BSides CHS Maldoc

A walkthrough of Maldoc from BSCHS 2017.

November 14, 2017 - 2 minute read -
bschs misc

This challenge was definitely interesting. Real-world attackers abuse Office features such as DDE (Dynamic Data Exchange) and macros to embed malware or droppers in malicious documents. For instance, Fancy Bear recently used malicious documents to deploy their signature GAMEFISH malware in a campaign targeting hotels.

Our task is to analyse a document called notreallymalicious.doc. True to its name, it isn't malicious, but it does have a bunch of hidden flags!

A couple of people on my team tackled this problem in a few different ways. Initially we ran strings on the file and got two flags.

Flag 1: L0Gm4cro

Flag 2: L0gh4x

One pair of our group used an interesting online tool called Hybrid Analysis. It runs the file inside a sandbox VM and collects a lot of information about its behaviour, which is extremely useful for analyzing malware. Keep in mind that anything you submit to a public sandbox leaves your hands, so don't upload samples you are not allowed to share.

My strategy was more targeted. I found oletools, a collection of Python tools for analyzing MS Office documents, intended for malware analysis, forensics, and debugging.

I launched the program olebrowse and stepped through all of the data in

(Screenshot: Maldoc OLE Browse)

In the screenshot we can clearly see a plaintext flag, W0wS0L33t, and a base64-encoded string. Echoing that string and piping it to base64 -d decodes the message. One caveat: the decoded bytes actually contain a non-printing 0x0E (shift-out) control byte between M4cr0s and R0ck, which the terminal does not render as a visible character; piping the output through xxd shows it.

[EVERSEC]λ echo "ZWNobyBNNGNyMHMOUjBjaw==" | base64 -d
echo M4cr0sR0ck
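To put the two techniques the team used, strings and base64 decoding, into one script, here is an added example that is not part of the original write-up and not part of oletools. It scans any byte buffer for printable ASCII runs and UTF-16LE runs (Word stores document text as UTF-16LE, which plain strings misses unless you pass -el), picks out base64-looking tokens, decodes them and reports any non-printing bytes hiding in the result. The SAMPLE blob is constructed to imitate what olebrowse showed; the only real data in it is the base64 string from the write-up, and the function and variable names are my own.

```python
# Added example, not from the original write-up: a strings-style scanner that
# also spots base64 tokens, decodes them and reports non-printing bytes in
# the result. Usage on a real file: python3 scan.py notreallymalicious.doc
import base64
import binascii
import re
import sys
from typing import List, Optional, Tuple

MIN_LEN = 6
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Word stores document text as UTF-16LE (printable byte, NUL, repeated),
# which plain `strings` skips unless you pass -el.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# A run of base64 alphabet characters, optionally padded, that is not part of
# a longer run. Requiring 16+ characters keeps ordinary words out.
B64_TOKEN = re.compile(
    rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])"
)

# Constructed sample blob (not real document content) that imitates the
# kinds of data olebrowse showed: an OLE header, ASCII strings, a UTF-16LE
# string, and the base64 token from the write-up.
SAMPLE = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8     # OLE compound file magic
    + b"comment L0Gm4cro\x00\x00"                          # ASCII run
    + "title L0gh4x".encode("utf-16-le") + b"\x00\x00"     # UTF-16LE run
    + b"\x03W0wS0L33t\x00"                                 # ASCII run
    + b"ZWNobyBNNGNyMHMOUjBjaw==\x00"                       # base64 from the write-up
)


def extract_strings(data: bytes) -> List[str]:
    """Return printable ASCII and UTF-16LE runs, in file order."""
    found: List[Tuple[int, str]] = []
    for m in ASCII_RUN.finditer(data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in UTF16_RUN.finditer(data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    found.sort()
    return [s for _, s in found]


def try_base64(token: bytes) -> Optional[bytes]:
    """Decode strictly; anything that is not well-formed base64 is rejected."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_base64(data: bytes) -> List[Tuple[str, bytes]]:
    """Return (token, decoded bytes) for every token that decodes cleanly."""
    out = []
    for m in B64_TOKEN.finditer(data):
        decoded = try_base64(m.group())
        if decoded is not None:
            out.append((m.group().decode("ascii"), decoded))
    return out


def hidden_bytes(decoded: bytes) -> List[Tuple[int, int]]:
    """Offsets and values of bytes a terminal would not show as text."""
    return [(i, b) for i, b in enumerate(decoded) if b < 0x20 or b > 0x7E]


def printable(decoded: bytes) -> str:
    """Render decoded bytes with control/non-ASCII bytes as \\xNN escapes."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else f"\\x{b:02x}" for b in decoded)


def scan(data: bytes) -> dict:
    """Full report: all strings plus decoded base64 tokens with hidden bytes."""
    return {
        "strings": extract_strings(data),
        "base64": [(tok, printable(dec), hidden_bytes(dec)) for tok, dec in find_base64(data)],
    }


if __name__ == "__main__":
    # With a path argument scan that file; otherwise scan the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = scan(blob)
    for s in report["strings"]:
        print("string:", s)
    for tok, text, hidden in report["base64"]:
        print(f"base64: {tok} -> {text}")
        for off, val in hidden:
            print(f"  hidden byte 0x{val:02x} at offset {off}")
```

Run against the sample it lists the three plaintext flags and then reports a hidden 0x0e byte at offset 11 of the decoded base64, which is why base64 -d alone appears to print a clean echo M4cr0sR0ck. The strict validate=True decode is deliberate: without it, b64decode silently drops characters outside the alphabet and will "decode" many strings that were never base64.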

Flag 3: W0wS0L33t

Flag 4: M4cr0sR0ck

All in all, a simple challenge worth an insane number of points. I hope I introduced you to a new tool!