Update doc

wchen-r7 · wchen-r7 · commit 7ec5ec6442a0 · 2017-02-16T12:39:24.000-06:00
diff --git a/documentation/modules/exploit/multi/fileformat/office_word_macro.md b/documentation/modules/exploit/multi/fileformat/office_word_macro.md
@@ -1,3 +1,4 @@
+
 ## Description
 
 This module generates a macro-enabled Microsoft Office Word document. It does not target a specific
@@ -8,10 +9,6 @@ There are many ways to create this type of malicious doc. The module injects the
 payload in the comments field, which will get decoded back by the macro and executed as a Windows
 executable when the Office document is launched.
 
-Please note: By default, Microsoft Office does not execute macros automatically. If a macro is
-present, the user will most likely need to manually click on the "Enable Content" button in order
-to run the macro.
-
 
 ## Vulnerable Application
 
@@ -23,10 +20,11 @@ Specifically, this module was tested specifically against:
 * Microsoft Office 2010.
 * Microsoft Office 2013.
 * Microsoft Office 2016.
+* Microsoft Office Word 15.29.1 (161215).
 
 ## Verification Steps
 
-1. ```use exploit/windows/fileformat/office_word_macro```
+1. ```use exploit/multi/fileformat/office_word_macro```
 2. ```set PAYLOAD [PAYLOAD NAME]```
 3. Configure the rest of the settings accordingly (BODY, LHOST, LPORT, etc)
 4. ```exploit```
@@ -62,3 +60,38 @@ While editing, you should avoid modifying the following unless you are an advanc
   in front of the payload string. The blank space is for making the payload less obvious
   at first sight if the user views the file properties.
 * The VB code in the macro.
+
+## Trusted Document
+
+By default, Microsoft Office does not execute macros automatically unless it is considered as a
+trusted document. This means that if a macro is present, the user will most likely need to manually
+click on the "Enable Content" button in order to run the macro.
+
+Many in-the-wild attacks face this type of challenge, and most rely on social-engineering to trick
+the user into allowing the macro to run. For example, making the document look like something
+written from a legit source, such as [this attack](https://motherboard.vice.com/en_us/article/these-hackers-cleverly-disguised-their-malware-as-a-document-about-trumps-victory).
+
+To truly make the macro document to run without any warnings, you must somehow figure out a way to
+sign the macro by a trusted publisher, or using a certificate that the targeted machine trusts.
+
+For testing purposes, another way to have a certificate is to create a self-signed one using
+Microsoft Office's SELFCERT.exe utility. This tool can be found in the following path on
+Windows:
+
+```
+C:\Program Files\Microsoft Office\root\Office16\SELFCERT.exe
+```
+
+In Office 2010, the self-signing tool is actually an option in the Office tools folder in the
+start menu. It should be named "Digital Certificate for VBA Projects".
+
+Double-click on the executable, enter a random name and click "OK", at this point you have a
+certificate to play with.
+
+Next, we want to flag this certificate as trusted:
+
+1. Click on Start, and then enter "Internet Options".
+2. Click on the Content tab, and then click on the Certificates button.
+3. You should see your new certificate under the Personal tab, export it.
+4. Click on the Trusted Publishers, and then import your personal certificate.
+5. Try the macro exploit again, it should run the malicious code without warning.
