Threat actors commonly use living off the land (LOTL) techniques, such as executing PowerShell, to further their attacks and pivot away from macro code. This challenge shows how quick analysis is often enough to extract important IOCs. The exercise focuses on static analysis techniques.


Suggested Tools:

  • REMnux Virtual Machine (remnux.org)
  • Terminal or command prompt with Python installed
  • Oledump
  • Text editor
#   Weight  Solved  Question
1   100     98      What streams contain macros in this document? (comma-separated, ascending)
2   100     101     What command-line argument with Oledump do you use to view the raw content of a stream? (Do not include the leading dash)
3   100     104     What event is used to begin the execution of the macros?
4   100     100     What malware family was this maldoc attempting to drop?
5   200     80      What index is responsible for the storage of the base64-encoded string?
6   200     87      What WMI class is used to create the process to launch the trojan?
7   200     80      What is the purpose of the base64-encoded string?
8   300     83      This document contains a user-form. Provide its name.
9   500     83      This document contains an obfuscated base64-encoded string; what value is used to pad (or obfuscate) this string?
10  1000    86      Multiple domains were contacted to download a trojan. Provide the domain names as per the provided hint (comma-separated).