Launch a Client-Side Attack Using Excel Files

June 23, 2016 | Views: 10008


Hello Cybrarians, once again,

In this article, we’ll discuss client-side attacks with Excel files.

Client-side attacks are always a fun topic for attackers today. As network administrators and software developers fortify the perimeter, pentesters need to find a way to make the victims open the doors for them to enter the network.

Client-side attacks require user interaction, such as enticing victims to click a link, open a document or somehow get to your malicious website.

This attack is based on a real-life scenario.

Companies are trading and sharing documents every day, but I don’t believe they’re aware of the threats associated with their actions or they just don’t take it seriously. What can I say 😛


Tools we’ll use:
1) Veil-Evasion
2) Macroshop
3) Metasploit, Armitage or Cobalt Strike. Let’s stick with Armitage just for the visual effects – they’re nice, huh 😛

All tools can be found by searching on Google.


Methodology of the attack:

We’ll create an Excel file where macros will be enabled. What are macros? Macros are “mini-programs” that you create within an Excel worksheet. They’re just a series of commands given in a certain order that Excel remembers. For more details, please search Google.

In our macro command, we’ll add a shellcode generated from veil-evasion. Before we add it to our Excel file, we “process it” with macroshop. You’ll see what I mean later on.

NOTE: We may have to use our social engineering skills to convince the victim to enable the macros (by default, they’re disabled). Otherwise, our attack won’t work.


The practical part:

Run veil-evasion and create a powershell/meterpreter/reverse_https payload.

Move that payload to Desktop for easy access.

image 1

image 2


Now, let’s use macroshop for the final result of our shellcode and add it to a .txt file for easy access later on.

image 3


The next steps:

We’re done with the shellcode generation. Now, we need to add it to our Excel file. Let’s move to our Windows machine – but first, we have to adjust a few settings on our Excel sheet.

Choose File –> setting –> Customize Ribbon –> and tick the Developer tab on the left.

image 4


Afterwards, we’ll see a new menu tab on our sheet named Developer. We need to go there. Then, go to Visual Basic on the left. Next, to ThisWorkbook, where we’ll paste the content of the cybraryIT.txt we created previously. After that, save the file as an Excel macro-enabled workbook.

image 5

image 6

image 7

image 8


Now, we’re done with Excel. Let’s go back to our pentesting machine, run Armitage and load multi/handler to catch any connections.

image 9


See the notification on the victim’s machine about disabled macros.

image 10


After the activation of macros, we’re able to get a meterpreter shell and own the machine. That’s it.

image 11
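Seen from the defending side, the macro-enabled workbook saved above can be recognised before a user ever reaches the macro warning, because the VBA project travels as a `vbaProject.bin` part inside the file's ZIP package. The following is an added example, not part of the original article: the function names, the gateway policy and the in-memory sample files are all constructed for illustration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .xls container signature
XLSX_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
XLSM_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"


def classify_workbook(data: bytes) -> str:
    """Return 'macro', 'no-macro', 'legacy-ole' or 'not-office' for raw file bytes."""
    if data.startswith(OLE2_MAGIC):
        # Binary .xls can carry VBA as well; deciding needs an OLE parser.
        return "legacy-ole"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = {n.lower(): n for n in zf.namelist()}
        if "[content_types].xml" not in names:
            return "not-office"
        # The VBA project is stored as a vbaProject.bin part in the package.
        if any(n.endswith("vbaproject.bin") for n in names):
            return "macro"
        # Fall back to the declared content type in case the part was renamed.
        declared = zf.read(names["[content_types].xml"]).decode("utf-8", "replace")
        return "macro" if "macroenabled" in declared.lower() else "no-macro"


def gateway_verdict(filename: str, data: bytes) -> str:
    """Hypothetical mail-gateway policy: hold anything that can run VBA."""
    kind = classify_workbook(data)
    if kind == "macro" and not filename.lower().endswith((".xlsm", ".xltm", ".xlam")):
        return "quarantine: macro content under a non-macro extension"
    return {"macro": "quarantine: macro-enabled workbook",
            "legacy-ole": "hold: legacy format, inspect with an OLE parser",
            "no-macro": "deliver", "not-office": "deliver"}[kind]


def build_sample(content_type: str, with_vba: bool) -> bytes:
    """Constructed minimal OOXML-like package (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/xl/workbook.xml" ContentType="{content_type}"/></Types>')
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"placeholder")
    return buf.getvalue()
```

Calling `gateway_verdict("invoice.xlsm", build_sample(XLSM_CT, True))` returns the quarantine verdict, while a plain workbook built with `XLSX_CT` and no VBA part is delivered.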


Hope you liked it. If you have any questions or comments, please use the form below.

  1. Very cool
    I appreciate the info ..
