
(Writeup) LetsDefend Challenge - Malicious VBA


Welcome!

  • LetsDefend is a Blue Team Training platform.
  • This writeup is a challenge on LetsDefend.

Challenge Details:

  • Role targeted: Security Analyst
  • Skill Level: Easy

Description:

One of the employees has received a suspicious document attached in the invoice email. They sent you the file to investigate. You managed to extract some strings from the VBA Macro document. Can you refer to CyberChef and decode the suspicious strings?

Please, open the document in Notepad++ for security reasons unless you are running the file in an isolated sandbox.

Malicious Macro: /root/Desktop/ChallengeFiles/invoice.vb

This challenge was prepared by @RussianPanda


Lab Start:

Just the ChallengeFiles directory on the desktop, no tools.

The vb file is ASCII, so let’s give it a quick look in less.

It’s obfuscated. Those strings are obviously hex, though.

grep -oP '"(.*?)"' invoice.vb | while read -r line; do echo; printf '%s\n' "$line" | xxd -r -p; done
  • grep - (o)nly print the part of each line that matches the (P)erl regex, i.e. every double-quoted string in invoice.vb.
  • while - each matched string is read as one line: print a blank line, then pipe the string to xxd.
  • xxd - (r)everse a (p)lain hex dump (a run of hex digits with no offsets or column layout) back into bytes; stray non-hex characters such as the surrounding quotes are ignored.
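As an added illustration, not part of the original writeup or of the challenge file, the same decoding step in Python. It does what the grep | xxd pipeline does, but leaves non-hex and odd-length literals undecoded instead of emitting garbage, and flags decoded strings that match a short watch list. The SAMPLE_VB snippet, its hand-computed hex literals and the SUSPICIOUS_MARKERS list are constructed here from the answers in this writeup; they are assumptions, not the contents of invoice.vb.

```python
import re

# Double-quoted VBA string literals. VBA writes an embedded quote as "",
# which this simple pattern would split; good enough for a hex-string hunt.
QUOTED = re.compile(r'"([^"]*)"')
HEX_ONLY = re.compile(r'[0-9A-Fa-f]+')

# Decoded strings worth flagging (assumption: taken from the writeup's answers).
SUSPICIOUS_MARKERS = ("MSXML2.ServerXMLHTTP", "ADODB.Stream", "winmgmts:",
                      "http://", "https://")

# Constructed sample standing in for invoice.vb. The hex was computed by hand
# from: dropped.exe, MSXML2.ServerXMLHTTP, ADODB.Stream, winmgmts:
# plus one plain string and one odd-length fragment as edge cases.
SAMPLE_VB = '''Sub AutoOpen()
    Dim a, b, c, d, e, f
    a = "64726f707065642e657865"
    b = "4d53584d4c322e536572766572584d4c48545450"
    c = "41444f44422e53747265616d"
    d = "77696e6d676d74733a"
    e = "Plain text"
    f = "abc"
End Sub
'''


def decode_literal(literal):
    """Decode a hex-encoded literal to text. Returns None when the literal is
    not even-length hex or does not decode to printable ASCII, so ordinary
    strings and odd-length fragments pass through undecoded."""
    if len(literal) % 2 or not HEX_ONLY.fullmatch(literal):
        return None
    try:
        text = bytes.fromhex(literal).decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def decode_vba_strings(source):
    """Return [(literal, decoded_or_None)] for every quoted literal in source,
    in file order, mirroring the grep | xxd pipeline."""
    return [(lit, decode_literal(lit)) for lit in QUOTED.findall(source)]


def find_markers(decoded):
    """Return (marker, string) pairs for decoded strings matching the watch list."""
    hits = []
    for text in decoded:
        for marker in SUSPICIOUS_MARKERS:
            if marker.lower() in text.lower():
                hits.append((marker, text))
    return hits


if __name__ == "__main__":
    results = decode_vba_strings(SAMPLE_VB)
    for literal, decoded in results:
        print(f"{literal!r:45} -> {decoded!r}")
    for marker, text in find_markers([d for _, d in results if d]):
        print(f"flag {marker}: {text}")
```

Point the script at a real macro dump by reading the file into decode_vba_strings instead of SAMPLE_VB; only the literals that are clean hex get decoded, which is the same filtering a reviewer does by eye in CyberChef.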

A little cleanup in nano.


Questions:

  1. The document initiates the download of a payload after the execution, can you tell what website is hosting it?
    • Answer: https://tinyurl.com/g2z2gh6f
  2. What is the filename of the payload (include the extension)?
    • Answer: dropped.exe
  3. What method is it using to establish an HTTP connection between files on the malicious web server?
    • Answer: MSXML2.ServerXMLHTTP
  4. What user-agent string is it using?
    • Answer: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
  5. What object does the attacker use to be able to read or write text and binary files?
    • Answer: ADODB.Stream
  6. What is the object the attacker uses for WMI execution? Possibly they are using this to hide the suspicious application running in the background.
    • Answer: winmgmts:\\.\root\cimv2:win32_process
Author: Reed Eggleston
B.S. in Cybersecurity | SSCP | CySA+ | PenTest+ | Project+