"Hello World" Guide

Forensics · Харуул Занги U18: 2018 · w01f

Problem

It seems we're given a Microsoft Word 2007+ file. Download it by clicking below.

After opening the file, I didn't find anything particularly interesting to analyze at first glance. The document appeared straightforward with no immediate signs of hidden content or suspicious activity. However, I suspected that there might be something more to uncover beneath the surface. This led me to think that we might need a specialized tool to analyze the file further and extract any hidden figures, macros, or other embedded objects that could be lurking inside the .docm format.

oledump.py is a Python tool used to analyze and extract content from OLE (Object Linking and Embedding) files, such as Microsoft Office documents (.doc, .docx, .xls, .ppt, etc.). For Office 2007+ formats such as .docm, which are ZIP containers, it locates the embedded OLE file inside the archive (here word/vbaProject.bin) and lists its streams.

Access it through here.

After identifying that there might be hidden content within the file, I decided to use oledump.py to extract and analyze the different streams from the .docm file. Here's how I proceeded:

  1. Initial Analysis with oledump.py:

    I ran the command python3 oledump.py haruulzangi.docm to inspect the embedded streams in the .docm file. The output revealed the following streams:

    ┌──(zwique㉿kali)-[~/Downloads]
    └─$ python3 oledump.py haruulzangi.docm 
    A: word/vbaProject.bin
     A1:       405 'PROJECT'
     A2:        71 'PROJECTwm'
     A3: M    2502 'VBA/NewMacros'
     A4: m     938 'VBA/ThisDocument'
     A5:      2728 'VBA/_VBA_PROJECT'
     A6:       569 'VBA/dir'
  • The streams labeled A3 and A4 looked interesting, especially given that stream A3 had the name 'VBA/NewMacros', suggesting it might contain macros or other code that could be worth investigating.

  2. Extracting Stream A4 (ThisDocument):

I first decided to extract stream A4, which corresponds to 'VBA/ThisDocument'. To do this, I ran the following command:

┌──(zwique㉿kali)-[~/Downloads]
└─$ python3 oledump.py haruulzangi.docm -s A4 -d > a4_bin

After extracting it, I used the strings command to search for readable content within the binary file:

┌──(zwique㉿kali)-[~/Downloads]
└─$ strings a4_bin          
Attribut
e VB_Nam
e = "Thi
sDocumen
1Normal
VGlobal!
Spac
Crea
tabl
Pre decla
BExp
Temp
lateDeri
$Custom

Nothing to find

  3. Extracting Stream A3 (NewMacros):

I then shifted my focus to stream A3, labeled 'VBA/NewMacros', as it might contain more significant data. I ran the following command:

┌──(zwique㉿kali)-[~/Downloads]
└─$ python3 oledump.py haruulzangi.docm -s A3 -d > a3_bin
┌──(zwique㉿kali)-[~/Downloads]
└─$ strings a3_bin                                       
unsigned char s[] = SFpVMTh7TWFjcjBfVlNfc2hlbGxDMERFfQ==
    0x22, 0x44, 0xc2, 0x91, 0x31, 0x9, 0x25, 0xe9,
    0x4f, 0xaf, 0xfb, 0xb, 0x8b, 0x78, 0xee, 0xce,5,
    0x95, 0xb4, 0xb5, 0x12, 0x41, 0xf6, 0x37, 0xb8,
for (unsigned int m = 0; m < sizeof(s); ++m)
    unsigned char c = s[m];
    c -= 0x9a;; ++m)
    c ^= 0xc6;signed
    c -= 0x23;
    c = (c >> 0x7) | (c << 0x1);
    c -= m;
    c = (c >> 0x5) | (c << 0x3);<< 0
    c -= 0xfd;-= m;
    c = (c >> 0x2) | (c << 0x6);
    c -= m;
    c ^= 0xda;= (c >
    c += m;
    c = (c >> 0x7) | (c << 0x1); 0xd
    c = ~c;
    c = -c;
    c -= m;
    s[m] = c;
printf("%s\n", s);
Attribut
e VB_Nam
e = "New
Macros"
Sub Doc
s1()
unsigned
 char s[
^SFpVMT
h7TWFjcj
BfVlNfc2
hlbGxDME
RFfQ==
0x22@, 0x44
gf6I
4x43
Vfor (
nt m
< sizeof
(s); ++m/
c -=)
= (c
7) |I
0xfjd
/+= Q
("%s\n",
End

Decoding the base64 string at the top will give you the flag.

SFpVMTh7TWFjcjBfVlNfc2hlbGxDMERFfQ==

HZU18{Macr0_VS_shellC0DE}
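The `strings` output above is fragmented because VBA module streams such as VBA/NewMacros are stored MS-OVBA compressed (oledump's -v option decompresses them). The following is an added example, not code from the original writeup: a small decompressor for that format plus a scan of the recovered source for base64 tokens that decode to printable text. The compressed stream is a constructed sample packed by hand to mirror the macro above; SAMPLE_SOURCE, decompress_vba and find_base64_strings are names chosen here.

```python
import base64, binascii, re, struct

def decompress_vba(buf):
    """Decompress an MS-OVBA container (format of module streams like VBA/NewMacros)."""
    assert buf[0] == 0x01, "missing 0x01 signature byte"
    out, pos = bytearray(), 1
    while pos < len(buf):
        header = struct.unpack_from("<H", buf, pos)[0]
        if ((header >> 12) & 0x07) != 0b011:
            raise ValueError("bad chunk signature")
        chunk_end = min(len(buf), pos + (header & 0x0FFF) + 3)
        chunk_start, pos = len(out), pos + 2   # decompressed offset where this chunk starts
        if not header & 0x8000:                # uncompressed chunk: 4096 raw bytes
            out += buf[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:                 # flag byte, then up to 8 tokens
            flags, pos = buf[pos], pos + 1
            for bit in range(8):
                if pos >= chunk_end: break
                if not (flags >> bit) & 1:     # literal byte
                    out.append(buf[pos]); pos += 1
                    continue
                token = struct.unpack_from("<H", buf, pos)[0]; pos += 2
                bits = max((len(out) - chunk_start - 1).bit_length(), 4)  # offset field width
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                for _ in range(length):        # byte-wise so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)

def find_base64_strings(data, min_len=16):
    """(token, decoded) pairs for base64-looking runs that decode to printable ASCII."""
    found = []
    for tok in re.findall(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, data):
        try:
            plain = base64.b64decode(tok, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if plain.isprintable():
            found.append((tok.decode(), plain))
    return found

# Constructed sample: source a NewMacros-style module might hold, hand-packed into one
# compressed chunk: seven literal-only token groups, then a group whose copy token
# re-uses the first "Sub" (offset 61, length 3).
SAMPLE_SOURCE = (b'Sub Docs1()\r\ns = "SFpVMTh7TWFjcjBfVlNfc2hlbGxDMERFfQ=="\r\n'
                 b'End Sub\r\n')
_body = b"".join(b"\x00" + SAMPLE_SOURCE[i:i + 8] for i in range(0, 56, 8))
_body += b"\x20" + SAMPLE_SOURCE[56:61] + b"\x00\xf0" + SAMPLE_SOURCE[64:66]
SAMPLE_COMPRESSED = b"\x01" + struct.pack("<H", 0xB000 | (len(_body) - 1)) + _body
```

Running find_base64_strings(decompress_vba(SAMPLE_COMPRESSED)) recovers the same flag as the manual decode above.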
