The latest wave of phishing documents has our team stumped. Figure out what they are doing and get the flag.

Category: Forensics

Solver: lmarschk, mp455

Flag: HTB{hT4_j4V@sCr1pT_vBs_0h_mY!}


Summary: Deobfuscate the Makro and the JS Script

We get a phishing document airship_incognito.doc. When we open the document we get the notification that this document contains macros. Inside the document we see an image that invotes us to the “unveiling of the airship incognito”. But below the image we notice an unreadable text with a tiny font size.

Let’s take a look at the macro.

  • We can see the entry point document_open() that calls the Sub i with two parameters including cmd.exe /s /c.
  • The sub i is very straightforward
    • We joint strings resulting in the file c:\\programdata\\index.hTA meaning that we work with Microsoft HTML Applications here. These applications may also contain VBScripts next to JS Scripts.
    • Deobfuscate the text in the document by removing all “tumdl” occurrences.
    • Write the content in the file
    • And execute the file.
  • In the produced file we again find a obfuscated and this time encoded text part and below JS scripts that decode the text part and VBScripts that execute the three decoded text parts stored in the procITo array.
  • The first decoded VBScript downloads something from an url and saves it into c:\\users\\public\\defineDefineFunc.jpg.
  • The second decoded VBScript registers the downloaded content add command component in the registry via regsvr32.
  • The third decoded VBScript is just msscriptcontrol.scriptcontrol, the abstract base class for a script control.
  • But where is the flag?
    • The array procITo does not only contains three elements but four. The fourth, not used element can be decoded to the flag: HTB{hT4_j4V@sCr1pT_vBs_0h_mY!}.