https://cyberdefenders.org/labs/55

Description

Recently, we have seen a resurgence of Excel-based malicious office documents. However, instead of using VBA-style macros, they are using older-style Excel 4 macros. This changes our approach to analyzing these documents, requiring a slightly different set of tools. In this challenge, you'll get hands-on with two documents that use Excel 4.0 macros to perform anti-analysis and download the next stage of the attack.

Helpful Tools

Questions

1: Sample1: What is the document decryption password?

It seems I can open the document in LibreOffice Calc and use the oledump tools without decrypting the password. However, msoffcrypto-tool does say it is encrypted:

$ msoffcrypto-tool -t -v sample1-fb5ed444ddc37d748639f624397cff2a.bin

msoffcrypto also has a cracking tool:

$ msoffcrypto-crack.py sample1-fb5ed444ddc37d748639f624397cff2a.bin

VelvetSweatshop
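
An added triage example (not from the original write-up and not msoffcrypto-tool's code): in a legacy BIFF8 .xls, the encryption flag is the FilePass record that follows BOF in the Workbook stream, and a workbook protected with Excel's default password VelvetSweatshop carries it even though it opens without a prompt. The code assumes the sample is such an .xls and that the Workbook stream has already been extracted from the OLE container; the function names and sample bytes are constructed for illustration.

```python
import struct

BOF, FILEPASS, EOF = 0x0809, 0x002F, 0x000A  # BIFF8 record type ids

def rec(rtype: int, data: bytes = b"") -> bytes:
    """Build one BIFF record: 2-byte type, 2-byte length, payload."""
    return struct.pack("<HH", rtype, len(data)) + data

def describe_filepass(data: bytes) -> str:
    """Name the scheme declared in a FilePass payload."""
    if len(data) < 2:
        raise ValueError("FilePass record too short")
    (etype,) = struct.unpack_from("<H", data, 0)
    if etype == 0x0000:
        return "XOR obfuscation"
    if etype == 0x0001 and len(data) >= 6:
        major, minor = struct.unpack_from("<HH", data, 2)
        if (major, minor) == (1, 1):
            return "RC4"
        if major in (2, 3, 4) and minor == 2:
            return "RC4 CryptoAPI"
    return "unknown"

def filepass_info(stream: bytes):
    """Walk the globals substream; return the scheme name, or None if no FilePass."""
    if len(stream) < 4 or struct.unpack_from("<H", stream, 0)[0] != BOF:
        raise ValueError("stream does not start with a BOF record")
    pos = 0
    while pos + 4 <= len(stream):
        # Record headers stay in the clear even when payloads are encrypted.
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        data = stream[pos + 4 : pos + 4 + rlen]
        if len(data) != rlen:
            raise ValueError("truncated record at offset %d" % pos)
        if rtype == FILEPASS:
            return describe_filepass(data)
        if rtype == EOF:
            return None
        pos += 4 + rlen
    return None

# Constructed sample streams (not taken from the challenge files).
BOF_REC = rec(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0, 0, 0, 0))
RC4_HDR = struct.pack("<HHH", 1, 1, 1) + bytes(48)  # type, version 1.1, salt+verifier+hash
ENCRYPTED = BOF_REC + rec(FILEPASS, RC4_HDR) + rec(EOF)
PLAIN = BOF_REC + rec(0x0042, struct.pack("<H", 1200)) + rec(EOF)  # CodePage record only

if __name__ == "__main__":
    print(filepass_info(ENCRYPTED), filepass_info(PLAIN))
```

A non-None result on a file that opens without a password prompt is the cue to try the default password before any dictionary attack.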

2. There is no question 2...