How to Generate an Evil QR Code with Excel Sheets


In this article we will talk about how a malicious QR code can be created with Excel Sheets.

**Important**

I am not responsible for any damage you do with the educational content that I publish; my content is for educational purposes only.

Let’s start with the basic explanation of:

What is a QR Code?

A QR Code is a type of matrix barcode. A barcode is a machine-readable optical label that contains information about the item to which it is attached. In practice, QR codes often contain data for a locator, identifier, or tracker that points to a website or application.

What is Excel?

Excel is a spreadsheet developed by Microsoft for Windows, macOS, Android, and iOS. It features calculation, graphing tools, pivot tables, and a macro programming language called Visual Basic for Applications.

So, after the explanations of QR codes and Excel, let’s begin.

For the test, I opened a phishing server in AWS; the phishing site itself will be an Instagram login page.

Now that we have a phishing site ready, we will go to the following site:

https://www.google.com/sheets/about/

This is the Google Sheets site. It works the same way as Excel in Microsoft Office, but Google Sheets is the recommended option here.

We will go to it, open a new spreadsheet, and move on to the next page:

We will design a table of two columns and three rows, give the columns the titles QR Value and QR Generator, and write the link we want to convert to a QR code in the QR Value column:

In the QR Generator column, we’ll type the following formula:

=IMAGE("https://chart.googleapis.com/chart?chs=200x200&cht=qr&chl="&C5)

When we press Enter, we see the QR code:

Of course, you can change the URL of your phishing site to a link that looks less suspicious: search Google for a URL shortener and you can do it quickly, without any problem.

Now that we have created a malicious QR code that points to a phishing site, we can, for the sake of example, scan it with a phone camera or a QR scanner; this can be done on any Android or Apple device.

Once we’ve scanned the code, we’ll get to the next page:

Playing the victim, we type a username and password there, and the username and password that the victim typed arrive on our AWS server!
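Seen from the defender's side, the URL decoded from a QR code can be triaged before anyone opens it. The following is an added example, not part of the original article: the shortener list, the brand map, the function names and the sample payloads are all constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, non-exhaustive lists for illustration only.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
BRANDS = {"instagram": {"instagram.com"}}  # keyword -> legitimate domains

# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = [
    "https://www.instagram.com/accounts/login/",
    "http://203.0.113.10/instagram/login",
    "https://bit.ly/3abcdEF",
    "https://instagram.com.login-check.example/",
]


def _on_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def triage_qr_url(payload):
    """Return the reasons a QR-decoded payload deserves a closer look."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["unparseable URL"]
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return ["not an http(s) URL"]
    reasons = []
    if parts.scheme == "http":
        reasons.append("no TLS")
    if "@" in parts.netloc:
        reasons.append("userinfo in URL")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP host")
    except ValueError:
        pass  # host is a name, not an IP literal
    if any(_on_domain(host, s) for s in SHORTENERS):
        reasons.append("URL shortener hides the destination")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host")
    for brand, legit in BRANDS.items():
        mentioned = brand in host or brand in parts.path.lower()
        if mentioned and not any(_on_domain(host, d) for d in legit):
            reasons.append(f"mentions {brand} but host is not {brand}'s domain")
    return reasons
```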

For PoC, Click here

That’s it for this article, and I was happy to write it for you guys! 🙂
