Greg Linares (Laughing Mantis)
20+ yrs in Infosec. Cybergoth. Musician. Autistic. Art @MalwareArt. 4x Pwnie Nominee. Red Teamer. 𝕍𝕏. Chronic Illness Fighter. I love Smite, Gamedev & Synths

Jul 1, 2020, 9 tweets

So for today's lesson in C2C for #VBA I will be discussing abusing the AddWebVideo method.

This feature is literally for (surprise) adding videos inside documents.

However, it is one of the most overlooked ways to implement C2C or exfil.

#VBALostArts

AddWebVideo has 3 parameters that are partial to abuse for C2C and exfil (among other things).

EmbedCode, PosterFrameImage, and URL being the ones we are interested in.

However they each have their own behavior and benefits.

Starting off with EmbedCode, this variable accepts HTML content that is to be rendered within MS Office.

So using EmbedCode you can trigger an HTTP[S] connection to your C2C server as well as store some HTML (more on that in the future).

Something like this gets the job done:

The second parameter that can be abused is PosterFrameImage, and is likely the best candidate for today's topic on C2C abuse and exfil.

This will grab an image from a remote resource, download it and then store it within the document as a placeholder for the pre-rendered video.

Using Fiddler we can see these requests to the YouTube resources I used in the examples:

This is nearly identical to yesterday's example, complete with an inaccurate Word version in the request.

The URL parameter acts similarly to the PosterFrameImage parameter.

However there are some small but interesting details that make the image option much better - I will come back to that in the future.

So what can you do with these embedded videos for C2C, you ask?

Well, one nice feature is the embedded videos are not blocked by macros - so they can be used to instruct users to disable macros.

Enabling macros would then execute code to change the video.

Changing the video by modifying the Hyperlink object's Address property and then executing them via the Follow method will actually execute a full browser execute on a URL (outside Word).

This could be used by C2C to confirm delivery and to set phase 2 of VBA code.

In a future discussion I will discuss how successful VBA malware & pentesting tools need to be multi-phase to evade analysis & forensics.

So, TL;DR of this thread: abusing VBA code to make HTTP[S] requests via Word itself, without calling Win32 or VBA HTTP code, to evade detection.
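As an added defensive example (not the author's code): a scanner that unpacks a .docx and lists the remote references this thread describes, the URL embedded in the web-video HTML and external hyperlink targets, so a triage pipeline can flag documents that would phone home without any VBA HTTP code. It assumes Word persists the EmbedCode HTML in a wp15:webVideoPr element's embeddedHtml attribute; the sample package and hostnames are constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Assumption: Word stores an online video's EmbedCode in wp15:webVideoPr/@embeddedHtml.
WP15 = "http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing"
RELS = "http://schemas.openxmlformats.org/package/2006/relationships"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def extract_remote_refs(docx_bytes):
    """Return {'web_video_urls': [...], 'external_rels': [...]} for a .docx blob."""
    found = {"web_video_urls": [], "external_rels": []}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.endswith(".xml") or name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            # Pull every URL out of embedded web-video HTML, wherever the part is
            for el in root.iter("{%s}webVideoPr" % WP15):
                found["web_video_urls"].extend(URL_RE.findall(el.get("embeddedHtml", "")))
            # Relationships that point outside the package (hyperlinks, linked media)
            for rel in root.iter("{%s}Relationship" % RELS):
                if rel.get("TargetMode") == "External":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found["external_rels"].append((kind, rel.get("Target")))
    return found

def build_sample_docx():
    """Constructed minimal package for the demo; hostnames are placeholders."""
    document_xml = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:wp15="%s"><w:body><w:p><wp15:webVideoPr embeddedHtml="&lt;iframe '
        'src=&quot;https://video.example.test/embed/abc&quot;&gt;&lt;/iframe&gt;" '
        'h="315" w="560"/></w:p></w:body></w:document>' % WP15
    )
    rels_xml = (
        '<Relationships xmlns="%s"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org'
        '/officeDocument/2006/relationships/hyperlink" Target="https://c2.example.test/phase2" '
        'TargetMode="External"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org'
        '/officeDocument/2006/relationships/image" Target="media/image1.png"/></Relationships>' % RELS
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

if __name__ == "__main__":
    print(extract_remote_refs(build_sample_docx()))
```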
