XLM Macros Blue Team Challenge

Category : Malware Analysis

4.4

Medium

Sample1: What is the document decryption password?

Weight : 100 | Solved : 464

Sample1: This document contains six hidden sheets. What are their names? Provide the value of the one starting with S.

Weight : 200 | Solved : 448

Sample1: What URL is the malware using to download the next stage? Only include the second-level and top-level domain. For example, xyz.com.

Weight : 200 | Solved : 449

Sample1: What malware family was this document attempting to drop?

Weight : 200 | Solved : 417

Sample2: This document has a very hidden sheet. What is the name of this sheet?

Weight : 200 | Solved : 417

Sample2: This document uses reg.exe. What registry key is it checking?

Weight : 500 | Solved : 379

Sample2: From the use of reg.exe, what value of the assessed key indicates a sandbox environment?

Weight : 100 | Solved : 381

Sample2: This document performs several additional anti-analysis checks. What Excel 4 macro function does it use?

Weight : 300 | Solved : 377

Sample2: This document checks for the name of the environment in which Excel is running. What value is it using to compare?

Weight : 400 | Solved : 362

Q10

Sample2: What type of payload is downloaded?

Weight : 600 | Solved : 380

Q11

Sample2: What URL does the malware download the payload from?

Weight : 600 | Solved : 360

Q12

Sample2: What is the filename that the payload is saved as?

Weight : 400 | Solved : 357

Q13

Sample2: How is the payload executed? For example, mshta.exe

Weight : 500 | Solved : 359

Q14

Sample2: What was the malware family?

Weight : 800 | Solved : 361

Instructions:

Use the password "cyberdefenders.org" to uncompress challenge files and inspect samples.

Recently, we have seen a resurgence of Excel-based malicous office documents. Howerver, instead of using VBA-style macros, they are using older style Excel 4 macros. This changes our approach to analyzing these documents, requiring a slightly different set of tools. In this challenge, you, as a security blue team analyst will get hands-on with two documents that use Excel 4.0 macros to perform anti-analysis and download the next stage of the attack.

Samples:

Sample1: MD5: fb5ed444ddc37d748639f624397cff2a
Sample2: MD5: b5d469a07709b5ca6fee934b1e5e8e38

Helpful Tools:

REMnux VM
XLMDeobfuscator
OLEDUMP with PLUGIN_BIFF
Office IDE

Suggested Resources:

Stuck? Don't worry

We've got you covered! 🛠️ Head over to the community lab channel for guidance #xlm-macros channel

SHA1SUM:

35fb4497de1633d6887fd1453ee1426ca627eeec
Password:

cyberdefenders.org
Size:

174K
Published:

Feb. 16, 2021, midnight

First blood

poisonous

956 days ago

Last solve

Aiyak

today

Blog

Media Kit

Store

Careers

XLM Macros Blue Team Challenge

Category : Malware Analysis

Macro

OLEDUMP

XLM

XLS

Excel 4 macros

XLMDeobfuscator

REMnux

anti-analysis

Office IDE

Stuck? Don't worry

First blood

Last solve