[CyberDefenders write-up] MalDoc101

CyberStory.net
6 min read · Jul 16, 2023


Hello everyone!
Today, I'm going to deal with a challenge in the field of malware analysis.

Before we start…

To become a cybersecurity expert, aim high, seek knowledge, embrace new learning opportunities, and value delayed rewards. Also, remember to be in touch with like-minded folks and build your professional network. Here is a LINK to my landing page where you can find my LinkedIn and other social media profiles. I’d love the opportunity to connect with you! Cheers!

Introduction

There are not many details, and we will be focusing on ‘Living Off The Land’ techniques. In short, LOTL is an attack method that abuses legitimate tools already present on the victim's system to continue and progress the attack.

9 questions ahead.

One of the recommended tools is REMnux. It’s a Linux distro created for malware analysis. I'll check later to see if my Kali will suffice in this situation.

We have one .bin file inside the archive. Always be cautious when working with malware samples and run them on a Virtual Machine for added safety.

Challenge link: MalDoc101

Q1 — Multiple streams contain macros in this document. Provide the number of the highest one.

We will be focusing on static analysis, so first I need to open the binary file (.bin). I hadn’t used oledump before, but from its description I can see this might be the first tool to use.

‘Oledump — Analyze OLE files (Compound Binary Files)’

As my Kali doesn’t have it, I will need to install ‘oletools’.
The GitHub user decalage2 has some ‘how to’ instructions (open the INSTALL.txt file to find the right command).

Here is what we see when we open the binary file with oledump.py.

I didn’t know which ones were relevant here, but I noticed the three lines marked with ‘M’, so I tried 13, 15 and 16, and the last one turned out to be the correct answer.

Q2 — What event is used to begin the execution of the macros?

Since I was not acquainted with 'oletools', I had to revisit GitHub and explore the contents of the 'oletools' folder in order to find something valuable. We have been asked for the ‘event’ used to begin the execution, so we need to see the macro code itself.

We can try the ‘olevba’ tool in this case.
I won’t paste all of the results, as there is too much text.
However, use the command from the screenshot to run ‘olevba’.

I quickly noticed the highlighted section and discovered that it aligns with the answer we were looking for. Lucky me 😎

Q3 — What malware family was this maldoc attempting to drop?

Well, the only easy way I know in such cases is to upload the sample file to tools like VirusTotal.

Q4 — What stream is responsible for the storage of the base64-encoded string?

Let’s go back to our terminal.

This is where the obfuscated base64 string begins, and at the top we can see the stream name. Now remember this stream, and hopefully I didn’t clear the results of ‘oledump.py’…

There we go!

Q5 — This document contains a user-form. Provide the name.

Again, I scrolled down our ‘olevba’ results. We have multiple references to the FORM. Easy.

Q6 — This document contains an obfuscated base64 encoded string; what value is used to pad (or obfuscate) this string?

We need some tool to deobfuscate our base64 string.
The second part is easy, as we can visually see the repeating part.

I tried the simple command ‘strings -a sample.bin’ to extract strings, but there is still a lot of noise, so I need to find some tool I could combine with ‘strings’ to narrow down the scope and extract the repeating strings.

I admit it took me a while to find something useful. I found that the author of ‘oledump.py’, Didier Stevens, has a separate ‘AdHoc’ repository on his GitHub account.

One of the Python scripts is called ‘deobfuscate-repetitions.py’. However, I didn’t find any manual, so I simply added a pipe and executed this Python script.

Q7 — What is the program executed by the base64 encoded string?

We can see the answer in the image above.

Q8 — What WMI class is used to create the process to launch the trojan?

I feel like every next question is twice as difficult as the previous one.
But this is because I have very little experience with static malware analysis so far.

I began my research by searching for WMI classes, and to my delight, I quickly found the answer I was seeking 😎 However, while searching the internet is undoubtedly a valuable skill in the field of IT, it may not necessarily contribute to the process of learning malware analysis in a meaningful way.

I found that ‘deobfuscate-repetitions.py’ can be used with the -f flag, which helps us find a particular string. Let’s use ‘powersheLL’ to find the full base64.

Ok, I found it. So what? I tried to decode it with a popular online decoder, but with no success.

Coming back to Mr. Stevens’ repository…

This one (base64dump.py) was located in the ‘DidierStevensSuite’ repo, so I just added another pipe to the command.

If you find yourself in a deadlock (just like I did), don't forget to check the help/manual for the base64dump.py script.

Those two flags can be useful if you want to translate between encodings such as UTF-8 and UTF-16, etc.

Much better. And I found our WMI class for the answer!

Q9 — Multiple domains were contacted to download a trojan. Provide the first FQDN as per the provided hint.

The final question was the easiest one. All I did was include an additional pipe in this command and use ‘grep’ to highlight domains ending in ‘.com’.
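The Q6 to Q9 pipeline (strip the repeated padding value, base64-decode, read the bytes as UTF-16LE as base64dump.py's translate flags do, then grep the decoded command for the WMI class and the contacted hosts) as one added Python example. It is not code from the post or from Didier Stevens' tools, and it runs on a constructed, benign sample: the PowerShell one-liner, the padding token ‘pAd3Q’ and the example.com/example.net hosts are all made up rather than taken from the challenge file.

```python
import base64
import re
from collections import Counter

# Constructed sample (not the real payload): a benign PowerShell one-liner,
# UTF-16LE + base64 as -EncodedCommand expects, cut into 40-char chunks
# with a made-up junk token wedged between them, like the maldoc's padding.
PLAIN = ("Get-CimInstance -ClassName Win32_Process; "
         "Invoke-WebRequest -Uri http://example.com/a; "
         "Invoke-WebRequest -Uri http://sub.example.net/b")
TOKEN = "pAd3Q"   # constructed padding value, stands in for the real one
_B64 = base64.b64encode(PLAIN.encode("utf-16-le")).decode()
OBFUSCATED = TOKEN.join(_B64[i:i + 40] for i in range(0, len(_B64), 40))


def decode_b64_utf16(s):
    """Base64-decode s and return it as text only if the bytes are clean
    ASCII-range UTF-16LE; anything else means the padding was not removed."""
    try:
        raw = base64.b64decode(s, validate=True)
    except ValueError:
        return None
    if len(raw) < 2 or len(raw) % 2 or any(raw[1::2]):
        return None
    text = raw.decode("utf-16-le")
    return text if text.isprintable() else None


def find_repeated_token(s, minlen=4, maxlen=8, min_count=3):
    """Same idea as deobfuscate-repetitions.py: rank substrings that recur
    at least min_count times (most frequent, then longest, first) and keep
    the one whose removal leaves a string that decodes cleanly."""
    counts = Counter()
    for n in range(minlen, maxlen + 1):
        counts.update(s[i:i + n] for i in range(len(s) - n + 1))
    ranked = sorted((t for t, c in counts.items() if c >= min_count),
                    key=lambda t: (-counts[t], -len(t)))
    for token in ranked:
        if decode_b64_utf16(s.replace(token, "")) is not None:
            return token
    return None


def extract_indicators(text):
    """Grep-style triage of the decoded command: WMI classes and hosts."""
    hosts = re.findall(r"https?://([A-Za-z0-9.-]+)", text)
    return {"wmi_classes": sorted(set(re.findall(r"\bWin32_\w+", text))),
            "hosts": hosts,
            "com_hosts": [h for h in hosts if h.lower().endswith(".com")]}


def deobfuscate(s):
    token = find_repeated_token(s)
    return None if token is None else decode_b64_utf16(s.replace(token, ""))
```

Run `extract_indicators(deobfuscate(OBFUSCATED))` to get the same view the post reaches with strings, deobfuscate-repetitions.py, base64dump.py and grep chained together.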

If you find this sort of content helpful in your learning process, follow me on Medium/LinkedIn/Twitter and let’s learn together. More about myself and my activities can be found HERE.
