Recently, we have seen a resurgence of Excel-based malicious Office documents. However, instead of using VBA-style macros, they are using the older-style Excel 4.0 (XLM) macros. This changes our approach to analyzing these documents, requiring a slightly different set of tools. In this challenge, you'll get hands-on with two documents that use Excel 4.0 macros to perform anti-analysis checks and download the next stage of the attack.
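Much of the Excel 4.0 triage work (finding hidden and "very hidden" sheets, and telling ordinary worksheets from macro sheets) comes down to reading BOUNDSHEET records from the BIFF stream inside the workbook. The following is an added example, not code from the challenge, from oledump/plugin_biff, or from XLMDeobfuscator. It assumes you have already extracted the raw `Workbook` stream from the OLE container (for example with olefile); the BIFF bytes it parses are constructed here for the demonstration, not taken from either sample.

```python
"""Minimal BIFF8 BOUNDSHEET parser: lists every sheet in a Workbook stream
with its visibility state and whether it is an Excel 4.0 macro sheet.
Added example; the sample stream below is constructed, not a real document."""
import struct

# Record ids from the BIFF8 specification (MS-XLS)
BOF = 0x0809
BOUNDSHEET = 0x0085
EOF = 0x000A

# hsState (low two bits of the byte after lbPlyPos) and dt (sheet type)
HS_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "Excel 4.0 macro sheet",
              0x02: "chart", 0x06: "VBA module"}


def iter_records(stream):
    """Yield (record_id, payload) for each record in a BIFF stream.
    Every record is a 2-byte id, a 2-byte payload length, then the payload."""
    off = 0
    while off + 4 <= len(stream):
        rid, size = struct.unpack_from("<HH", stream, off)
        yield rid, stream[off + 4:off + 4 + size]
        off += 4 + size


def parse_boundsheet(payload):
    """Decode one BOUNDSHEET payload.
    Layout: lbPlyPos (4) | hsState (1, low 2 bits) | dt (1) |
            cch (1) | fHighByte (1) | name (cch bytes, or 2*cch if UTF-16)."""
    pos, hs, dt, cch, flags = struct.unpack_from("<IBBBB", payload, 0)
    if flags & 0x01:
        name = payload[8:8 + 2 * cch].decode("utf-16-le")
    else:
        name = payload[8:8 + cch].decode("latin-1")
    return {
        "name": name,
        "offset": pos,                                  # where the sheet's BOF lives
        "state": HS_STATE.get(hs & 0x03, "unknown"),
        "type": SHEET_TYPE.get(dt, "unknown(0x%02x)" % dt),
    }


def list_sheets(stream):
    """Sheet directory of a Workbook stream, in record order (the order
    in which the BOUNDSHEET records appear in the file)."""
    return [parse_boundsheet(p) for rid, p in iter_records(stream) if rid == BOUNDSHEET]


def flag_suspicious(sheets):
    """Sheets worth a closer look: anything not visible, plus every
    Excel 4.0 macro sheet whether hidden or not."""
    return [s for s in sheets
            if s["state"] != "visible" or s["type"] == "Excel 4.0 macro sheet"]


# --- constructed sample stream (hypothetical names, not from the challenge) ---
def build_boundsheet(name, hs, dt, pos=0, wide=False):
    """Serialize a BOUNDSHEET record; used only to build the demo stream."""
    raw = name.encode("utf-16-le") if wide else name.encode("latin-1")
    body = struct.pack("<IBBBB", pos, hs, dt, len(name), 1 if wide else 0) + raw
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body


SAMPLE_STREAM = (
    struct.pack("<HH", BOF, 16) + bytes(16)                  # BOF with dummy payload
    + build_boundsheet("Sheet1", 0, 0x00, pos=0x400)         # ordinary, visible
    + build_boundsheet("Invoice", 1, 0x00, pos=0x800)        # hidden worksheet
    + build_boundsheet("Macro1", 2, 0x01, pos=0xC00)         # very hidden XLM macro sheet
    + struct.pack("<HH", EOF, 0)
)

if __name__ == "__main__":
    sheets = list_sheets(SAMPLE_STREAM)
    for s in sheets:
        print("%-10s %-12s %s" % (s["name"], s["state"], s["type"]))
    print("suspicious:", [s["name"] for s in flag_suspicious(sheets)])
```

The `state` field is what separates a merely hidden sheet (which a user can unhide from the Excel UI) from a very hidden one (which can only be unhidden through VBA or a hex editor), and the `type` field is what tells you a sheet holds XLM formulas rather than data. On a real document, run `list_sheets` over the extracted `Workbook` stream and compare its output with what plugin_biff reports.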

Samples:

  • Sample1: MD5: fb5ed444ddc37d748639f624397cff2a
  • Sample2: MD5: b5d469a07709b5ca6fee934b1e5e8e38

Helpful Tools:

  • REMnux VM
  • XLMDeobfuscator
  • OLEDUMP with PLUGIN_BIFF
  • Office IDE

Suggested Resources:

| # | Question | Weight | Solved |
|---|----------|--------|--------|
| 1 | Sample1: What is the document decryption password? | 100 | 28 |
| 2 | Sample1: What command argument would you use with OLEDUMP's plugin_biff to select all records relevant for Excel 4.0 macros? | 100 | 30 |
| 3 | Sample1: This document contains six hidden sheets. What are their names? Provide the values in the order displayed by plugin_biff. | 200 | 22 |
| 4 | Sample1: What URL is the malware using to download the next stage? Only include the second-level and top-level domain. For example, xyz.com. | 200 | 29 |
| 5 | Sample1: What malware family was this document attempting to drop? | 200 | 24 |
| 6 | Sample2: This document has a very hidden sheet. What is the name of this sheet? | 200 | 27 |
| 7 | Sample2: This document uses reg.exe. What registry key is it checking? | 500 | 23 |
| 8 | Sample2: From the use of reg.exe, what value of the assessed key indicates a sandbox environment? | 100 | 17 |
| 9 | Sample2: This document performs several additional anti-analysis checks. What Excel 4 macro function does it use? | 300 | 25 |
| 10 | Sample2: This document checks for the name of the environment in which Excel is running. What value is it using to compare? | 400 | 21 |
| 11 | Sample2: What type of payload is downloaded? | 600 | 22 |
| 12 | Sample2: What URL does the malware download the payload from? | 600 | 20 |
| 13 | Sample2: What is the filename that the payload is saved as? | 400 | 21 |
| 14 | Sample2: How is the payload executed? For example, mshta.exe | 500 | 20 |
| 15 | Sample2: What was the malware family? | 800 | 24 |