Bypassing Gmail Attachment Virus Check
Bypass Gmail's Attachment Virus Check for PowerShell Macros
Note: This was posted in January 2016
So today, whilst practising creating trojanised Microsoft Word documents, I came across an issue: Gmail scans every attachment for malware by default, which gets in the way if you want to send a malicious attachment out.
To insert a payload into the Word document, I first created a template which looked like the below.
After doing so, creating the macro with AutoOpen and Document_Open as the entry points was trivial. I used a PowerShell one-liner, launched via process creation, that hands a base64-encoded payload to powershell.exe with the -Enc (-EncodedCommand) switch. PowerShell Empire's default copy-and-paste macro stager does exactly this, and Gmail detects it.
Sample payload:
I then started removing lines of code, re-uploading the document as a Gmail attachment after each change, until it was no longer flagged as a virus.
I kept adjusting the payload to identify which string or pattern the scanner was picking up, and quickly realised that the trigger was the "-Enc" string in the payload.
To get around this, I split the "-Enc" string into "-E" and "nc" and then concatenated them back together in the macro. For example:
This would be translated to the following:
However, this technique did not work. My next thought was that the "Yops" string is checked only after all the concatenation has been resolved, to determine whether "-Enc" is followed by "powershell.exe". So I did the following instead, and it bypassed the virus check.
This quickly bypassed the antivirus feature on Gmail's attachments and I was able to send the payload to my other machine for testing. Note that this only defeats a static string signature on the document: once the macro runs, the concatenated command line handed to powershell.exe is identical to the original, so anything that inspects process command lines on the endpoint sees exactly the same -Enc invocation.
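As an added example, not code from the original post, the Python below does two things the post relies on but does not show: it builds the base64 argument that powershell.exe -EncodedCommand (-Enc) actually expects, which is the UTF-16LE encoding of the command rather than UTF-8, and it models a scanner that constant-folds VBA `"a" & "b"` string concatenation before matching a signature. Gmail's real attachment check is not public; the toy scanner, its single signature, and the two sample macros (which launch a harmless Write-Output command and are constructed for this example) are assumptions chosen to reproduce the post's observation that splitting "-Enc" into "-E" & "nc" is still caught when the checker resolves concatenation first.

```python
"""Added example (not from the original post): why splitting "-Enc" into
"-E" & "nc" does not evade a scanner that folds VBA string concatenation
before matching, plus the correct way to build a -EncodedCommand argument.

The scanner and its signature are a hypothetical, simplified model of the
behaviour the post describes observing; they are not Gmail's actual logic.
"""
import base64
import re


def encode_powershell_command(command: str) -> str:
    """Return the argument for `powershell.exe -EncodedCommand`.

    powershell.exe decodes this as base64 of UTF-16LE text. Encoding the
    command as UTF-8 also produces valid base64, but PowerShell would then
    decode it to garbage, which is a common mistake when building stagers.
    """
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(encoded: str) -> str:
    """Inverse of encode_powershell_command, i.e. what powershell.exe does."""
    return base64.b64decode(encoded).decode("utf-16-le")


# Matches two adjacent VBA string literals joined by "&": "-E" & "nc"
# VBA escapes a quote inside a literal as "" so that is allowed in the body.
_CONCAT = re.compile(r'"((?:[^"]|"")*)"\s*&\s*"((?:[^"]|"")*)"')


def fold_vba_concatenation(src: str) -> str:
    """Constant-fold `"a" & "b"` into `"ab"`, repeating until nothing changes."""
    while True:
        folded = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
        if folded == src:
            return src
        src = folded


# Hypothetical signature: powershell.exe followed on the same line by -Enc.
SIGNATURES = [re.compile(r"powershell(?:\.exe)?[^\n]*-Enc", re.IGNORECASE)]


def looks_malicious(macro_src: str, fold: bool) -> bool:
    """Toy scanner: match the signatures against raw or constant-folded source.

    fold=False is a naive literal scan; fold=True resolves concatenation first,
    which is the behaviour the post infers from the "-E" & "nc" split failing.
    """
    text = fold_vba_concatenation(macro_src) if fold else macro_src
    return any(sig.search(text) for sig in SIGNATURES)


# Constructed sample macros. The encoded command is harmless on purpose.
ENCODED = encode_powershell_command("Write-Output 'hello from the macro'")

MACRO_PLAIN = f'''Sub AutoOpen()
    Dim cmd As String
    cmd = "powershell.exe -Enc {ENCODED}"
    Shell cmd, vbHide
End Sub
'''

# Same command with "-Enc" split into "-E" & "nc", as the post describes.
MACRO_SPLIT = f'''Sub AutoOpen()
    Dim cmd As String
    cmd = "powershell.exe -E" & "nc " & "{ENCODED}"
    Shell cmd, vbHide
End Sub
'''


if __name__ == "__main__":
    for name, macro in (("plain", MACRO_PLAIN), ("split", MACRO_SPLIT)):
        print(f"{name}: naive scan={looks_malicious(macro, fold=False)} "
              f"folded scan={looks_malicious(macro, fold=True)}")
```

Running it shows the split macro slipping past the naive literal scan but being flagged once concatenation is folded, which is the situation the post ran into; the folded source also confirms that the command line handed to powershell.exe is unchanged by the split.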