Combine the Payload with an Excel, Word Document

Combining a Metasploit payload with a Microsoft Excel or Word document involves leveraging Office macros to execute shellcode, a technique designed to evade antivirus detection by appearing as a legitimate document. The process requires generating the shellcode, embedding it into a macro, and tricking the user into enabling content. Launch the Veil Framework by typing veil in your terminal and select the Evasion module by entering use 1. You must select a payload that generates raw shellcode, such as python/shellcode_inject/flat or c/shellcode_inject/flat, rather than a standalone executable. Configure your network settings by setting LHOST and LPORT to match your listener. Generate the payload, and Veil will provide a directory path containing a text file holding the raw shellcode in a format like C or Python.

Next, open Microsoft Word or Excel on a Windows machine to create your decoy document. Go to the “View” tab, click “Macros,” and create a new macro named “AutoOpen” (for Word) or “Workbook_Open” (for Excel) so that it runs automatically when the document is opened. In the VBA editor, you will need to insert code that allocates memory and executes the raw shellcode you generated in Veil. This typically relies on Windows API functions such as VirtualAlloc and CreateThread to place the shellcode in executable memory inside the Office process that opened the document and run it from there.

Once the macro code is inserted, save the document as a macro-enabled format, specifically .docm or .xlsm. In a separate terminal on your Kali machine, launch Metasploit with msfconsole and set up a handler by entering use exploit/multi/handler. Match the payload, LHOST, and LPORT exactly to those used in Veil, then type exploit. When the target opens the document and enables macros, the hidden code executes, establishing a Meterpreter session.
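From the defender's side, the first question about a .docm/.xlsm like the one described above is what its macro actually does, and the VBA source inside vbaProject.bin is stored MS-OVBA-compressed, so it has to be decompressed before the auto-execute procedure names and the VirtualAlloc/CreateThread declarations can be searched for. The following is an added example, not code from the original page or from Veil or Metasploit: a decompressor for the MS-OVBA container format plus a scan for the indicators named in the text. It assumes the module stream has already been extracted from the OLE file (for instance with olefile), and the sample container is constructed in memory with literal tokens only.

```python
# Added example; assumes the module stream was already pulled out of vbaProject.bin (e.g. with olefile).
AUTO_EXEC = ("AutoOpen", "Document_Open", "Auto_Open", "Workbook_Open")
SHELLCODE_APIS = ("VirtualAlloc", "CreateThread", "RtlMoveMemory")


def decompress_vba_stream(data: bytes) -> bytes:
    """MS-OVBA decompression: 0x01 signature, then chunks of a 2-byte header
    followed by token groups (one flag byte, then up to 8 tokens)."""
    if not data or data[0] != 0x01:
        raise ValueError("not a compressed VBA container")
    out, pos = bytearray(), 1
    while pos < len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        chunk_end = pos + (header & 0x0FFF) + 3   # size includes the header
        pos += 2
        if not header & 0x8000:                    # stored chunk: 4096 raw bytes
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        chunk_start = len(out)
        while pos < chunk_end:
            flags, pos = data[pos], pos + 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not flags & (1 << bit):         # literal token: one byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                # offset field widens as the chunk decodes (minimum 4 bits)
                bits = max(4, (len(out) - chunk_start - 1).bit_length())
                offset = (token >> (16 - bits)) + 1
                for _ in range((token & (0xFFFF >> bits)) + 3):
                    out.append(out[-offset])        # overlapping back-reference
    return bytes(out)


def scan_macro_source(source: bytes) -> dict:
    """Flag source that both auto-executes and names shellcode-runner APIs."""
    text = source.decode("latin-1").lower()
    auto = [n for n in AUTO_EXEC if n.lower() in text]
    apis = [n for n in SHELLCODE_APIS if n.lower() in text]
    return {"auto_exec": auto, "apis": apis, "suspicious": bool(auto and apis)}


def literal_container(text: bytes) -> bytes:
    """Constructed test input (not Office output): one chunk, literals only."""
    assert len(text) <= 3000, "single-chunk helper"
    body = b"".join(b"\x00" + text[i:i + 8] for i in range(0, len(text), 8))
    return b"\x01" + (0xB000 | (len(body) - 1)).to_bytes(2, "little") + body
```

The string match is deliberately case-insensitive because VBA identifiers are not case-sensitive; a hit on both an auto-execute name and a memory/thread API is what warrants detonating the document in a sandbox rather than proof of malice on its own.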
