The MalDoc101 Lab focuses on the analysis of a malicious Microsoft Office document that relies on VBA macros and obfuscation techniques to deliver a potentially harmful payload. The lab is an opportunity to practice static analysis, a critical skill for blue team analysts, because it allows meaningful indicators of compromise (IOCs) to be extracted without ever executing the malicious file. The challenge highlights the importance of understanding document structures, macro behaviors, encoding methods, and the tools required to analyze such artifacts effectively.

Throughout this lab, you will explore how threat actors use living-off-the-land (LOTL) techniques to execute malicious code, often transitioning from macro-based automation to more advanced attack vectors. The document's streams and macros reveal how attackers employ obfuscation tactics, such as base64 encoding with embedded noise, to conceal malicious payloads. UserForms and auto-execution triggers further illustrate the sophistication and creativity attackers bring to crafting their delivery mechanisms.

This walkthrough leverages tools such as oledump for stream analysis, olevba for macro inspection, and online threat intelligence platforms like VirusTotal to contextualize the findings.
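Two of the analysis steps described above, spotting auto-execution entry points in extracted VBA and stripping noise out of a base64 blob before decoding it, can be scripted once the macro text has been dumped with olevba. The following is an added example written for this walkthrough, not code from the lab or from the oledump/olevba projects; the VBA snippet, the noise token `_junk_` and the decoded payload are all constructed placeholders, since the page does not reproduce the real ones.

```python
import base64
import re

# Standard VBA auto-execution procedure names that olevba reports as AutoExec.
AUTOEXEC_TRIGGERS = ("AutoOpen", "Document_Open", "Workbook_Open", "Auto_Open")


def find_autoexec(vba_source: str) -> list:
    """Return the auto-exec procedure names declared in a VBA module's source."""
    found = []
    for name in AUTOEXEC_TRIGGERS:
        # Match 'Sub Document_Open' regardless of Private/Public prefix or case.
        if re.search(r"\bSub\s+" + re.escape(name) + r"\b", vba_source, re.IGNORECASE):
            found.append(name)
    return found


def decode_noisy_base64(blob: str, noise: str) -> bytes:
    """Remove a known noise token, drop any other non-base64 characters,
    repair padding and decode. The noise token must come from your own
    analysis of the macro; it is an assumption supplied by the caller."""
    cleaned = blob.replace(noise, "")
    cleaned = re.sub(r"[^A-Za-z0-9+/=]", "", cleaned)
    cleaned += "=" * (-len(cleaned) % 4)   # base64 length must be a multiple of 4
    return base64.b64decode(cleaned)


# --- constructed sample inputs (not from the real MalDoc101 document) ---
SAMPLE_VBA = """
Private Sub Document_Open()
    Call Decode_And_Run
End Sub
"""
SAMPLE_PLAIN = b"constructed sample payload"
NOISE = "_junk_"   # constructed noise token
_b64 = base64.b64encode(SAMPLE_PLAIN).decode()
# Insert the noise token after every 4 base64 characters, as an obfuscator might.
SAMPLE_NOISY = NOISE.join(_b64[i:i + 4] for i in range(0, len(_b64), 4))

if __name__ == "__main__":
    print("auto-exec triggers:", find_autoexec(SAMPLE_VBA))
    print("decoded:", decode_noisy_base64(SAMPLE_NOISY, NOISE))
```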