Phishing with PowerPoint

Carrie RobertsChevy Swanson //

ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.

How do we make sure people open up our malicious files and execute them? We simply let Microsoft work for years and years to gain people’s trust, then we throw some dangerous macros into a powerpoint and people will actually have a smile on their face as they open it.

This other great blog post goes into more detail on the macros themselves and how to evade antivirus. This blog post ads a trick to get the macro to run as soon as the file is open without requiring additional user action, such as clicking or generating a mouseover event. This is a hack needed specifically for Powerpoint because it does not provide an Auto_Open or Workbook_Open option like Microsoft Word and Excel provide.

This blog post will cover how to get your macro to run as as soon as they enable macros via a nice little warning banner at the top of their screen.

First things first, we need to open our powerpoint presentation and add the “DEVELOPER” Tab if it isn’t already there.

In the developer tab click the “Visual Basic” button on the far left and that will open up a new window. Next, go to Insert>Module and here you can add in your macros. For this example we will open a message box.

Or, if you just want to copy the text for yourself:

Sub Run_On_Open()

    MsgBox “Run_On_Open just ran”

End Sub

Of course, if this had been an actual malicious attempt, you would have put your antivirus evading payload here instead, as shown in Sally’s blog post.

Save the powerpoint as a .pptm file and close it for now. Now there is the fast way and the barely slower way to do these next few steps. The fast way being the use of a program called CustomUI Editor which you can find a tutorial on how to use it for this purpose here. We can’t recommend the use of any random .msi file, so instead we are going to go through the more manual option.

First, you will want to unzip the powerpoint file into its own directory, then you will need to edit the _rels/.rels file to add this line right before the last </Relationships>:

<Relationship Type=””

Target=”/customUI/customUI.xml” Id=”Rd6e72c29d34a427e” />

Next, you will need to create a new directory on the same level as the _rels directory.

Create a file named customUI.xml in this new directory and add the following text:

<customUI xmlns=””

onLoad=”Run_On_Open” >


Zip your files back up. If you are on a mac, make sure you exclude the .DS_store files.

zip -r newRunOnOpen.pptm . -x “*.DS_Store”

Make sure you name it with a .pptm extension since the powerpoint must be able to load the custom ribbon we created. Your macros should now run upon opening of the powerpoint (once you enable macros).

You can learn more from Carrie in her classes!

Check them out here:

Attack Emulation Tools: Atomic Red Team, CALDERA and More 

PowerShell for InfoSec

Available live/virtual and on-demand!