It is common for threat actors to use living off the land (LOTL) techniques, such as executing PowerShell to move beyond macro code and further their attacks. This challenge is intended to show how you can often perform quick analysis to extract important IOCs. The focus of this exercise is on static analysis techniques.
REMnux Virtual Machine (remnux.org)
Terminal/Command prompt w/ Python installed
What streams contain macros in this document? (comma-separated, ascending).
What command-line argument with Oledump do you use to view the raw content of a stream? (Do not include the leading dash)
What event is used to begin the execution of the macros?
What malware family was this maldoc attempting to drop?
What index is responsible for the storage of the base64-encoded string?
What WMI class is used to create the process to launch the trojan?
What is the purpose of the base64-encoded string?
This document contains a user form. Provide its name.
This document contains an obfuscated base64-encoded string; what value is used to pad (or obfuscate) this string?
Multiple domains were contacted to download a trojan. Provide the domain names as per the provided hint. (comma-separated)
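As an added example that is not part of the challenge or its document, the kind of quick static triage script the questions above point at: take one line dumped from a macro stream, find the non-base64 "padding" character that was inserted to break naive base64 searches, strip it, decode, and pull the contacted hostnames out as IOCs. The macro line, the junk character and the hostnames are all constructed for this example (the hostnames use the reserved .invalid TLD), and the obfuscation scheme (a junk character inserted at fixed intervals into the base64 text) is an assumption, not a description of the challenge's sample.

```python
import base64
import re
import string

# --- Constructed sample input (not taken from the challenge document) -------
# Decoded payload, junk character and hostnames are made up for this example.
PAYLOAD = "http://dl-one.invalid/update.bin;http://dl-two.invalid/update.bin"
JUNK_CHAR = "~"   # the "padding" value an analyst has to discover


def obfuscate(payload: str, junk: str, every: int = 4) -> str:
    """Base64-encode payload and insert `junk` after every `every` characters,
    the assumed way a macro might hide a string from a plain base64 search."""
    b64 = base64.b64encode(payload.encode()).decode()
    return junk.join(b64[i:i + every] for i in range(0, len(b64), every))


# A VBA-style assignment as it might appear in a dumped macro stream.
# Built here so the sample stays consistent with the decoded payload above.
SAMPLE_MACRO_LINE = 'strCmd = "' + obfuscate(PAYLOAD, JUNK_CHAR) + '"'

# --- Analysis helpers --------------------------------------------------------
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def quoted_strings(vba_line: str) -> list:
    """Return every double-quoted literal in one line of VBA."""
    return re.findall(r'"([^"]*)"', vba_line)


def find_junk_chars(blob: str) -> set:
    """Characters that cannot occur in base64: candidates for the pad value."""
    return {c for c in blob if c not in B64_ALPHABET}


def deobfuscate_base64(blob: str, junk: set) -> str:
    """Strip the junk characters, repair '=' padding and decode to text."""
    clean = "".join(c for c in blob if c not in junk)
    clean += "=" * (-len(clean) % 4)  # base64 length must be a multiple of 4
    return base64.b64decode(clean, validate=True).decode("utf-8", errors="replace")


def extract_domains(text: str) -> list:
    """Unique hostnames from any URLs in the text, sorted for a stable IOC list."""
    return sorted(set(URL_RE.findall(text)))


def analyze(vba_line: str) -> dict:
    """Run the whole pipeline on one dumped macro line."""
    literal = max(quoted_strings(vba_line), key=len)  # longest literal is the blob
    junk = find_junk_chars(literal)
    decoded = deobfuscate_base64(literal, junk)
    return {
        "pad": "".join(sorted(junk)),
        "decoded": decoded,
        "domains": extract_domains(decoded),
    }


if __name__ == "__main__":
    print("macro line:", SAMPLE_MACRO_LINE)
    for key, value in analyze(SAMPLE_MACRO_LINE).items():
        print(f"{key:8}: {value}")
```

In practice the input line would come from the raw dump of the macro stream rather than being built in the script; the helpers work the same way on that text, and `find_junk_chars` is the step that answers the "what value pads the string" question without guessing.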
You have successfully completed the challenge. You can share your achievement with the community.