You’ve received a confidential document! Follow the instructions to unlock it.
Note: This is not malware
Author: SteakEnthusiast
invoice.docm
After a bit of exploring, googling “ctf tool to point out what files might contain malware”, I found this. Following the steps in the writeup, I got this:
    ===============================================================================
    FILE: invoice.docm
    Type: OpenXML
    WARNING For now, VBA stomping cannot be detected for files in memory
    -------------------------------------------------------------------------------
    VBA MACRO ThisDocument.cls
    in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Sub AutoOpen()
        Dim v6 As Variant, v7 As Variant
        v6 = Array(98, 120, 113, 99, 116, 99, 113, 108, 115, 39, 116, 111, 72, 113, 38, 123, 36, 34, 72, 116, 35, 121, 72, 101, 98, 121, 72, 116, 39, 115, 114, 72, 99, 39, 39, 39, 106)
        v7 = Array(44, 32, 51, 84, 43, 53, 48, 62, 68, 114, 38, 61, 17, 70, 121, 45, 112, 126, 26, 39, 21, 78, 21, 7, 6, 26, 127, 8, 89, 0, 1, 54, 26, 87, 16, 10, 84)

        Dim v8 As Integer: v8 = 23

        Dim v9 As String, v10 As String, v4 As String, i As Integer
        v9 = ""
        For i = 0 To UBound(v6)
            v9 = v9 & Chr(v6(i) Xor Asc(Mid(Chr(v8), (i Mod Len(Chr(v8))) + 1, 1)))
        Next i

        v10 = ""
        For i = 0 To UBound(v7)
            v10 = v10 & Chr(v7(i) Xor Asc(Mid(v9, (i Mod Len(v9)) + 1, 1)))
        Next i

        MsgBox v10
    End Sub
    -------------------------------------------------------------------------------
    VBA MACRO Module1.bas
    in file: word/vbaProject.bin - OLE stream: 'VBA/Module1'
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (empty macro)
    +----------+--------------------+---------------------------------------------+
    |Type      |Keyword             |Description                                  |
    +----------+--------------------+---------------------------------------------+
    |AutoExec  |AutoOpen            |Runs when the Word document is opened        |
    |Suspicious|Chr                 |May attempt to obfuscate specific strings    |
    |          |                    |(use option --deobf to deobfuscate)          |
    |Suspicious|Xor                 |May attempt to obfuscate specific strings    |
    |          |                    |(use option --deobf to deobfuscate)          |
    +----------+--------------------+---------------------------------------------+

Seems like some sort of program created in Microsoft Office’s VBA. We can find the documentation of certain functions on Microsoft by searching up [function] vba online. Here’s my analysis:
    Sub AutoOpen()
        Dim v6 As Variant, v7 As Variant
        v6 = Array(98, 120, 113, 99, 116, 99, 113, 108, 115, 39, 116, 111, 72, 113, 38, 123, 36, 34, 72, 116, 35, 121, 72, 101, 98, 121, 72, 116, 39, 115, 114, 72, 99, 39, 39, 39, 106) ' array
        v7 = Array(44, 32, 51, 84, 43, 53, 48, 62, 68, 114, 38, 61, 17, 70, 121, 45, 112, 126, 26, 39, 21, 78, 21, 7, 6, 26, 127, 8, 89, 0, 1, 54, 26, 87, 16, 10, 84) ' array

        Dim v8 As Integer: v8 = 23

        Dim v9 As String, v10 As String, v4 As String, i As Integer
        v9 = ""
        For i = 0 To UBound(v6) ' loop through all of v6
            v9 = v9 & Chr(v6(i) Xor Asc(Mid(Chr(v8), (i Mod Len(Chr(v8))) + 1, 1))) ' append v8 ^ v6[i] to v9
        Next i

        v10 = ""
        For i = 0 To UBound(v7)
            v10 = v10 & Chr(v7(i) Xor Asc(Mid(v9, (i Mod Len(v9)) + 1, 1))) ' append v7[i] ^ v9[i] to v10
        Next i

        MsgBox v10
    End Sub

We can easily simulate the same process in Python:
    v6 = [98, 120, 113, 99, 116, 99, 113, 108, 115, 39, 116, 111, 72, 113, 38, 123, 36, 34, 72, 116, 35, 121, 72, 101, 98, 121, 72, 116, 39, 115, 114, 72, 99, 39, 39, 39, 106]
    v7 = [44, 32, 51, 84, 43, 53, 48, 62, 68, 114, 38, 61, 17, 70, 121, 45, 112, 126, 26, 39, 21, 78, 21, 7, 6, 26, 127, 8, 89, 0, 1, 54, 26, 87, 16, 10, 84]
    v8 = 23

    for i in range(len(v6)):
        v6[i] ^= v8
    for i in range(len(v7)):
        v7[i] ^= v6[i]

Let’s print out v7:

    for i in v7:
        print(chr(i), end='')

Except v7 contains some irrelevant message saying “you’ve been hacked”.
Well, v6 is longer than v7 but used in v7’s decryption. This is suspicious. Maybe we try to print out v6?
    for i in v6:
        print(chr(i), end='')

And we get the flag!
uoftctf{d0cx_f1l35_c4n_run_c0de_t000}
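The macro only ever displays v10, so the interesting string is an intermediate key that never reaches the MsgBox. As an added example (not part of the original write-up), the sketch below generalises the manual steps: it pulls every Array(...) literal and integer constant out of the macro source, XORs each array with each constant, then reuses every printable result as a repeating key on the other arrays and reports all printable strings. The helper names parse_macro, xor_bytes, printable and decode_layers are hypothetical.

```python
import re
from itertools import cycle

# Array literals and key copied from the macro on this page.
MACRO = """
v6 = Array(98, 120, 113, 99, 116, 99, 113, 108, 115, 39, 116, 111, 72, 113, 38, 123, 36, 34, 72, 116, 35, 121, 72, 101, 98, 121, 72, 116, 39, 115, 114, 72, 99, 39, 39, 39, 106)
v7 = Array(44, 32, 51, 84, 43, 53, 48, 62, 68, 114, 38, 61, 17, 70, 121, 45, 112, 126, 26, 39, 21, 78, 21, 7, 6, 26, 127, 8, 89, 0, 1, 54, 26, 87, 16, 10, 84)
Dim v8 As Integer: v8 = 23
"""

def parse_macro(src):
    """Pull Array(...) integer literals and byte-sized integer constants out of VBA source."""
    arrays = {m[1]: [int(n) for n in m[2].split(",")]
              for m in re.finditer(r"(\w+)\s*=\s*Array\(([\d,\s]+)\)", src)}
    consts = {m[1]: int(m[2])
              for m in re.finditer(r"(\w+)\s*=\s*(\d+)\s*$", src, re.M)
              if int(m[2]) < 256}
    return arrays, consts

def xor_bytes(data, key):
    """XOR data with a repeating key (the macro's `i Mod Len(key)` indexing)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def printable(buf):
    return all(32 <= c < 127 for c in buf)

def decode_layers(src):
    """Return every printable string the XOR chain can produce, intermediates included."""
    arrays, consts = parse_macro(src)
    found = {}
    # Layer 1: each array against each single-byte constant.
    for a, data in arrays.items():
        for c, k in consts.items():
            out = xor_bytes(data, [k])
            if printable(out):
                found[f"{a}^{c}"] = out.decode()
    # Layer 2: each layer-1 string reused as a repeating key on every array.
    for label, key in list(found.items()):
        for a, data in arrays.items():
            out = xor_bytes(data, key.encode())
            if printable(out):
                found[f"{a}^({label})"] = out.decode()
    return found

if __name__ == "__main__":
    for label, text in decode_layers(MACRO).items():
        print(f"{label:12} {text}")
```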