The high-level goal is to run malicious code inside the memory space of a legitimate, "trusted" process to hide its activity. The workflow typically follows these steps:
Spawn a Target: Start a legitimate process (like explorer.exe or another instance of winword.exe) in a suspended state.
Hollow the Process
The technique involves embedding a target executable file within the Office document, which is then extracted and executed using VBA code. This approach enables attackers to leverage the trusted nature of Office applications, exploiting the inherent trust users have in these programs. vba-runpe
The payload is typically position-independent shellcode (e.g., a Meterpreter reverse shell) or a minimally relocatable PE. It is stored as a :