We received an email from one of our clients regarding an invoice, which contains an attachment. However, after calling the client it seems they have no knowledge of this. We strongly believe that this document contains something malicious. Can you take a look?

Category: forensics

Solver: mp455

Writeup

Since we suspect that the given document ‘invoice.docx’ contains something malicious, we refrain from opening or executing it for the moment. There are other ways to inspect docx documents:

Unzip

Knowing that docx documents are just archives, we can unpack ‘invoice.docx’.

Besides some files containing innocuous metadata, we find the main content in ‘/word/document.xml’.

document.xml

First we pretty-print the XML.

There we immediately notice a long run of suspicious numbers:

<w:fldSimple w:instr=" QUOTE 112 111 119 101 114 115 104 101 108 108 32 45 101 112 32 98 121 112 97 115 115 32 45 101 32 83 65 66 85 65 69 73 65 101 119 66 69 65 68 65 65 98 103 65 51 65 70 56 65 78 65 65 49 65 69 115 65 88 119 66 78 65 68 77 65 88 119 66 111 65 68 65 65 86 119 66 102 65 68 69 65 78 119 66 102 65 72 99 65 77 65 66 83 65 69 115 65 78 81 66 102 65 69 48 65 78 65 65 51 65 68 77 65 102 81 65 61 ">


To find out what these numbers mean, we first do some reading.

A simple Google search for: fldSimple instr "QUOTE"

leads directly to the explanation of the numbers.

The QUOTE field can be supplied with a character's ordinal value and it will automatically convert this to the corresponding character.

So we decode the numbers as ASCII and get:

powershell -ep bypass -e SABUAEIAewBEADAAbgA3AF8ANAA1AEsAXwBNADMAXwBoADAAVwBfADEANwBfAHcAMABSAEsANQBfAE0ANAA3ADMAfQA=

The trailing ‘=’ padding identifies the last part as base64, and PowerShell's -e (-EncodedCommand) switch expects exactly that: a base64 encoding of UTF-16LE text. Decoding it gives:

HTB{D0n7_45K_M3_h0W_17_w0RK5_M473}
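As an added example (not part of the original writeup), here is a small Python triage script that automates the steps above: read word/document.xml straight out of the archive, find fldSimple fields whose field code is QUOTE, render the ordinals, and decode a PowerShell -e/-EncodedCommand argument as base64 of UTF-16LE text. The embedded SAMPLE_DOCUMENT_XML is constructed from the field shown above; the function names (triage, triage_docx, etc.) are my own choice.

```python
import base64
import re
import zipfile
from typing import List, Optional
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Constructed stand-in for word/document.xml, carrying the QUOTE field from the writeup.
SAMPLE_DOCUMENT_XML = (
    f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
    '<w:fldSimple w:instr=" QUOTE 112 111 119 101 114 115 104 101 108 108 32 45 101 112 32 98 121 112 97 115 115 '
    '32 45 101 32 83 65 66 85 65 69 73 65 101 119 66 69 65 68 65 65 98 103 65 51 65 70 56 65 78 65 65 49 65 69 115 '
    '65 88 119 66 78 65 68 77 65 88 119 66 111 65 68 65 65 86 119 66 102 65 68 69 65 78 119 66 102 65 72 99 65 77 '
    '65 66 83 65 69 115 65 78 81 66 102 65 69 48 65 78 65 65 51 65 68 77 65 102 81 65 61 "><w:r><w:t/></w:r></w:fldSimple>'
    '</w:p></w:body></w:document>'
)

def quote_fields(document_xml: str) -> List[str]:
    """Return the w:instr text of every fldSimple whose field code is QUOTE."""
    root = ET.fromstring(document_xml)
    fields = []
    for fld in root.iter(f"{{{W_NS}}}fldSimple"):
        instr = fld.get(f"{{{W_NS}}}instr", "")
        if instr.strip().upper().startswith("QUOTE"):
            fields.append(instr)
    return fields

def decode_quote_ordinals(instr: str) -> str:
    """Render a 'QUOTE 112 111 ...' field code the way Word would: each number is a character ordinal."""
    numbers = re.findall(r"\d+", instr.upper().split("QUOTE", 1)[1])
    return "".join(chr(int(n)) for n in numbers)

def decode_encoded_command(command: str) -> Optional[str]:
    """If the rendered text launches powershell with -e/-enc/-EncodedCommand, decode the base64 UTF-16LE argument."""
    m = re.search(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", command)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")

def triage(document_xml: str) -> List[dict]:
    """One finding per QUOTE field: the rendered text and, if present, the decoded PowerShell payload."""
    return [{"rendered": r, "decoded_command": decode_encoded_command(r)}
            for r in map(decode_quote_ordinals, quote_fields(document_xml))]

def triage_docx(path: str) -> List[dict]:
    """Pull word/document.xml out of the .docx archive (it is just a zip) without ever opening it in Word."""
    with zipfile.ZipFile(path) as z:
        return triage(z.read("word/document.xml").decode("utf-8"))

if __name__ == "__main__":
    for finding in triage(SAMPLE_DOCUMENT_XML):
        print("rendered :", finding["rendered"])
        print("decoded  :", finding["decoded_command"])
```

Run it against a real file with triage_docx("invoice.docx"); on the sample it prints the powershell command line followed by the decoded flag.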

Other resources