Welcome! #
- LetsDefend is a Blue Team Training platform.
- This writeup is a challenge on LetsDefend.
Challenge Details: #
- Role targeted: Security Analyst
- Skill Level: Medium
Description: #
One of the employees received a suspicious document attached to an email. When the e-mail flow is examined, a suspicious Office file is found. The employee forwarded the email to the security team for analysis.
When the L1 analysts scanned the suspicious file with several different scanning tools, they saw that it does not contain VBA macros. Since the file looks like a phishing attachment, they forwarded the suspicious Office file to you for detailed analysis.
** Since the 2nd payload download addresses are closed, the 2nd payload is in the zip. Please start your analysis from the Office file.
Malicious Office Document (Zip password: infected): /root/Desktop/ChallengeFiles/11f44531fb088d31307d87b01e8eabff.rar
Lab Start: #

Setting up environment: #
```bash
cd ~/Desktop/ChallengeFiles
cp 11f44531fb088d31307d87b01e8eabff.rar /tmp/
cd /tmp
chown analyst:analyst 11f44531fb088d31307d87b01e8eabff.rar
su analyst
```
Now we need to set up the tools.
```bash
pip install -U XLMMacroDeobfuscator oletools[full]
export PATH=$PATH:$HOME/.local/bin
```
Now, let’s get to the challenge files!
```bash
unrar x 11f44531fb088d31307d87b01e8eabff.rar
```
It’ll ask for a password: enter infected, then a to use the password for all files.

The archive contains research-1646684671.xls, iroto.dll, and iroto1.dll.
So, going back to the challenge description: the other analyst found no VBA macros, so (also given the challenge’s name) we’re looking for XLM (Excel 4.0) macros. Let’s run xlmdeobfuscator!
```bash
xlmdeobfuscator -n -o 0 -f research-1646684671.xls
```
- -n: no interactivity.
- -o: level of detail; 0 is maximum.
- -f: the file to be analyzed.
Fixing bugs in tools: #

The first run hits a bug in the tool. If we go to the issues page on GitHub for XLMMacroDeobfuscator, we quickly find posts with the same issue, along with ways to fix it.

```bash
find / -name "formula.py" 2>/dev/null
nano /home/analyst/.local/lib/python3.8/site-packages/xlrd2/formula.py
```
In nano, CTRL SHIFT - (AKA CTRL _, shown by nano as ^_) lets us choose a line to jump to. The kind person from the GitHub issues page let us know the problem is on line 2451, so we’ll jump there.

Change the 80 on that line to 70, then press CTRL X, then Y, then ENTER to write the changes.
Finally, let’s get back to that xlmdeobfuscation!
```bash
xlmdeobfuscator -n -o 0 -f research-1646684671.xls
```
Bingo!
XLMMacroDeobfuscator: #
Save the full report to a file so we can refer back to it for the questions:
```bash
xlmdeobfuscator -n -o 0 -f research-1646684671.xls > analysis.txt
```
oletools #
Let’s grab some meta information for the questions real quick too.
```bash
olemeta research-1646684671.xls
```
Questions: #
For the first two questions, from the top of the XLM Deobfuscator report:

- Attackers use a function to make the malicious VBA macros they have prepared run when the document is opened. What do attackers change the cell name to in order to make Excel 4.0 macros provide the same functionality?
  - First thing under “Loading Cells”!
  - Answer: auto_open
- What is the address of the first cell where Excel 4.0 macros will run in the malicious Office document you are analyzing? (Example: {doc1!ab3})
  - Again, first thing under “Loading Cells”!
  - (Remove single quotes and dollar signs.)
  - Answer: Doc4!BA7
For the next three questions, from the bottom of the XLM Deobfuscator report:

- Which function is used to start a process in the operating system in the document you are analyzing?
  - Answer: EXEC
- Which LOLBAS tool was used in the Excel 4.0 macros you analyzed? (Format: {xxxx.exe})
  - Answer: regsvr32.exe
- What is the name of the registered DLL?
  - Answer: iroto.dll
Finally, for the last question, from the olemeta report:

- What is the username that made the last change to the malicious document?
  - Answer: Amanda
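As an added example (it is not part of the original writeup, nor code from the XLMMacroDeobfuscator project), here is a small Python triage script that reads a saved report such as analysis.txt and pulls out the three things the questions above ask for: the auto_open cell under “Loading Cells”, every EXEC() call at the bottom of the report, and the LOLBAS binary and DLL named in those calls. The report layout is assumed from the writeup (an auto_open line in the “Loading Cells” section and EXEC("...") in the deobfuscated lines); the embedded sample report is constructed so the script runs offline and is not the real output for research-1646684671.xls, and LOLBAS_BINARIES is a short hand-picked list rather than the full LOLBAS catalogue.

```python
"""Triage a saved XLMMacroDeobfuscator report (added example, not the writeup's code)."""
import json
import re
import sys

# Short hand-picked set of LOLBAS executables that commonly show up in EXEC() calls.
LOLBAS_BINARIES = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "certutil.exe"}

# Constructed sample in the style of an xlmdeobfuscator report. It is a stand-in
# so the script runs offline, NOT the real output for research-1646684671.xls.
SAMPLE_REPORT = """\
[Loading Cells]
auto_open: 'Doc4'!$BA$7
[Starting Deobfuscation]
CELL:BA7 , FullEvaluation , FORMULA("=CHAR(114)",BB7)
CELL:BA9 , FullEvaluation , EXEC("regsvr32.exe /s iroto.dll")
[END of Deobfuscation]
"""


def find_auto_open(report):
    """Return the auto_open cell in the form the questions want (e.g. Doc4!BA7):
    the last token of the auto_open line, with quotes and dollar signs removed."""
    for line in report.splitlines():
        if line.strip().lower().startswith("auto_open"):
            raw = line.split()[-1]      # the cell reference is the last token
            raw = raw.split("->")[-1]   # tolerate a "label->reference" form
            return raw.replace("'", "").replace("$", "")
    return None


def find_exec_calls(report):
    """Return the command strings passed to EXEC() anywhere in the report."""
    return re.findall(r'EXEC\("([^"]*)"', report)


def classify_command(cmd):
    """Split an EXEC() command into the launched binary, whether that binary is
    on our LOLBAS list, and any .dll arguments (what regsvr32 would register)."""
    tokens = cmd.split()
    binary = ""
    if tokens:
        # Drop any directory part (either slash style) and normalise case.
        binary = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    dlls = [t.strip("\"'") for t in tokens[1:] if t.lower().endswith(".dll")]
    return {"binary": binary, "is_lolbas": binary in LOLBAS_BINARIES, "dlls": dlls}


def triage(report):
    """Summarise a report: the auto_open cell, every EXEC() call, and the
    LOLBAS binaries and DLLs those calls reference."""
    calls = []
    for cmd in find_exec_calls(report):
        info = classify_command(cmd)
        info["command"] = cmd
        calls.append(info)
    return {
        "auto_open_cell": find_auto_open(report),
        "exec_calls": calls,
        "lolbas": sorted({c["binary"] for c in calls if c["is_lolbas"]}),
        "dlls": sorted({d for c in calls for d in c["dlls"]}),
    }


if __name__ == "__main__":
    # Usage: python3 triage_xlm.py analysis.txt   (no argument: run on the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    print(json.dumps(triage(text), indent=2))
```

Run it against the analysis.txt saved earlier; the JSON it prints answers the auto_open, EXEC, LOLBAS and DLL questions in one pass, and any EXEC() whose binary is on the LOLBAS list is worth escalating even before the rest of the macro is read.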