In this cybersecurity lab, you step into the role of a Security Operations Center (SOC) analyst, tasked with investigating a suspicious Microsoft Word document that was flagged by the enterprise Endpoint Detection and Response (EDR) system. The alert was triggered by unusual behavior originating from an end-user machine, prompting a deeper forensic analysis. The user reported receiving an email attachment from an unknown sender, which, upon opening, exhibited potential signs of malicious activity. Your objective in this lab is to perform a detailed investigation to uncover the underlying threat, analyze the obfuscation techniques, and identify the malware execution flow.
The analysis begins by identifying the file type and computing its hash to verify its integrity and uniqueness. You will then extract and inspect embedded macros within the document, as adversaries often use malicious VBA scripts to execute code upon document opening. Using specialized tools, you will identify macro streams, isolate potentially malicious code, and deobfuscate it to understand its true intent. A key part of this investigation involves dissecting command-line arguments, examining the decryption mechanisms, and reconstructing the final payload execution sequence.
As the investigation progresses, you will encounter JavaScript-based obfuscation, an approach frequently used by attackers to hide their malicious intent. By applying decryption techniques, including Base64 decoding and RC4 decryption, you will unveil the final stage of execution. This step is crucial in understanding how the malware retrieves additional payloads, executes commands on the system, and potent