CyberDefenders: MalDoc101

It is common for threat actors to use living off the land (LOTL) techniques, such as executing PowerShell, to further their attacks and transition out of the macro code. This challenge is intended to show how you can often perform quick analysis to extract important IOCs. The focus of this exercise is on static analysis techniques.

Information

Category Name: MalDoc101

Files: c34-maldoc101.zip 98KB

My Recommendations

This is my personal preference. I like being organized and deleting a folder when I’m done with it.

mkdir Documents/CyberDefenders/MalDoc101 && cd Documents/CyberDefenders/MalDoc101

Download it from CyberDefenders and verify it with:

sha1sum /path/to/c34-maldoc101.zip

SHA1SUM: 4d482527cf63400dc98ff574903f1ea7dbffb6cd

Walkthrough

1. Multiple streams contain macros in this document. Provide the number of the highest one.

Using oledump.py:

    oledump.py sample.bin

The streams that contain macros (marked with an ‘M’ in the oledump.py listing) are numbers 13, 15 and 16. The highest one is 16.

Answer: 16

2. What event is used to begin the execution of the macros?

The first stream that contains a macro is stream 13. Looking at its contents with oledump.py (the -v option decompresses the VBA source):

    oledump.py -v -s 13 sample.bin

The macro defines a Document_open() handler, which then calls the function ‘boaxvoebxiotqueb’. That function is defined in the macro at stream 15:

Therefore, the VBA code starts executing from the ‘Document_open()’ event, which fires as soon as the document is opened.

Answer: Document_open

3. What malware family was this maldoc attempting to drop?

The fastest way to identify the malware family associated with the document is to look up its hash on VirusTotal:

    md5sum sample.bin
    # returns ea50158bcef30d51e298846c056649c3

Microsoft flags the document as a trojan downloader for the Emotet malware:

Answer: Emotet


4. What stream is responsible for the storage of the base64-encoded string?

If we look at the output of oledump.py from Question 1, we can see that the largest streams are streams 5, 8 and 34. We can look at their contents using oledump.py with the -S option, which extracts the printable strings from a stream:

    oledump.py -s 5 -S sample.bin
    oledump.py -s 8 -S sample.bin
    oledump.py -s 34 -S sample.bin

Stream 5 contains an image, which makes sense since it is the ‘Data’ stream of the file:

Stream 8, VBAProject, contains the VBA project as a whole:

Stream 34 contains an obfuscated string:

Since the stream ends with ‘=’ (the padding character base64 uses when the input length is not a multiple of three bytes), we can reasonably assume it is a base64-encoded string.

Answer: 34

5. This document contains a user-form. Provide the name?

Using olevba, we can get a bigger picture of how the VBA operates:

    olevba sample.bin

Here, it shows that there is a user form called ‘roubhaol.frm’.

Answer: roubhaol

6. This document contains an obfuscated base64 encoded string; what value is used to pad (or obfuscate) this string?

The obfuscated base64 string is in stream 34. We can dump its contents to a text file first:

    oledump.py -s 34 -S sample.bin > s34
    cat s34

If we look closely at the contents, we can see a repeating pattern for the string ‘2342772g3&*gs7712ffvs626fq’:

We can deobfuscate it with sed. Since the string contains the * character, which is a regex metacharacter, we need to escape it with a backslash (the & only has a special meaning on the replacement side of a sed substitution, so it can stay as-is in the search pattern):

    sed -i 's/2342772g3&\*gs7712ffvs626fq//g' s34

The cleaned string now starts with ‘powershell -e’, so we can assume the deobfuscation was successful. Furthermore, we can decode the base64 argument directly to see what the command executes (note that PowerShell’s -e / -EncodedCommand expects base64 of UTF-16LE text, so the decoded output contains a null byte after each character; piping it through ‘iconv -f UTF-16LE -t UTF-8’ yields clean text):

    echo -n '#base64encodedstring' | base64 -d > powershell-s34

Answer: 2342772g3&*gs7712ffvs626fq

7. What is the program executed by the base64 encoded string?

As we saw above, the cleaned string begins with ‘powershell -e’, so the program executed is powershell.

Answer: powershell

8. What WMI class is used to create the process to launch the trojan?

The decoded base64 command that we previously saved can be ‘pretty printed’ by adding new lines after semi-colons:

    sed 's/;/;\n/g' powershell-s34


The code works by first downloading the trojan to the user profile directory, saving it as 337.exe, and then using the win32_Process WMI class to create a process that launches it.

Answer: win32_Process
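The padding-removal and decoding steps from Questions 6 and 8, combined into one script. This is an added example, not part of the original walkthrough: it strips the padding pattern the way the sed command does, pulls the base64 argument out of ‘powershell -e’, decodes it as UTF-16LE, and splits the one-liner on semicolons. The stream contents are a constructed, harmless stand-in built by build_sample(), not the real stream 34.

```python
import base64
import re

# Padding pattern the walkthrough found repeated through stream 34.
PAD = "2342772g3&*gs7712ffvs626fq"


def strip_padding(obfuscated: str, pad: str = PAD) -> str:
    """Remove every copy of the padding pattern (what the sed substitution does)."""
    return obfuscated.replace(pad, "")


def extract_encoded_command(command: str) -> str:
    """Return the base64 argument of 'powershell -e <b64>' (also accepts -ec / -EncodedCommand)."""
    m = re.search(r"powershell(?:\.exe)?\s+-e(?:ncodedcommand|c)?\s+(\S+)", command, re.IGNORECASE)
    if not m:
        raise ValueError("no 'powershell -e <base64>' found in command")
    return m.group(1)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand takes base64 of UTF-16LE text, so both layers must be undone."""
    return base64.b64decode(b64).decode("utf-16-le")


def pretty_print(script: str) -> list[str]:
    """Split the one-liner on semicolons, like `sed 's/;/;\\n/g'`, dropping empty statements."""
    return [part.strip() for part in script.split(";") if part.strip()]


def analyze(obfuscated: str) -> list[str]:
    """Full pipeline: strip padding, extract the base64, decode it, split into statements."""
    cleaned = strip_padding(obfuscated)
    return pretty_print(decode_encoded_command(extract_encoded_command(cleaned)))


def build_sample() -> str:
    """Constructed stand-in for stream 34 (assumption, not the real sample's content):
    a harmless script encoded the way -e expects, with PAD inserted every 8 characters."""
    script = "$p = $env:TEMP; Get-ChildItem $p; Write-Host 'done'"
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    command = "powershell -e " + b64
    chunks = [command[i:i + 8] for i in range(0, len(command), 8)]
    return PAD + PAD.join(chunks) + PAD


if __name__ == "__main__":
    for statement in analyze(build_sample()):
        print(statement)
```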

9. Multiple domains were contacted to download a trojan. Provide first FQDN as per the provided hint.

We can run the file in Any.run to see which domains are contacted by the trojan:

The first one is haoqunkong[.]com. This domain also appears in the VirusTotal report for the file:

Answer: haoqunkong[.]com


TLDR

– Use oledump.py and olevba to analyze the macros statically and extract the obfuscated command.

– Load the file in Any.run to find dynamic information about the malware, such as the contacted domains.
