Tags: microsoft-office forensics 

Rating:

You've received a confidential document! Follow the instructions to unlock it.

Note: This is not malware

Author: SteakEnthusiast
[invoice.docm](https://github.com/Nightxade/ctf-writeups/blob/master/assets/CTFs/UofT-CTF-2024/invoice.docm)

---

After a bit of exploring, googling "ctf tool to point out what files might contain malware", I found [this](https://ctftime.org/writeup/23895). Following the steps in the writeup, I got this:

```py
===============================================================================
FILE: invoice.docm
Type: OpenXML
WARNING For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub AutoOpen()
Dim v6 As Variant, v7 As Variant
v6 = Array(98, 120, 113, 99, 116, 99, 113, 108, 115, 39, 116, 111, 72, 113, 38, 123, 36, 34, 72, 116, 35, 121, 72, 101, 98, 121, 72, 116, 39, 115, 114, 72, 99, 39, 39, 39, 106)
v7 = Array(44, 32, 51, 84, 43, 53, 48, 62, 68, 114, 38, 61, 17, 70, 121, 45, 112, 126, 26, 39, 21, 78, 21, 7, 6, 26, 127, 8, 89, 0, 1, 54, 26, 87, 16, 10, 84)

Dim v8 As Integer: v8 = 23

Dim v9 As String, v10 As String, v4 As String, i As Integer
v9 = ""
For i = 0 To UBound(v6)
v9 = v9 & Chr(v6(i) Xor Asc(Mid(Chr(v8), (i Mod Len(Chr(v8))) + 1, 1)))
Next i

v10 = ""
For i = 0 To UBound(v7)
v10 = v10 & Chr(v7(i) Xor Asc(Mid(v9, (i Mod Len(v9)) + 1, 1)))
Next i

MsgBox v10
End Sub

-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: word/vbaProject.bin - OLE stream: 'VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|AutoExec |AutoOpen |Runs when the Word document is opened |
|Suspicious|Chr |May attempt to obfuscate specific strings |
| | |(use option --deobf to deobfuscate) |
|Suspicious|Xor |May attempt to obfuscate specific strings |
| | |(use option --deobf to deobfuscate) |
+----------+--------------------+---------------------------------------------+
```

Seems like some sort of program created in Microsoft Office's VBA. We can find the documentation of certain functions on Microsoft by searching up `[function] vba` online. Here's my analysis:

```py
Sub AutoOpen()
Dim v6 As Variant, v7 As Variant
v6 = Array(98, 120, 113, 99, 116, 99, 113, 108, 115, 39, 116, 111, 72, 113, 38, 123, 36, 34, 72, 116, 35, 121, 72, 101, 98, 121, 72, 116, 39, 115, 114, 72, 99, 39, 39, 39, 106) # array
v7 = Array(44, 32, 51, 84, 43, 53, 48, 62, 68, 114, 38, 61, 17, 70, 121, 45, 112, 126, 26, 39, 21, 78, 21, 7, 6, 26, 127, 8, 89, 0, 1, 54, 26, 87, 16, 10, 84) # array

Dim v8 As Integer: v8 = 23

Dim v9 As String, v10 As String, v4 As String, i As Integer
v9 = ""
For i = 0 To UBound(v6) # loop through all of v6
v9 = v9 & Chr(v6(i) Xor Asc(Mid(Chr(v8), (i Mod Len(Chr(v8))) + 1, 1))) # append v8 ^ v6[i] to v9
Next i

v10 = ""
For i = 0 To UBound(v7)
v10 = v10 & Chr(v7(i) Xor Asc(Mid(v9, (i Mod Len(v9)) + 1, 1))) # append v7[i] ^ v9[i] to v10
Next i

MsgBox v10
End Sub
```

We can easily simulate the same process in Python:

```py
v6 = [98, 120, 113, 99, 116, 99, 113, 108, 115, 39, 116, 111, 72, 113, 38, 123, 36, 34, 72, 116, 35, 121, 72, 101, 98, 121, 72, 116, 39, 115, 114, 72, 99, 39, 39, 39, 106]
v7 = [44, 32, 51, 84, 43, 53, 48, 62, 68, 114, 38, 61, 17, 70, 121, 45, 112, 126, 26, 39, 21, 78, 21, 7, 6, 26, 127, 8, 89, 0, 1, 54, 26, 87, 16, 10, 84]
v8 = 23

for i in range(len(v6)):
v6[i] ^= v8
for i in range(len(v7)):
v7[i] ^= v6[i]
```

Let's print out v7:

```py
for i in v7:
print(chr(i), end='')
```

Except v7 contains some irrelevant message saying "you've been hacked".
Well, v6 is longer than v7 but used in v7's decryption. This is suspicious. Maybe we try to print out v6?

```py
for i in v6:
print(chr(i), end='')
```

And we get the flag!

uoftctf{d0cx_f1l35_c4n_run_c0de_t000}

Original writeup (https://nightxade.github.io/ctf-writeups/writeups/2024/UofT-CTF-2024/forensics/enable-me.html).