code is here:
The screenshot above walks through the process
run it, pass in the URL to Invode-Shellcode.ps1, enter metasploit listener IP and port, and the name of the xls you want created.
You then pick a persistence method:
"Meterpreter Shell with Logon Persistence: This attack delivers a meterpreter shell and then persists in the registry by creating a hidden .vbs file in C:\Users\Public and then creates a registry key in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load that executes the .vbs file on login."
-Powershell Profile Persistence
"Meterpreter Shell with Powershell Profile Persistence: This attack requires the target user to have admin right but is quite creative. It will deliver you a shell and then drop a malicious .vbs file in C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\cookie.vbs. Once dropped, it creates an infected Powershell Profile file in C:\Windows\SysNative\WindowsPowerShell\v1.0\ and then creates a registry key in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load that executes Powershell.exe on startup. Since the Powershell profile loads automatically when Powershell.exe is invoked, your code is executed automatically."
more info: https://enigma0x3.wordpress.com/2014/06/16/abusing-powershell-profiles/
-Microsoft Outlook Email Persistence
"Meterpreter Shell with Microsoft Outlook Email Persistence: This attack will give you a shell and then download a malicious Powershell script in this location: C:\Users\Public\. Once downloaded, it will insert your defined IP address, Port, Email address and Trigger word.
It will then create a malicious .vbs file and drop it in C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\. Once dropped, it creates a registry key that executes it on login. When the Powershell script is executed, it monitors the user's Outlook Inbox for an email containing the email address you specified as well as the subject. When it sees the email, it will delete it and send you a shell."
more info https://enigma0x3.wordpress.com/2014/10/14/persistence-using-microsoft-outlook/
Then pick Meterpreter shell you want HTTP or HTTPS
Once complete you'll have a blank XLS in office2k-2k3 version.
If you peak inside, you'll see its relatively straightforward to see whats going on.