HCSC 2024 - Trampling
Description
It seems that this e-mail attachment does not work. We use old word processors in the office. Could that be the reason? Pw for the archive: definitelyNotInfected
Flag format: HCSC{}
Hint 1 (cost 200): A seismograph is usually an instrument for measuring the movement of the earth. Perhaps in this case it can also be used for VBA analysis?
Metadata
- Tags: macrod, vba, stomping, docm
- Points: 400
- Number of solvers: 14
- Filename: trampling
Solution
We have a trampling file without an extension. The file command identifies it as Microsoft OOXML, which means it might be the newer format of Word / Excel / PowerPoint. Those are basically ZIP files, so we can try to identify the correct extension using zipinfo:
$ file trampling
trampling: Microsoft OOXML
$ zipinfo trampling
Archive: trampling
Zip file size: 17478 bytes, number of entries: 15
-rw---- 4.5 fat 1453 b- defN 80-Jan-01 00:00 [Content_Types].xml
-rw---- 4.5 fat 665 b- defN 80-Jan-01 00:00 docProps/app.xml
-rw---- 4.5 fat 466 b- stor 80-Jan-01 00:00 [trash]/0000.dat
-rw---- 4.5 fat 2809 b- defN 80-Jan-01 00:00 word\document.xml
-rw---- 4.5 fat 1574 b- defN 80-Jan-01 00:00 word\fontTable.xml
-rw---- 4.5 fat 3051 b- defN 80-Jan-01 00:00 word\settings.xml
-rw---- 4.5 fat 42438 b- defN 80-Jan-01 00:00 word\styles.xml
-rw---- 4.5 fat 2619 b- defN 80-Jan-01 00:00 word\vbaData.xml
-rw---- 4.5 fat 13824 b- defN 80-Jan-01 00:00 word\vbaProject.bin
-rw---- 4.5 fat 894 b- defN 80-Jan-01 00:00 word\webSettings.xml
-rw---- 4.5 fat 8397 b- defN 80-Jan-01 00:00 word\theme\theme1.xml
-rw---- 4.5 fat 939 b- defN 80-Jan-01 00:00 word\_rels\document.xml.rels
-rw---- 4.5 fat 277 b- defN 80-Jan-01 00:00 word\_rels\vbaProject.bin.rels
-rw---- 4.5 fat 590 b- defN 80-Jan-01 00:00 _rels\.rels
-rw---- 4.5 fat 709 b- defN 80-Jan-01 00:00 docProps/core.xml
15 files, 80705 bytes uncompressed, 15698 bytes compressed: 80.5%
It is a .docm file with some macro (vbaProject.bin). Let’s run the olevba tool:
$ olevba trampling
olevba 0.60.1 on Python 3.11.8 - http://decalage.info/python/oletools
[...]
VBA MACRO ThisDocument.cls
in file: word\vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub AutoOpen()
Dim x As String
x = chr(8876856 / CLng("&H153f4")) & chr(8416332 / CLng("&H13069")) & chr(-25455 + CLng("&H63d0")) & chr(CLng("&Hf93e") - 63703) & chr(5079285 / CLng("&Ha14f")) & chr(8720320 / CLng("&H11e40")) & chr(-55616 + CLng("&Hd974")) & chr(-3695 + CLng("&Hee2")) & chr(-92446 + CLng("&H1698c")) & chr(-51178 + CLng("&Hc85e")) & chr(-11034 + CLng("&H2b79")) & chr(-92092 + CLng("&H16825")) & chr(9364448 / CLng("&H13b58")) & chr(2261665 / CLng("&H5cff")) & chr(-7700 + CLng("&H1e88")) & chr(-50681 + CLng("&Hc629")) & chr(-41324 + CLng("&Ha19c")) & chr(CLng("&Hf9db") - 63868) & chr(CLng("&H6689") - 26198) & chr(116116 / CLng("&H8b9")) & chr(857900 / CLng("&H1d24")) & chr(8993083 / CLng("&H12253")) & chr(2150883 / CLng("&H855d")) & chr(12030375 / CLng("&H177f3"))
End Sub
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|AutoExec |AutoOpen |Runs when the Word document is opened |
|Suspicious|chr |May attempt to obfuscate specific strings |
| | |(use option --deobf to deobfuscate) |
|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|Suspicious|VBA Stomping |VBA Stomping was detected: the VBA source |
| | |code and P-code are different, this may have |
| | |been used to hide malicious code |
+----------+--------------------+---------------------------------------------+
VBA Stomping detection is experimental: please report any false positive/negative at https://github.com/decalage2/oletools/issues
We got something, however it is a red herring. As we can see, the tool says:
VBA Stomping was detected: the VBA source code and P-code are different, this may have been used to hide malicious code.
We can use the --show-pcode option to print the P-code:
$ olevba --show-pcode trampling
olevba 0.60.1 on Python 3.11.8 - http://decalage.info/python/oletools
===============================================================================
FILE: trampling
Type: OpenXML
WARNING For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word\vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub AutoOpen()
Dim x As String
x = chr(8876856 / CLng("&H153f4")) & chr(8416332 / CLng("&H13069")) & chr(-25455 + CLng("&H63d0")) & chr(CLng("&Hf93e") - 63703) & chr(5079285 / CLng("&Ha14f")) & chr(8720320 / CLng("&H11e40")) & chr(-55616 + CLng("&Hd974")) & chr(-3695 + CLng("&Hee2")) & chr(-92446 + CLng("&H1698c")) & chr(-51178 + CLng("&Hc85e")) & chr(-11034 + CLng("&H2b79")) & chr(-92092 + CLng("&H16825")) & chr(9364448 / CLng("&H13b58")) & chr(2261665 / CLng("&H5cff")) & chr(-7700 + CLng("&H1e88")) & chr(-50681 + CLng("&Hc629")) & chr(-41324 + CLng("&Ha19c")) & chr(CLng("&Hf9db") - 63868) & chr(CLng("&H6689") - 26198) & chr(116116 / CLng("&H8b9")) & chr(857900 / CLng("&H1d24")) & chr(8993083 / CLng("&H12253")) & chr(2150883 / CLng("&H855d")) & chr(12030375 / CLng("&H177f3"))
End Sub
-------------------------------------------------------------------------------
P-CODE disassembly:
Processing file: trampling
===============================================================================
Module streams:
VBA/ThisDocument - 6239 bytes
Line #0:
FuncDefn (Sub AutoOpen())
Line #1:
Dim
VarDefn reheyxuwczkdfibprd (As String)
Line #2:
LitStr 0x0004 "2648"
ArgsLd stvxkonagjkfkrd 0x0001
LitStr 0x0006 "356231"
ArgsLd stvxkonagjkfkrd 0x0001
Concat
Coerce (Lng)
LitDI2 0x056E
Sub
ArgsLd Chr 0x0001
LitStr 0x0004 "2648"
ArgsLd stvxkonagjkfkrd 0x0001
LitStr 0x0008 "38363639"
ArgsLd stvxkonagjkfkrd 0x0001
Concat
Coerce (Lng)
LitDI4 0x85FA 0x0000
Sub
ArgsLd Chr 0x0001
Concat
LitDI4 0xF2F5 0x0032
LitStr 0x0004 "2648"
ArgsLd stvxkonagjkfkrd 0x0001
LitStr 0x0008 "37376139"
ArgsLd stvxkonagjkfkrd 0x0001
Concat
Coerce (Lng)
Div
ArgsLd Chr 0x0001
Concat
LitDI4 0xECE5 0x0000
UMi
LitStr 0x0004 "2648"
ArgsLd stvxkonagjkfkrd 0x0001
LitStr 0x0008 "65643535"
ArgsLd stvxkonagjkfkrd 0x0001
Concat
Coerce (Lng)
Add
ArgsLd Chr 0x0001
Concat
LitDI4 0xFB79 0x0000
UMi
LitStr 0x0008 "26486662"
ArgsLd stvxkonagjkfkrd 0x0001
LitStr 0x0004 "6461"
ArgsLd stvxkonagjkfkrd 0x0001
Concat
Coerce (Lng)
Add
ArgsLd Chr 0x0001
Concat
LitStr 0x0004 "2648"
ArgsLd stvxkonagjkfkrd 0x0001
LitStr 0x0008 "37346539"
ArgsLd stvxkonagjkfkrd 0x0001
Concat
Coerce (Lng)
LitDI2 0x747B
Sub
ArgsLd Chr 0x0001
Concat
LitDI4 0xEFF3 0x0000
UMi
LitStr 0x0008 "26486630"
ArgsLd stvxkonagjkfkrd 0x0001
LitStr 0x0004 "3663"
ArgsLd stvxkonagjkfkrd 0x0001
Concat
Coerce (Lng)
Add
ArgsLd Chr 0x0001
Concat
St reheyxuwczkdfibprd
Line #3:
Dim
VarDefn pdntatjcheryquiar (As String)
Line #4:
Ld reheyxuwczkdfibprd
ArgsLd ADP 0x0001
St pdntatjcheryquiar
Line #5:
Dim
VarDefn edzbgjugomlsj (As String)
Line #6:
Ld AD
Ld pdntatjcheryquiar
ArgsLd butsqagaopvcnoodtck 0x0002
St edzbgjugomlsj
Line #7:
EndSub
Line #8:
FuncDefn (Function azrppchfhrleghj(ByVal aquxseofc As String) As String)
Line #9:
Dim
VarDefn twhbejgysk (As Long)
Line #10:
StartForVariable
Ld twhbejgysk
EndForVariable
LitDI2 0x0001
Ld aquxseofc
FnLen
LitDI2 0x0002
ForStep
Line #11:
Ld azrppchfhrleghj
LitStr 0x0002 "&H"
Ld aquxseofc
Ld twhbejgysk
LitDI2 0x0002
ArgsLd Mid$ 0x0003
Concat
ArgsLd Val 0x0001
ArgsLd Chr$ 0x0001
Concat
St azrppchfhrleghj
Line #12:
StartForVariable
Ld twhbejgysk
EndForVariable
NextVar
Line #13:
EndFunc
Line #14:
FuncDefn (Function AD(id_FFFE As Object) As Object)
Line #15:
SetStmt
Ld ActiveDocument
Set AD
Line #16:
EndFunc
Line #17:
FuncDefn (Function butsqagaopvcnoodtck(d As ))
Line #18:
Dim
VarDefn idklxrap (As String)
Line #19:
Dim
VarDefn tudjxdzot (As Integer)
Line #20:
Dim
VarDefn nyquvvyrkpzfugrtfm (As Integer)
Line #21:
Ld vwkwcizm
FnLen
St nyquvvyrkpzfugrtfm
Line #22:
Dim
VarDefn vbfjerof (As String)
Line #23:
Dim
VarDefn lfrwvvp (As String)
Line #24:
Dim
VarDefn saaadoyb (As String)
Line #25:
Dim
VarDefn dsvwnqv (As String)
Line #26:
Dim
VarDefn wtvpzqnfaghargqw (As Integer)
Line #27:
Dim
VarDefn twvkuxkbx (As Integer)
Line #28:
Dim
VarDefn ogygbitmb (As Integer)
Line #29:
Dim
VarDefn eichgukxdf (As String)
Line #30:
Dim
VarDefn i
VarDefn j
VarDefn ytqsckoletsicsxcc (As Integer)
Line #31:
LitStr 0x0004 "2648"
ArgsLd azrppchfhrleghj 0x0001
LitStr 0x0003 "616"
LitStr 0x0005 "63131"
Concat
ArgsLd azrppchfhrleghj 0x0001
Concat
Coerce (Lng)
LitDI4 0xAECE 0x0000
Sub
ArgsLd Chr 0x0001
LitDI4 0x1239 0x000C
LitStr 0x0004 "2648"
ArgsLd azrppchfhrleghj 0x0001
LitStr 0x0003 "316"
LitStr 0x0005 "26437"
Concat
ArgsLd azrppchfhrleghj 0x0001
Concat
Coerce (Lng)
Div
ArgsLd Chr 0x0001
Concat
LitDI2 0x2C6F
UMi
LitStr 0x0004 "2648"
LitStr 0x0002 "32"
Concat
ArgsLd azrppchfhrleghj 0x0001
LitStr 0x0003 "636"
LitStr 0x0003 "463"
Concat
ArgsLd azrppchfhrleghj 0x0001
Concat
Coerce (Lng)
Add
ArgsLd Chr 0x0001
Concat
LitStr 0x0006 "264865"
LitStr 0x0002 "39"
Concat
ArgsLd azrppchfhrleghj 0x0001
LitStr 0x0004 "6232"
ArgsLd azrppchfhrleghj 0x0001
Concat
Coerce (Lng)
LitDI4 0xE945 0x0000
Sub
ArgsLd Chr 0x0001
Concat
LitDI2 0x58BB
UMi
LitStr 0x0002 "26"
LitStr 0x0004 "4835"
Concat
ArgsLd azrppchfhrleghj 0x0001
LitStr 0x0003 "393"
LitStr 0x0003 "230"
Concat
ArgsLd azrppchfhrleghj 0x0001
Concat
Coerce (Lng)
Add
ArgsLd Chr 0x0001
Concat
LitDI2 0x0274
UMi
LitStr 0x0004 "2648"
ArgsLd azrppchfhrleghj 0x0001
LitStr 0x0004 "3265"
LitStr 0x0002 "32"
Concat
ArgsLd azrppchfhrleghj 0x0001
Concat
Coerce (Lng)
Add
ArgsLd Chr 0x0001
Concat
LitDI4 0x2C58 0x0001
UMi
LitStr 0x0004 "2648"
ArgsLd azrppchfhrleghj 0x0001
LitStr 0x0005 "31326"
LitStr 0x0005 "36363"
Concat
ArgsLd azrppchfhrleghj 0x0001
Concat
Coerce (Lng)
Add
ArgsLd Chr 0x0001
Concat
LitStr 0x0004 "2648"
ArgsLd azrppchfhrleghj 0x0001
LitStr 0x0004 "3465"
LitStr 0x0004 "6562"
Concat
ArgsLd azrppchfhrleghj 0x0001
Concat
Coerce (Lng)
LitDI2 0x4E78
Sub
ArgsLd Chr 0x0001
Concat
St lfrwvvp
Line #32:
Ld lfrwvvp
Ld d
ArgsMemLd BuiltInDocumentProperties 0x0001
St idklxrap
Line #33:
ArgsCall Randomize 0x0000
Line #34:
LitDI2 0x000F
LitDI2 0x0005
Sub
LitDI2 0x0001
Add
Paren
Ld Rnd
Mul
LitDI2 0x0005
Add
FnInt
St wtvpzqnfaghargqw
Line #35:
LitDI2 0x0041
St twvkuxkbx
Line #36:
LitDI2 0x005A
St ogygbitmb
Line #37:
StartForVariable
Ld i
EndForVariable
LitDI2 0x0001
Ld wtvpzqnfaghargqw
For
Line #38:
Ld ogygbitmb
Ld twvkuxkbx
Sub
LitDI2 0x0001
Add
Paren
Ld Rnd
Mul
Ld twvkuxkbx
Add
FnInt
ArgsLd Chr 0x0001
St eichgukxdf
Line #39:
Ld saaadoyb
Ld eichgukxdf
Concat
St saaadoyb
Line #40:
StartForVariable
Ld i
EndForVariable
NextVar
Line #41:
StartForVariable
Ld i
EndForVariable
LitDI2 0x0001
Ld saaadoyb
FnLen
For
Line #42:
StartForVariable
Ld j
EndForVariable
LitDI2 0x0001
Ld i
For
Line #43:
StartForVariable
Ld ytqsckoletsicsxcc
EndForVariable
LitDI2 0x0001
Ld j
For
Line #44:
Ld dsvwnqv
Ld saaadoyb
Ld ytqsckoletsicsxcc
LitDI2 0x0001
ArgsLd Mid 0x0003
Concat
St dsvwnqv
Line #45:
StartForVariable
Ld ytqsckoletsicsxcc
EndForVariable
NextVar
Line #46:
StartForVariable
Ld j
EndForVariable
NextVar
Line #47:
StartForVariable
Ld i
EndForVariable
NextVar
Line #48:
StartForVariable
Ld tudjxdzot
EndForVariable
LitDI2 0x0001
Ld idklxrap
FnLen
For
Line #49:
Dim
VarDefn iryyloqwtrxwrirrxtm (As Integer)
Line #50:
Dim
VarDefn hxmbhpuzqkuxhwks (As Integer)
Line #51:
Dim
VarDefn dwhiuxllel (As Integer)
Line #52:
Ld idklxrap
Ld tudjxdzot
LitDI2 0x0001
ArgsLd Mid 0x0003
ArgsLd AscW 0x0001
St iryyloqwtrxwrirrxtm
Line #53:
Ld vwkwcizm
Ld tudjxdzot
LitDI2 0x0001
Sub
Paren
Ld nyquvvyrkpzfugrtfm
Mod
LitDI2 0x0001
Add
LitDI2 0x0001
ArgsLd Mid 0x0003
ArgsLd AscW 0x0001
St hxmbhpuzqkuxhwks
Line #54:
Ld iryyloqwtrxwrirrxtm
Ld hxmbhpuzqkuxhwks
Sub
St dwhiuxllel
Line #55:
Ld vbfjerof
Ld dwhiuxllel
ArgsLd ChrW 0x0001
Concat
St vbfjerof
Line #56:
Ld vbfjerof
St butsqagaopvcnoodtck
Line #57:
StartForVariable
Next
Line #58:
ArgsCall Randomize 0x0000
Line #59:
LitDI2 0x000F
LitDI2 0x0005
Sub
LitDI2 0x0001
Add
Paren
Ld Rnd
Mul
LitDI2 0x0005
Add
FnInt
St wtvpzqnfaghargqw
Line #60:
LitDI2 0x0041
St twvkuxkbx
Line #61:
LitDI2 0x005A
St ogygbitmb
Line #62:
StartForVariable
Ld i
EndForVariable
LitDI2 0x0001
Ld wtvpzqnfaghargqw
For
Line #63:
Ld ogygbitmb
Ld twvkuxkbx
Sub
LitDI2 0x0001
Add
Paren
Ld Rnd
Mul
Ld twvkuxkbx
Add
FnInt
ArgsLd Chr 0x0001
St eichgukxdf
Line #64:
Ld saaadoyb
Ld eichgukxdf
Concat
St saaadoyb
Line #65:
StartForVariable
Ld i
EndForVariable
NextVar
Line #66:
StartForVariable
Ld i
EndForVariable
LitDI2 0x0001
Ld saaadoyb
FnLen
For
Line #67:
StartForVariable
Ld j
EndForVariable
LitDI2 0x0001
Ld i
For
Line #68:
StartForVariable
Ld ytqsckoletsicsxcc
EndForVariable
LitDI2 0x0001
Ld j
For
Line #69:
Ld dsvwnqv
Ld saaadoyb
Ld ytqsckoletsicsxcc
LitDI2 0x0001
ArgsLd Mid 0x0003
Concat
St dsvwnqv
Line #70:
StartForVariable
Ld ytqsckoletsicsxcc
EndForVariable
NextVar
Line #71:
StartForVariable
Ld j
EndForVariable
NextVar
Line #72:
StartForVariable
Ld i
EndForVariable
NextVar
Line #73:
EndFunc
Line #74:
FuncDefn (Function vbfuhiiejlduxfx(ByVal ozgivtdgg As String) As String)
Line #75:
Dim
VarDefn achsuflnqe (As Long)
Line #76:
StartForVariable
Ld achsuflnqe
EndForVariable
LitDI2 0x0001
Ld ozgivtdgg
FnLen
LitDI2 0x0002
ForStep
Line #77:
Ld vbfuhiiejlduxfx
LitStr 0x0002 "&H"
Ld ozgivtdgg
Ld achsuflnqe
LitDI2 0x0002
ArgsLd Mid$ 0x0003
Concat
ArgsLd Val 0x0001
ArgsLd Chr$ 0x0001
Concat
St vbfuhiiejlduxfx
Line #78:
StartForVariable
Ld achsuflnqe
EndForVariable
NextVar
Line #79:
EndFunc
Line #80:
FuncDefn (Function ADP(p As String))
Line #81:
Ld p
Ld ActiveDocument
ArgsMemLd BuiltInDocumentProperties 0x0001
St ADP
Line #82:
EndFunc
Line #83:
FuncDefn (Function stvxkonagjkfkrd(ByVal rwqarxcyt As String) As String)
Line #84:
Dim
VarDefn iappkmhqcm (As Long)
Line #85:
StartForVariable
Ld iappkmhqcm
EndForVariable
LitDI2 0x0001
Ld rwqarxcyt
FnLen
LitDI2 0x0002
ForStep
Line #86:
Ld stvxkonagjkfkrd
LitStr 0x0002 "&H"
Ld rwqarxcyt
Ld iappkmhqcm
LitDI2 0x0002
ArgsLd Mid$ 0x0003
Concat
ArgsLd Val 0x0001
ArgsLd Chr$ 0x0001
Concat
St stvxkonagjkfkrd
Line #87:
StartForVariable
Ld iappkmhqcm
EndForVariable
NextVar
Line #88:
EndFunc
Line #89:
Line #90:
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|AutoExec |AutoOpen |Runs when the Word document is opened |
|Suspicious|chr |May attempt to obfuscate specific strings |
| | |(use option --deobf to deobfuscate) |
|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|Suspicious|VBA Stomping |VBA Stomping was detected: the VBA source |
| | |code and P-code are different, this may have |
| | |been used to hide malicious code |
+----------+--------------------+---------------------------------------------+
VBA Stomping detection is experimental: please report any false positive/negative at https://github.com/decalage2/oletools/issues
I didn’t really want to understand the p-code, only as a last resort. Luckily, I’ve found a decompiler: https://github.com/Big5-sec/pcode2code. It could almost perfectly recover the source code:
$ pcode2code trampling
stream : VBA/ThisDocument - 6239 bytes
########################################
Sub AutoOpen()
Dim reheyxuwczkdfibprd As String
reheyxuwczkdfibprd = Chr(CLng(stvxkonagjkfkrd("2648") & stvxkonagjkfkrd("356231")) - 1390) & Chr(CLng(stvxkonagjkfkrd("2648") & stvxkonagjkfkrd("38363639")) - 34298) & Chr(3338997 / CLng(stvxkonagjkfkrd("2648") & stvxkonagjkfkrd("37376139"))) & Chr(-60645 + CLng(stvxkonagjkfkrd("2648") & stvxkonagjkfkrd("65643535"))) & Chr(-64377 + CLng(stvxkonagjkfkrd("26486662") & stvxkonagjkfkrd("6461"))) & Chr(CLng(stvxkonagjkfkrd("2648") & stvxkonagjkfkrd("37346539")) - 29819) & Chr(-61427 + CLng(stvxkonagjkfkrd("26486630") & stvxkonagjkfkrd("3663")))
Dim pdntatjcheryquiar As String
pdntatjcheryquiar = ADP(reheyxuwczkdfibprd)
Dim edzbgjugomlsj As String
edzbgjugomlsj = butsqagaopvcnoodtck(AD, pdntatjcheryquiar)
End Sub
Function azrppchfhrleghj(ByVal aquxseofc As String) As String
Dim twhbejgysk As Long
For twhbejgysk = 1 To Len(aquxseofc) Step 2
azrppchfhrleghj = azrppchfhrleghj & Chr$(Val("&H" & Mid$(aquxseofc, twhbejgysk, 2)))
Next twhbejgysk
End Function
Function AD(id_FFFE As Object) As Object
Set AD = ActiveDocument
End Function
Function butsqagaopvcnoodtck(d As )
Dim idklxrap As String
Dim tudjxdzot As Integer
Dim nyquvvyrkpzfugrtfm As Integer
nyquvvyrkpzfugrtfm = Len(vwkwcizm)
Dim vbfjerof As String
Dim lfrwvvp As String
Dim saaadoyb As String
Dim dsvwnqv As String
Dim wtvpzqnfaghargqw As Integer
Dim twvkuxkbx As Integer
Dim ogygbitmb As Integer
Dim eichgukxdf As String
Dim i, j, ytqsckoletsicsxcc As Integer
lfrwvvp = Chr(CLng(azrppchfhrleghj("2648") & azrppchfhrleghj("616" & "63131")) - 44750) & Chr(791097 / CLng(azrppchfhrleghj("2648") & azrppchfhrleghj("316" & "26437"))) & Chr(-11375 + CLng(azrppchfhrleghj("2648" & "32") & azrppchfhrleghj("636" & "463"))) & Chr(CLng(azrppchfhrleghj("264865" & "39") & azrppchfhrleghj("6232")) - 59717) & Chr(-22715 + CLng(azrppchfhrleghj("26" & "4835") & azrppchfhrleghj("393" & "230"))) & Chr(-628 + CLng(azrppchfhrleghj("2648") & azrppchfhrleghj("3265" & "32"))) & Chr(-76888 + CLng(azrppchfhrleghj("2648") & azrppchfhrleghj("31326" & "36363"))) & Chr(CLng(azrppchfhrleghj("2648") & azrppchfhrleghj("3465" & "6562")) - 20088)
idklxrap = d.BuiltInDocumentProperties(lfrwvvp)
Randomize
wtvpzqnfaghargqw = int((15 - 5 + 1) * Rnd + 5)
twvkuxkbx = 65
ogygbitmb = 90
For i = 1 To wtvpzqnfaghargqw
eichgukxdf = Chr(int((ogygbitmb - twvkuxkbx + 1) * Rnd + twvkuxkbx))
saaadoyb = saaadoyb & eichgukxdf
Next i
For i = 1 To Len(saaadoyb)
For j = 1 To i
For ytqsckoletsicsxcc = 1 To j
dsvwnqv = dsvwnqv & Mid(saaadoyb, ytqsckoletsicsxcc, 1)
Next ytqsckoletsicsxcc
Next j
Next i
For tudjxdzot = 1 To Len(idklxrap)
Dim iryyloqwtrxwrirrxtm As Integer
Dim hxmbhpuzqkuxhwks As Integer
Dim dwhiuxllel As Integer
iryyloqwtrxwrirrxtm = AscW(Mid(idklxrap, tudjxdzot, 1))
hxmbhpuzqkuxhwks = AscW(Mid(vwkwcizm, (tudjxdzot - 1) Mod nyquvvyrkpzfugrtfm + 1, 1))
dwhiuxllel = iryyloqwtrxwrirrxtm - hxmbhpuzqkuxhwks
vbfjerof = vbfjerof & ChrW(dwhiuxllel)
butsqagaopvcnoodtck = vbfjerof
Next
Randomize
wtvpzqnfaghargqw = int((15 - 5 + 1) * Rnd + 5)
twvkuxkbx = 65
ogygbitmb = 90
For i = 1 To wtvpzqnfaghargqw
eichgukxdf = Chr(int((ogygbitmb - twvkuxkbx + 1) * Rnd + twvkuxkbx))
saaadoyb = saaadoyb & eichgukxdf
Next i
For i = 1 To Len(saaadoyb)
For j = 1 To i
For ytqsckoletsicsxcc = 1 To j
dsvwnqv = dsvwnqv & Mid(saaadoyb, ytqsckoletsicsxcc, 1)
Next ytqsckoletsicsxcc
Next j
Next i
End Function
Function vbfuhiiejlduxfx(ByVal ozgivtdgg As String) As String
Dim achsuflnqe As Long
For achsuflnqe = 1 To Len(ozgivtdgg) Step 2
vbfuhiiejlduxfx = vbfuhiiejlduxfx & Chr$(Val("&H" & Mid$(ozgivtdgg, achsuflnqe, 2)))
Next achsuflnqe
End Function
Function ADP(p As String)
ADP = ActiveDocument.BuiltInDocumentProperties(p)
End Function
Function stvxkonagjkfkrd(ByVal rwqarxcyt As String) As String
Dim iappkmhqcm As Long
For iappkmhqcm = 1 To Len(rwqarxcyt) Step 2
stvxkonagjkfkrd = stvxkonagjkfkrd & Chr$(Val("&H" & Mid$(rwqarxcyt, iappkmhqcm, 2)))
Next iappkmhqcm
End Function
The created VBA code is not 100% correct. If we open the original document (rename it to .docm first) in Word and create a new macro and paste it in, we will get some syntax / compile time errors:
- In the Function butsqagaopvcnoodtck(d As ) line, there are some arguments missing. A working solution is Function butsqagaopvcnoodtck(d, vwkwcizm)
- In the edzbgjugomlsj = butsqagaopvcnoodtck(AD, pdntatjcheryquiar) line, the AD function requires a parameter, but we didn’t provide any. Just remove the parameter, it is not used in the function: Function AD(id_FFFE As Object) As Object -> Function AD() As Object
Open the Immediate Window (Ctrl + G). Add Debug.Print edzbgjugomlsj to the last line of the AutoOpen function (to just print the result of the last function call). And execute the macro.
This dynamic execution only works if we use the provided document, as the macro gets some properties of the document and uses them to create the flag (like the company and the description of the document). If we unzip the document, the docProps/core.xml file contains the description of the document. This is read by the macro itself:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:title></dc:title><dc:subject></dc:subject><cp:keywords></cp:keywords><dc:description>¬¶µêØ£àͬ¿¥¦Îæãá½²ÑÙÎÅ¥¦¥§¤¥Ê</dc:description><dcterms:created xsi:type="dcterms:W3CDTF">2024-04-02T14:58:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2024-04-02T15:05:00Z</dcterms:modified></cp:coreProperties>
Flag: HCSC{e4zY_VB4_st0mpIng_!!_1928464521}
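A static alternative to running the macro in Word, as an added example that is not part of the original write-up: it resolves the two obfuscated property-name expressions from the pcode2code output and mirrors the macro's subtraction loop. The names resolve, decrypt and make_sample and the sample key and data are constructed for illustration; reading CLng("&H...") as an unsigned value is an assumption.

```python
import re
from operator import add, sub, floordiv

JOIN = re.compile(r'"\s*&\s*"')                    # "616" & "63131" -> "61663131"
HELPER = re.compile(r'\b\w+\("([0-9A-Fa-f]+)"\)')  # hex-pair decoder call: f("2648") -> "&H"
CLNG = re.compile(r'CLng\("&H([0-9A-Fa-f]+)"\)', re.I)
TERM = re.compile(r'Chr\(\s*(-?\d+)\s*([-+/])\s*(-?\d+)\s*\)', re.I)
OPS = {"+": add, "-": sub, "/": floordiv}          # the divisions in these expressions are exact

# Property-name expressions copied from the pcode2code output above.
KEY_PROP_EXPR = " & ".join([                       # from AutoOpen
    'Chr(CLng(stvxkonagjkfkrd("2648") & stvxkonagjkfkrd("356231")) - 1390)',
    'Chr(CLng(stvxkonagjkfkrd("2648") & stvxkonagjkfkrd("38363639")) - 34298)',
    'Chr(3338997 / CLng(stvxkonagjkfkrd("2648") & stvxkonagjkfkrd("37376139")))',
    'Chr(-60645 + CLng(stvxkonagjkfkrd("2648") & stvxkonagjkfkrd("65643535")))',
    'Chr(-64377 + CLng(stvxkonagjkfkrd("26486662") & stvxkonagjkfkrd("6461")))',
    'Chr(CLng(stvxkonagjkfkrd("2648") & stvxkonagjkfkrd("37346539")) - 29819)',
    'Chr(-61427 + CLng(stvxkonagjkfkrd("26486630") & stvxkonagjkfkrd("3663")))',
])
DATA_PROP_EXPR = " & ".join([                      # from butsqagaopvcnoodtck
    'Chr(CLng(azrppchfhrleghj("2648") & azrppchfhrleghj("616" & "63131")) - 44750)',
    'Chr(791097 / CLng(azrppchfhrleghj("2648") & azrppchfhrleghj("316" & "26437")))',
    'Chr(-11375 + CLng(azrppchfhrleghj("2648" & "32") & azrppchfhrleghj("636" & "463")))',
    'Chr(CLng(azrppchfhrleghj("264865" & "39") & azrppchfhrleghj("6232")) - 59717)',
    'Chr(-22715 + CLng(azrppchfhrleghj("26" & "4835") & azrppchfhrleghj("393" & "230")))',
    'Chr(-628 + CLng(azrppchfhrleghj("2648") & azrppchfhrleghj("3265" & "32")))',
    'Chr(-76888 + CLng(azrppchfhrleghj("2648") & azrppchfhrleghj("31326" & "36363")))',
    'Chr(CLng(azrppchfhrleghj("2648") & azrppchfhrleghj("3465" & "6562")) - 20088)',
])

def resolve(expr):
    """Statically evaluate a Chr(...) & Chr(...) chain without running any VBA."""
    expr = JOIN.sub("", expr)                      # merge split string literals
    expr = HELPER.sub(lambda m: '"%s"' % bytes.fromhex(m.group(1)).decode("latin-1"), expr)
    expr = JOIN.sub("", expr)                      # "&H" & "5b1" -> "&H5b1"
    # Assumption: CLng on a "&H..." string is read as an unsigned value.
    expr = CLNG.sub(lambda m: str(int(m.group(1), 16)), expr)
    return "".join(chr(OPS[op](int(a), int(b))) for a, op, b in TERM.findall(expr))

def decrypt(data, key):
    """The macro's loop: ChrW(AscW(data[i]) - AscW(key[i Mod Len(key)]))."""
    if not key:
        raise ValueError("key property is empty")
    return "".join(chr(ord(c) - ord(key[i % len(key)])) for i, c in enumerate(data))

def make_sample(plain, key):
    """Inverse of decrypt(); only used to build the constructed sample below."""
    return "".join(chr(ord(c) + ord(key[i % len(key)])) for i, c in enumerate(plain))

# Constructed values, not the properties of the challenge document.
SAMPLE_KEY = "ExampleCorp"
SAMPLE_DATA = make_sample("HCSC{constructed_sample}", SAMPLE_KEY)

if __name__ == "__main__":
    print(resolve(KEY_PROP_EXPR), resolve(DATA_PROP_EXPR))
    print(decrypt(SAMPLE_DATA, SAMPLE_KEY))
```

To apply it to the document itself, pass the description from docProps/core.xml as data and the document's company property as key.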