> For the complete documentation index, see [llms.txt](https://www.ired.team/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/inject-macros-from-a-remote-dotm-template-docx-with-macros.md).

# Inject Macros from a Remote Dotm Template

This lab shows how it is possible to add a macros payload to a docx file indirectly, which has a good chance of evading some AVs/EDRs.&#x20;

This technique works in the following way:

1. A malicious macro is saved in a Word template .dotm file
2. Benign .docx file is created based on one of the default MS Word Document templates
3. Document from step 2 is saved as .docx
4. Document from step 3 is renamed to .zip
5. Document from step 4 gets unzipped
6. .\word\_rels\settings.xml.rels contains a reference to the template file. That reference gets replaced with a refernce to our malicious macro created in step 1. File can be hosted on a web server (http) or webdav (smb).
7. File gets zipped back up again and renamed to .docx
8. Done

## Weaponization

Alt+F8 to enter Dev mode where we can edit Macros, select `ThisDocument` and paste in:

{% code title="Doc3.dotm" %}

```javascript
Sub Document_Open()

Set objShell = CreateObject("Wscript.Shell")
objShell.Run "calc"

End Sub
```

{% endcode %}

![](/files/-LaHsr9Df6zSyClDXreO)

Create a benign .docx file based on one of the provided templates and save it as .docx:

![](/files/-LaHtw6A6pSqS8yRT_4D)

Rename legit.docx to legit.zip:

![](/files/-LaHuXVOCz0pu04UlGl4)

Unzip the archive and edit `word_rels\settings.xml.rels`:

{% code title="word\_rels\settings.xml.rels" %}

```markup
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="file:///C:\Users\mantvydas\AppData\Roaming\Microsoft\Templates\Polished%20resume,%20designed%20by%20MOO.dotx" TargetMode="External"/></Relationships>
```

{% endcode %}

Note it has the target template specified here:

![](/files/-LaHwmHfhmC9WmqXqAi0)

Upload the template created previously `Doc3.dot` to an SMB server (note that the file could be hosted on a web server also!).

Update word\_rels\settings.xml.rels to point to Doc3.dotm:

![](/files/-LaI0x6LlzkBHXCcae2k)

Zip all the files of `legit` archive and name it back to .docx - we now have a weaponized document:

![](/files/-LaI2n9iw2zGOJSlqKFI)

{% hint style="info" %}
Note that this technique could be used to steal NetNTLMv2 hashes since the target system is connecting to the attacking system - a responder can be listening there.
{% endhint %}

## References

{% embed url="<http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html>" %}
