THM - Advent of Cyber [Day 22]
Obfuscation and investigation of malicious Microsoft Office macros are the focus of today's task. We'll be using oledump.py to investigate the Office files. Office files are container formats rather than flat documents: the legacy binary formats (.doc, .xls) are OLE compound files made up of named streams, which is exactly what oledump.py enumerates, while the newer .docx/.xlsm formats are ZIP archives that carry their VBA macros in an embedded OLE file (vbaProject.bin). We'll be looking at base64 and XOR obfuscation specifically.
Once we're on the machine spun up for us, we should open a command prompt and navigate to the proper folder on the desktop. As a quick side note, if I had a dollar for every time I typed `ls` instead of `dir`, I'd be a rich man. Anyway, the syntax of `oledump.py` is pretty straightforward, and for our purposes we only need two commands. The first one lists all the streams in the file:
oledump.py [FILENAME]
This lists every stream in the file so we can pick the ones worth a closer look; streams that hold VBA macros are flagged with an M in the listing. The main stream to look at is 8, but for one or two of the last questions we'll have to look at different streams.
oledump.py -s 8 -d [FILENAME]
Here `-s 8` selects stream 8 and `-d` dumps its raw bytes (a compressed VBA macro stream would need `-v` instead, which decompresses the source). What comes out is a script that has been obfuscated with base64 as well as an XOR against the key 35 (as a VBA integer literal that is decimal 35, i.e. 0x23). We can decode it easily in CyberChef; the one catch is that CyberChef's XOR operation reads the key as hex by default, so enter 23, or switch the key type to Decimal and enter 35. Once decoded, we can investigate the script to get the hint for the last flag and the answers to the earlier questions.
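The same decoding done in Python, as an added example that is not part of the TryHackMe task, the original post or oledump.py. It assumes the script was XOR-ed with a single-byte key and then base64-encoded (so decoding is base64 first, then XOR); because the write-up does not say which layer was applied first, `deobfuscate` tries both orders and keeps the one that yields printable text. `recover_key` goes a little beyond the task: when the key is not visible in the macro, it brute-forces all 256 single-byte keys against a known plaintext fragment. The obfuscated sample is constructed inside the block from a harmless VBA-style string.

```python
import base64
import binascii
import string

# The task's key. Written as a VBA integer literal this is decimal 35 == 0x23.
KEY = 35

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; self-inverse, so it both encodes and decodes."""
    return bytes(b ^ (key & 0xFF) for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; a real script scores close to 1.0."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def decode_b64_then_xor(blob: str, key: int = KEY) -> bytes:
    """Undo the layering 'XOR, then base64' by base64-decoding first."""
    return xor_bytes(base64.b64decode(blob), key)


def decode_xor_then_b64(blob: str, key: int = KEY) -> bytes:
    """Undo the layering 'base64, then XOR' by XOR-ing first."""
    return base64.b64decode(xor_bytes(blob.encode("latin-1"), key))


def deobfuscate(blob: str, key: int = KEY) -> tuple[str, bytes]:
    """Try both layer orders and return (order, plaintext) for the one that looks like text."""
    candidates = {}
    for name, fn in (("base64-then-xor", decode_b64_then_xor),
                     ("xor-then-base64", decode_xor_then_b64)):
        try:
            candidates[name] = fn(blob, key)
        except (binascii.Error, ValueError):
            continue  # that order does not even produce valid base64
    best = max(candidates, key=lambda n: printable_ratio(candidates[n]))
    return best, candidates[best]


def recover_key(data: bytes, crib: bytes) -> list[int]:
    """Brute-force all 256 single-byte keys and keep those whose output contains the crib
    (a fragment you expect in the plaintext, e.g. a VBA keyword)."""
    return [k for k in range(256) if crib in xor_bytes(data, k)]


# Constructed sample: a harmless VBA-style script obfuscated the way the task describes
# (XOR with 35, then base64). Not taken from the task's document.
PLAIN = b'Sub Main()\r\n  MsgBox "decoded payload"\r\nEnd Sub'
SAMPLE = base64.b64encode(xor_bytes(PLAIN, KEY)).decode("ascii")

if __name__ == "__main__":
    order, script = deobfuscate(SAMPLE)
    print(f"layer order: {order}")
    print(script.decode("latin-1"))
    print("candidate keys:", recover_key(base64.b64decode(SAMPLE), b"MsgBox"))
```

To use it on the real stream, save the output of `oledump.py -s 8 -d` to a file, read the base64 text into `blob`, and call `deobfuscate(blob)`; if the key turns out not to be 35, run `recover_key` with a crib such as `b"Sub "` or `b"powershell"` on the base64-decoded bytes.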