As a SOC analyst, you were asked to inspect a suspicious document a user received in their inbox. One of your colleagues told you that he could not find anything suspicious. However, submitting the document to the sandboxing solution triggered some alerts.
Your job is to investigate the document further and confirm whether or not it is malicious.
Microsoft Office IDE
Scdbg or Speakeasy
What is the CVE ID of the exploited vulnerability?
To reproduce the exploit in a lab environment and mimic a corporate machine running Microsoft Office 2007, a specific patch must not be installed. Provide the patch number.
What is the magic signature in the object data?
What is the name of the spawned process when the document gets opened?
What is the full path of the downloaded payload?
Where is the URL used to fetch the payload?
What is the flag inside the payload?
The document contains an obfuscated shellcode. What string was used to cut the shellcode in half? (Two words, space in between)
What function was used to download the payload file from within the shellcode?
What function was used to execute the downloaded payload file?
Which DLL gets loaded using the "LoadLibraryA" function?
What is the FONT name that gets loaded by the process to trigger the buffer overflow exploit? (3 words)
What is the GitHub link of the tool that was likely used to make this exploit?
What is the memory address written by the exploit to execute the shellcode?