VBA has different versions but again I don't want this video to take to long so first things first you

need to go into options go into customize ribbon and make sure the developer tab is enabled because that allows you for uh allows you to quickly access um you know macros um or the actual IDE the VBA ID which you can actually access via keyboard shortcut uh you then want to go into your trust Center and again uh if you're doing this on a um on your actual daily driver make sure to disable this I would highly recommend you do this within a Windows um virtual machine because uh we're going to be clicking on enable all macros now again this is dangerous but we're you know this is a testing environment and we want our documents to execute them without uh you know any of these notices right over here so you know disable ma all macros with the notification that's when you get uh the enable content or um enable macros Banner at the top of the document but we want to disable that for now so once you've done that just hit okay and now I'm going to create a new document and I'm going to save it as um I'll go and save it onto my desktop here and I'm just going to call it um uh we we'll just call it uh doc one but now instead of Doc X remember we want to go for the macro Ena document format which is Doc M you can see the old document format was Doc 200 Office 2007 comes along and we have docx um which you know is uh you know that does not allow for macros but you know there can be interesting stuff done with this one here but I'll get to that um anyway docm save it and uh now you know for those of you are familiar with macros you you've worked with them before you know that you head over into the developer tab and you click on Macros uh you can also access the IDE by using the old f11 keyboard shortcut which will take you into the actual IDE um but we want to go into macros and now we have the ability to you know create a macro uh but we want to specify the you know the macros in this current document so we don't want to create Global macros um so we now provide it with a name and I'm just going to call this basic you know very simple or you know uh we'll call it basic um VBA something like this and we click on create okay so that'll take you directly into the IDE um now uh you know getting started there's a there's something you need to I want to explain the structure of the this particular ID so uh right over here um you have your code window right uh so this is where you write your macro and then on the left you have your project Explorer so firstly you have the normal um the normal project which applies to this is essentially you know Global configuration or macros if you will but then you have this project which applies to the document that you're currently working on and under modules uh this is where you put your Macros so what is a VBA module well u a module is in VBA is essentially a just think of it as a container that holds your code uh and this will of course include procedures um which are essentially sub routines um and functions uh you know variables uh pretty much your macro you know they'll be held in a module you can have more than one module um or you can have a single one doesn't really matter so um over here we have one um called uh new macros you can see and uh we already have a declaration uh a sub routine uh declaration here called basic VBA which we created so that's referring to that particular macro uh you can also insert new modules by right clicking on modules and then saying insert you can insert a module or class module so this is where the objectoriented aspect of VBA comes into play but we'll not do that for now so first things first you can see uh that it presents us with a basic boiler plate here and I'm just going to increase my font size so you can see this a little bit better just give me a second all right so there we are um just increased it to the max you can change this by going into tools options and then uh the editor format where you can change the font size the foreground um color background indicator etc for you know various aspects of the actual editor here so the normal text selection text Etc so you know uh if you wanted to make it a dark theme you can do that as well so um right over here we're presented with two key aspects of the syntax so you have sub routines which are defined using the sub keyword and then the name of the sub routine um so what is a sub routine is a block of code that you know it operates very similar to a function if you've you know if you've programmed before however there's one key distinction and that is that it performs a task but does not return a

value or you know does not allow for returning of values um you can also call them directly by name uh you know in another sub routine and they're typically as I said used to perform action so if we want to do something you use a sub routine now if you want to do something but you know require the ability to return a value then you would use a function and we'll get to that shortly so first things first you can see uh we also have comments here so comments are denoted using the single quote so if I wanted to you know type in a comment I could say this is a comment you know something like this and that uh you know is a comment but we don't need that right now and you can see in terms of the syntax when you start a sub routine you also have to end it to you know essentially uh tell um uh The Interpreter you know when uh it starts and when it ends obviously um and uh yeah so this is what we have um and uh you know for example just to show you what we can do um we can use a message box and uh I'll expand on this but we can just say you know this is a message right or this is a uh sub routine in VBA and that will use the message box functionality so we can now save and you can use uh F5 to run or f8 to debug so if I hit um you know f8 on my keyboard uh I can then step through um you know uh and I can set break points if I want but we can just run it and you can see this is what the macro does um right over here just you know brings up a message box and prints out the text there so this is you know uh sub routines and uh comments as well as the message box functionality if you will um so let's talk a little bit about functions right cuz I mentioned them um so functions again work exactly the same as uh logically speaking as a sub routine would however the only difference is that they return a value to the caller um so um the advantage of this is fairly obvious you know given the fact that they return a value functions can be used in expressions or assigned to variables so for example uh I'm going to create uh will you'll just call this basic VBA here we'll get rid of that so we have a sub routine there we're then going to create a function you create a function using the function keyword so function and then the name of the function in this case we're going to say add numbers and then we're going to you know um pass in uh you know we're going to specify the actual values to be returned so we're going to say a as um integer so this is how again we're not we've not yet got to uh variables but I'm just going to declare them here so a as integer um b as integer so we're just going to add two numbers this is a example I always use and then the type is as integer right and then you can see the ID automatically uh formats that for you or uh you have completion there um so what we're going to do now is we're going to just say um add numbers and that's going to be equal to the expression a plus b all right so now uh you can see you know this function allows for values to be passed uh into it and then um that function is ended there now in the sub routine here we can say uh dim result so we'll just create a new variable you create variables using the dim keyword and uh the type is specified like so um as integer the data type and then we say uh result so the variable result is going to be equal to and then we call add numbers and then we pass in the values we would like to add so I can say 10 and 30 or 10 and 40 right something like this and then we can say uh message box uh we can use the message box right of here and syntax is very important or the case um and we can then say um you know the sum is and we can then concatenate you know very similar to other languages so we'll say result and now we can include or we can start to add some color to the message box but before we do that let's just save it and I'm going to run it now so it's going to ask us for the macro we want to execute so we'll just hit run and you can see the sum is 50 now what if we wanted to change the message box title or heading here to something else well in order to do that we can specify a few more parameters here um where we essentially Define the message box so we can uh call upon VB information uh and then specify what we want as the title so we can just call this uh adding numbers something like

this and then uh we can hit run and there we are you can now see the title um is now you know adding numbers and we get that there so um obviously now this brings us to the whole point uh of uh the sub routine execution and uh calling sub routines so um you know we can have more than one sub routine or function and the question is how do we call them so what I'm going to do now is uh let me get rid of that and we're going to delete this function right over here so still under the sub routine uh basic uh VBA so let me create another one um I'm just going to call this sub uh or we can just change the name here uh hold on a second let me get rid of that uh we can just change this to uh let's call it uh first uh procedure something like this and uh then we're going to create another one so subc procedure um and I'll explain a little bit more about the execution of macros um and then we can you know utilize a message box here to say second procedure was called all right and uh in here to call it we have to say call second procedure if there were any uh values you know we would specify them but these are not functions so we hit run and you can see the second procedure was called now if we don't call and we hit run you can see nothing happens and um I'll explain why this happens um and uh the the best place to start is to mention that VBA does not have like you know in other programming languages the main function or you know procedure and uh what that means is that execution must start or will start from a either a call to a procedure like we did here uh either manually you know um via the immediate window or through a button uh and of course this is limited just to VBA or through event handlers and I'll speak about the event handler that is typically used by Red teamers uh or at least in the context of malicious macros to essentially get the macro to execute when the document is opened uh of course you know if the target has a macro security enabled they will still you know be prompted with the yellow uh Ribbon or Banner at the top asking them explicitly as to whether or not they want to run the macros or enable macros so hopefully that makes sense now I don't want to get too bogged down into this at the moment cuz we'll be exploring this you in the next videos when we actually creating actual uh VBA macros for you know red teaming whatever uh but I want to talk a little bit about um variables cuz I sort of brushed over them but you know variables are fairly easy to understand and hopefully I can Breeze past this really quickly so um as I mentioned a couple of minutes ago um variables are declared using the dim keyword right so just simply like that now uh variables can be declared explicitly uh however that's really not recommended so that's what you see in something like python where you know I can create a variable one uh or you know in this case uh we can just call it my variable and I can say that's equals to 10 that's an um an implicit declaration uh which again pardon me if I said That explicit declaration is um is not recommended it's implicit uh declaration that is not recommended so this is um implicit declaration I'll just use a comment there and of course my syntax I'm so used to writing python uh I have to go back to my um my old uh one second what am I doing there I'm using uh one the single code so implicit actually you can my bad so there we yeah so anyway um I'm just going to uh that and uh there we go uh all right so that's implicit uh then of course you can have uh actually let me just call this VAR a um then you can have um explicit declaration which is the correct way so this is where you say um in this case did I indent correctly uh yes I did okay so this is where you

know you say dim um and then we can say variable B and then you specify the data type in this case it's going to be an integer we'll just you know as an example and then you can specify the value um or assign a value so I can say varb um is going to be equal to 20 right um fairly simple uh now you can also create local variables um you can create local variables or Global uh so if you want uh local variables local to a specific uh sub routine or function then uh you can you can essentially do that by saying um you know dim uh local I'll just create one here called local variable as string that's the other data type so I'll talk a little bit about data types but for now you know and then I say uh local VAR is going to be equal to and then a string value so I can say local variable okay so that's uh variables how to declare them and then of course if you're doing a global variable declaration um then you know you would uh essentially declare it uh at the top of a module so for example before I get into a procedure or sub routine I should say so you would say public um global uh global uh variable um as string okay and uh you can then assign it to the value so if you wanted uh or you can call it in here so for example I can say um Global variable is equal to Alexis um like so and then I can say message box um VB uh info and just say uh right over here global variable okay there we are so that's Global and then you know local uh as well uh so hopefully that makes sense um now for the data types you have the integer you have the long single double you can also do currency um then you have string Boolean very useful uh date uh and the objects uh now I'll get into objects in the next set of videos because they you know essentially relate to the features and functionality within office itself uh but now let's move on to some final set of examples around printing text or manipulating text if you will um and then we'll talk about user input and then finally some key uh event procedures in VBA like um Auto open and how they're used and you'll see the importance of that so uh let's you know talk a little bit about printing um or using the message box which I've already shown you so I've also shown you how to specify the message uh with a title but now let's say you know I want to uh I'll just create a new sub routine here and we'll just call it uh message uh with buttons okay and uh we'll create a variable call response as integer and then I'm going to say response is equal to um message box so user input so we can say do you want to continue uh something like this right and then uh we can then utilize VB yes no for you know to essentially provide us with a prompt there so VB yes no and then plus uh VB uh question um and then we just say confirmation that you'll see what this means shortly um and yeah don't think we need to include anything there hold on yeah single quote we want a double there okay and then we can say we can now you know explore um some control statements so you know for example if statements uh in this case we would need one it's very simple so we say response is equal to vbes uh then do the following if I can type correctly today so then and then we say message box um and you can use message box with um you know brackets here uh or without them it really doesn't matter so we can say you chose yes okay so something very stupid and simple like this and then else um you chose no all right uh and then to end the uh the if statement we say

and if this is uh required so now we run this and you can see do you want to continue we have two options yes or no that is why we utilized a VB yes no and then you know VB question um and we specified the title here which is confirmation so we say yes and then you chose yes very simple very powerful as you can see I don't think for those of you who are new to this did I'm pretty sure you didn't know just how powerful VBA is or you know the only constraint is that it's just limited uh to um The Office programs but that's why we have VBS anyway that's getting ahead of what I wanted to talk about so uh we can also you know utilize um you know a combination of icons and buttons so for example I'll just create a new sub routine here called uh we'll just call it uh Advanced message or something stupid like this um and in here we can say uh message box and uh we can say if I wanted an error or you know critical error I can say something went wrong or something to that effect and then we can say VB critical um and uh in terms of our options for the user and what they can then respond with we can say VB uh okay only I believe uh VB um let's see was it VB okay only yeah it was VB okay only um and this is not supposed to be another option uh my bad so VB okay only yeah I know that thank you very much um and then we just say error or something like this so we run it and you can see something went wrong so there's a lot of stuff you can do that you know utilizes windows or allows you to you know uh utilize uh the GUI or GUI elements now uh let's take a look at a few more cases or examples revolving around um you know user input so if I wanted to utilize an input box I could say um I'll create a new sub routine here called U input box um uh there we go and then in here we'll create a new variable called username and we'll say this is a string and then we say username variables need to have the correct name and then we can say input box and then in here we say you know what our message is so what is your name and then um user input uh and then we uh sorry my bad uh no we don't want that there so what is your name and then we want to uh close this there and we should be good now and then we can say message box um and we can say hello um let's see space and then concatenate uh username and um let's include an exclamation mark there as well all right so let's write try this here uh where are we getting input oh my bad input box we have the same name there so we can say input box uh example yeah go ahead run it and now you can see I can say my name is Alexis uh actually it should uh yeah made a mistake there my mistakes always so um morphus hello morphus so a lot of stuff you can do uh we've talked about control statements I think one more we can do is a loop I know this video is getting long but uh this will be the last time it does so we can say sub we'll go with the classic printing numbers example um for Loop here so we'll say dim I that's our counter is integer obviously and then we say four um I is equal to 1 uh to five so this is how you say the range and then we say uh message box we want to print it out and then we say a number uh and we just add the count there and then of course we need to um we actually need to switch or increment so we're going to say next I uh for our counter okay run this here number one number two number three number four number five there we are very simple okay uh few more things uh the auto run and um not auto run the auto open and the Open document event procedures so uh what I want to show you now is uh so

you can see that when we run this macro this is what you see right it displays this actually we probably want to get rid of this and just use a very simple message box and just say macro executed to tell us you know if the macro has been executed so we'll just keep it simple so I run this uh there we are macro executed okay so I've saved it let me close the editor and I'm going to save the document close it so what happens when I try and open up this document uh will the macro execute no it doesn't now if even if I went into options and I went into the trust Center and I said uh disable all macros with notification and I hit okay close this up and I open this up again you can see enable content but the macro doesn't run now why is this as well either as I mentioned earlier the you know a specific sub routine hasn't been called or and this is the really key thing we aren't using the auto open and open document event procedures that essentially allow us to when the macro is executed to automatically execute um to automatically execute uh to automatically execute a macro so we can actually utilize uh those predefined uh event procedures uh there's a correct way and an incorrect way so I'll just show you we're going to macros here again so print numbers edit so I can have this here and then um what I can do is at the top of the um of this module I can just say sub Auto open okay and uh we'll just hit enter there we are okay now I've saved it let me close this up and I'm going to open up the document again uh in this particular case uh let's see uh does that bring up anything okay it doesn't excellent so um let me go ahead and uh let me go into this one here so if we now call it so I can say call Print numbers and uh now let's exit there we are so this specific um this specific event procedure is extremely useful in that sense now you can also just avoid creating other sub routines or functions and just do your stuff within Auto openen and you can have another function called or sub routine called Auto open because it's predefined um so you know I can just say message box uh executed with Auto open okay very simple save it exit and then uh run this here there we are so you can actually put all your malicious stuff in Auto open if you want now there's also open document um which is uh similar and uh this is triggered when a document is opened uh and there really isn't any preference I personally find that auto openen is more reliable there's also ones specific to excel which we'll probably explore in a later video uh but yeah one final um example I want to um or one final macro I want to show you just um you know to Peak your attention here is one that will get Windows system information and display it back to us so what we'll do is uh we'll get rid of Auto open here and I'll just create a uh sub routine called uh CIS uh syst info dumper something really vague and then we'll create a new variable called uh object shell and again I'll explain what objects are probably in the next video but it's a data type and then dim um we'll create a new variable here called um execute command as object and we then create another one so dim output uh line to handle output and then dim uh system info as string all right now we're going to we'll use comments a little bit here now so we're going to create the uh shell object all right so I'm going to say uh set object um object shell to an actual objects in this case create object and uh we're going to utilize uh the w script so um W

script. shell and I'll explain that as I said in the next video for now just want to show you how cool VBA is especially when we're talking about Windows really execute the um system info command that I'm sure you're all aware of we can then say set um this to uh object uh yeah object ex shell and uh exac and then we specify what we want to execute so cmd. exe uh command uh system info so that's where we're specifying our Command Prompt command and now we want to read uh the output or get the output as string and uh we're going to use a y so do while not exac CMD do standard output uh at end of uh stream and uh then we say output line is equal to uh exac CMD do standard output uh read line okay and then uh System Info the variables is going to be equal to uh System Info um and output line and then uh we're going to utilize uh I'll explain I'll probably explain this VB uh this is uh line carriage so CR uh for next line and then uh we need to say Loop okay and then we're going to just say display system info in uh message box okay very simple and then we're I'm just going to say uh message box here um that's uh system info and then I'm just going to say VB information and say uh right over here the title is just system information okay let's save this now and we run this and there we are so you can see it gets all that info and in my opinion passes it quite well although not the best uh and it's not everything so it's you're probably um much better off saving this into a file anyway um that's pretty much all I wanted to highlight in this video now that we know what we're doing we're now going to take a look at practical examples so you know uh in the next video most likely command and program execution with shell and W script or you know uh yeah W script and then we'll take a look at building a dropper and then a reverse shell macro all that stuff so uh that's going to be it for this video uh and if you have any questions comments or feedback leave them in the comment section if you enjoyed this video found value in it leave a like down below and I'll be seeing you guys in the next video