LetsDefend : Malicious VBA


https://app.letsdefend.io/challenge/Malicious-VBA/

One of the employees has received a suspicious document attached in the invoice email. They sent you the file to investigate. You managed to extract some strings from the VBA Macro document. Can you refer to CyberChef and decode the suspicious strings?

Please, open the document in Notepad++ for security reasons unless you are running the file in an isolated sandbox.


Tools used:

  • Strings
  • Cyberchef
  • Google as always

Malicious code is inserted into data files, such as spreadsheets and documents, by macro viruses. By using any strings tool we can see certain aspects of the Visual Basic code. However, it isn't in clear text and is clearly obfuscated. We first need to identify the obfuscated commands. The yellow parts are common VBA syntax and the green parts are the obfuscated text.

After some trial and error we are able to see the clear text with the Charcode decoder.
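The same decoding can be scripted instead of pasted into CyberChef by hand, which helps when a macro builds its strings from dozens of `Chr()` calls spread over several lines. The following is an added example, not part of the original write-up or the challenge file; the `SAMPLE_VBA` snippet is constructed and uses the reserved `example.invalid` domain rather than anything from the challenge.

```python
import re

# Constructed sample (not from the challenge file) of what a strings tool
# pulls out of a macro document: a URL assembled from Chr() calls and a literal.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim u As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(115) & Chr(58) & "//"
    u = u & Chr(101) & Chr(120) & Chr(97) & Chr(109) & Chr(112) & Chr(108) & Chr(101) & Chr(46)
    u = u & Chr(105) & Chr(110) & Chr(118) & Chr(97) & Chr(108) & Chr(105) & Chr(100)
    Call Run(u)
End Sub
'''

# One Chr()/ChrW()/ChrB()/Chr$() call (decimal or &H hex argument) or one "literal".
TOKEN = re.compile(r'Chr[WB$]?\((&H[0-9A-Fa-f]+|\d+)\)|"((?:[^"]|"")*)"', re.IGNORECASE)
# A VBA assignment: variable = expression
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.*)$')

def decode_expr(expr):
    """Turn 'Chr(104) & "x" & ChrW(&H41)' into the cleartext it builds."""
    out = []
    for code, lit in TOKEN.findall(expr):
        if code:
            out.append(chr(int(code[2:], 16) if code.upper().startswith('&H') else int(code)))
        else:
            out.append(lit.replace('""', '"'))  # VBA escapes a quote by doubling it
    return ''.join(out)

def decode_charcode_list(text, base=10):
    """Decode a bare code list such as '104 116 116 112' (CyberChef From Charcode input)."""
    return ''.join(chr(int(t, base)) for t in re.split(r'[\s,]+', text.strip()) if t)

def recover_strings(vba_text):
    """Replay the macro's string assignments; returns {variable: recovered cleartext}.
    Handles 'x = expr' and the self-append form 'x = x & expr'."""
    recovered = {}
    for line in vba_text.splitlines():
        m = ASSIGN.match(line)
        if not m or not TOKEN.search(m.group(2)):
            continue
        var, rhs = m.group(1), m.group(2)
        appending = re.match(rf'^{re.escape(var)}\s*&', rhs, re.IGNORECASE)
        chunk = decode_expr(rhs)
        recovered[var] = (recovered.get(var, '') + chunk) if appending else chunk
    return recovered

if __name__ == '__main__':
    for var, value in recover_strings(SAMPLE_VBA).items():
        print(f'{var} = {value!r}')
```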


Question 1

The document initiates the download of a payload after the execution, can you tell what website is hosting it?


Question 2

What is the filename of the payload (include the extension)?


Question 3

What method is it using to establish an HTTP connection between files on the malicious web server?


Question 4

What user-agent string is it using?


Question 5

What object does the attacker use to be able to read or write text and binary files?


Question 6

What is the object the attacker uses for WMI execution? Possibly they are using this to hide the suspicious application running in the background.
