The latest wave of phishing documents has our team stumped. Figure out what they are doing and get the flag.
Category: Forensics
Solver: lmarschk, mp455
Flag: HTB{hT4_j4V@sCr1pT_vBs_0h_mY!}
Writeup
Summary: Deobfuscate the macro and the JS script
We get a phishing document `airship_incognito.doc`. When we open the document we get the notification that it contains macros. Inside the document we see an image that invites us to the "unveiling of the airship incognito". But below the image we notice unreadable text in a tiny font size.
Let’s take a look at the macro.
- We can see the entry point `document_open()` that calls the sub `i` with two parameters, including `cmd.exe /s /c`.
- The sub `i` is very straightforward:
  - We join strings resulting in the file `c:\programdata\index.hTA`, meaning that we work with Microsoft HTML Applications here. These applications may also contain VBScripts next to JS scripts.
  - Deobfuscate the text in the document by removing all "tumdl" occurrences.
  - Write the content to the file.
  - And execute the file.
- In the produced file we again find an obfuscated and this time encoded text part, and below it JS scripts that decode the text part and VBScripts that execute the three decoded text parts stored in the `procITo` array.
- The first decoded VBScript downloads something from a URL and saves it to `c:\users\public\defineDefineFunc.jpg`.
- The second decoded VBScript registers the downloaded content as a command component in the registry via `regsvr32`.
- The third decoded VBScript is just `msscriptcontrol.scriptcontrol`, the abstract base class for a script control.
- But where is the flag?
- The array `procITo` does not contain only three elements but four. The fourth, unused element can be decoded to the flag: `HTB{hT4_j4V@sCr1pT_vBs_0h_mY!}`.
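The deobfuscation step the macro performs (strip every "tumdl" token from the hidden text) is easy to reproduce offline so the dropped HTA can be inspected without ever running the document. The following Python script is an added example written for this writeup, not code from the challenge or from the solvers; the hidden text it works on is a constructed sample that imitates the obfuscation, not the real document content, and the `WScript.Shell` line is part of that constructed sample. After stripping the token it checks whether the result looks like an HTA and lists the triage indicators an analyst would pull out (script languages, ProgIDs passed to `CreateObject`, file paths, and LOLBins such as `regsvr32`).

```python
import re

# Junk token the macro strips out of the document's hidden text (from the writeup).
JUNK_TOKEN = "tumdl"

# Constructed sample, not the real document text: an HTA-like payload with the
# junk token inserted at arbitrary positions, the way the hidden text was obfuscated.
SAMPLE_HIDDEN_TEXT = (
    '<tumdlhtml><htumdlead>'
    '<scritumdlpt lantumdlguage="VBtumdlScript">'
    'Set o = CreatumdlteObject("tumdlmsscriptcontrol.scriptcontrol")\n'
    'Set sh = CreateObject("WScrtumdlipt.Shell")\n'
    'sh.Run "regtumdlsvr32 c:\\users\\putumdlblic\\defineDefineFunc.jpg"\n'
    '</sctumdlript></htumdlead></html>'
)


def deobfuscate(text, token=JUNK_TOKEN):
    """Reproduce the macro's deobfuscation step: drop every occurrence of the junk token."""
    return text.replace(token, "")


def extract_indicators(hta):
    """Pull triage-relevant artifacts out of a recovered HTA body."""
    return {
        # languages declared on <script> tags (VBScript / JScript mix is typical for HTAs)
        "script_languages": re.findall(r'<script[^>]*language="([^"]+)"', hta, re.I),
        # ProgIDs handed to CreateObject, e.g. msscriptcontrol.scriptcontrol
        "progids": re.findall(r'CreateObject\("([^"]+)"\)', hta, re.I),
        # absolute Windows paths (drop locations such as c:\users\public\...)
        "file_paths": re.findall(r'[a-zA-Z]:\\[^\s"\'<>]+', hta),
        # living-off-the-land binaries referenced by the script
        "lolbins": sorted({m.lower() for m in
                           re.findall(r'\b(regsvr32|mshta|cmd\.exe|powershell)\b', hta, re.I)}),
    }


def triage(hidden_text, token=JUNK_TOKEN):
    """Strip the junk token, decide whether the result is an HTA, and list its indicators."""
    recovered = deobfuscate(hidden_text, token)
    lowered = recovered.lower()
    return {
        "junk_tokens_removed": hidden_text.count(token),
        "looks_like_hta": "<script" in lowered and ("vbscript" in lowered or "javascript" in lowered),
        "recovered": recovered,
        "indicators": extract_indicators(recovered),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_HIDDEN_TEXT)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the real document you would feed `triage()` the tiny-font text extracted from the `.doc` (for example via `olevba` or by reading the document body) and then hand the recovered HTA to the next stage of analysis, where the encoded `procITo` entries still need the page's JS decoder applied before the VBScript bodies become readable.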