tkh4ck.github.io

Personal website and blog of tkh4ck


HCSC 2024 - Trampling

Description

It seems that this e-mail attachment does not work. We use old word processors in the office. Could that be the reason? Pw for the archive: definitelyNotInfected

Flag format: HCSC{}

Hint 1 (cost 200): A seismograph is usually a device for measuring the movement of the ground. Perhaps in this case it can be used for VBA analysis as well?

Metadata

Solution

We have a file named trampling with no extension. file identifies it as Microsoft OOXML, which means it is probably the newer Word / Excel / PowerPoint format. Those are basically ZIP files, so we can try to identify the correct extension using zipinfo:

$ file trampling                        
trampling: Microsoft OOXML

$ zipinfo trampling                                         
Archive:  trampling
Zip file size: 17478 bytes, number of entries: 15
-rw----     4.5 fat     1453 b- defN 80-Jan-01 00:00 [Content_Types].xml
-rw----     4.5 fat      665 b- defN 80-Jan-01 00:00 docProps/app.xml
-rw----     4.5 fat      466 b- stor 80-Jan-01 00:00 [trash]/0000.dat
-rw----     4.5 fat     2809 b- defN 80-Jan-01 00:00 word\document.xml
-rw----     4.5 fat     1574 b- defN 80-Jan-01 00:00 word\fontTable.xml
-rw----     4.5 fat     3051 b- defN 80-Jan-01 00:00 word\settings.xml
-rw----     4.5 fat    42438 b- defN 80-Jan-01 00:00 word\styles.xml
-rw----     4.5 fat     2619 b- defN 80-Jan-01 00:00 word\vbaData.xml
-rw----     4.5 fat    13824 b- defN 80-Jan-01 00:00 word\vbaProject.bin
-rw----     4.5 fat      894 b- defN 80-Jan-01 00:00 word\webSettings.xml
-rw----     4.5 fat     8397 b- defN 80-Jan-01 00:00 word\theme\theme1.xml
-rw----     4.5 fat      939 b- defN 80-Jan-01 00:00 word\_rels\document.xml.rels
-rw----     4.5 fat      277 b- defN 80-Jan-01 00:00 word\_rels\vbaProject.bin.rels
-rw----     4.5 fat      590 b- defN 80-Jan-01 00:00 _rels\.rels
-rw----     4.5 fat      709 b- defN 80-Jan-01 00:00 docProps/core.xml
15 files, 80705 bytes uncompressed, 15698 bytes compressed:  80.5%

It is a .docm file with a macro (word\vbaProject.bin). Let’s run the olevba tool:

$ olevba trampling 
olevba 0.60.1 on Python 3.11.8 - http://decalage.info/python/oletools
[...]
VBA MACRO ThisDocument.cls 
in file: word\vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Sub AutoOpen()
    Dim x As String
    x = chr(8876856 / CLng("&H153f4")) & chr(8416332 / CLng("&H13069")) & chr(-25455 + CLng("&H63d0")) & chr(CLng("&Hf93e") - 63703) & chr(5079285 / CLng("&Ha14f")) & chr(8720320 / CLng("&H11e40")) & chr(-55616 + CLng("&Hd974")) & chr(-3695 + CLng("&Hee2")) & chr(-92446 + CLng("&H1698c")) & chr(-51178 + CLng("&Hc85e")) & chr(-11034 + CLng("&H2b79")) & chr(-92092 + CLng("&H16825")) & chr(9364448 / CLng("&H13b58")) & chr(2261665 / CLng("&H5cff")) & chr(-7700 + CLng("&H1e88")) & chr(-50681 + CLng("&Hc629")) & chr(-41324 + CLng("&Ha19c")) & chr(CLng("&Hf9db") - 63868) & chr(CLng("&H6689") - 26198) & chr(116116 / CLng("&H8b9")) & chr(857900 / CLng("&H1d24")) & chr(8993083 / CLng("&H12253")) & chr(2150883 / CLng("&H855d")) & chr(12030375 / CLng("&H177f3"))
End Sub
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |AutoOpen            |Runs when the Word document is opened        |
|Suspicious|chr                 |May attempt to obfuscate specific strings    |
|          |                    |(use option --deobf to deobfuscate)          |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|VBA Stomping        |VBA Stomping was detected: the VBA source    |
|          |                    |code and P-code are different, this may have |
|          |                    |been used to hide malicious code             |
+----------+--------------------+---------------------------------------------+
VBA Stomping detection is experimental: please report any false positive/negative at https://github.com/decalage2/oletools/issues

We got something, however it is a red herring: as we can see, the tool says:

VBA Stomping was detected: the VBA source code and P-code are different, this may have been used to hide malicious code.

Office executes the compiled P-code (not the source text) when the document was saved by the same VBA version it is opened with, which is why the "old word processors" in the description matter: the decoy source is what olevba prints by default, while the real logic sits in the P-code. We can use the --show-pcode option to print it:

$ olevba --show-pcode trampling
olevba 0.60.1 on Python 3.11.8 - http://decalage.info/python/oletools
===============================================================================
FILE: trampling
Type: OpenXML
WARNING  For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls 
in file: word\vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Sub AutoOpen()
    Dim x As String
    x = chr(8876856 / CLng("&H153f4")) & chr(8416332 / CLng("&H13069")) & chr(-25455 + CLng("&H63d0")) & chr(CLng("&Hf93e") - 63703) & chr(5079285 / CLng("&Ha14f")) & chr(8720320 / CLng("&H11e40")) & chr(-55616 + CLng("&Hd974")) & chr(-3695 + CLng("&Hee2")) & chr(-92446 + CLng("&H1698c")) & chr(-51178 + CLng("&Hc85e")) & chr(-11034 + CLng("&H2b79")) & chr(-92092 + CLng("&H16825")) & chr(9364448 / CLng("&H13b58")) & chr(2261665 / CLng("&H5cff")) & chr(-7700 + CLng("&H1e88")) & chr(-50681 + CLng("&Hc629")) & chr(-41324 + CLng("&Ha19c")) & chr(CLng("&Hf9db") - 63868) & chr(CLng("&H6689") - 26198) & chr(116116 / CLng("&H8b9")) & chr(857900 / CLng("&H1d24")) & chr(8993083 / CLng("&H12253")) & chr(2150883 / CLng("&H855d")) & chr(12030375 / CLng("&H177f3"))
End Sub
-------------------------------------------------------------------------------
P-CODE disassembly:
Processing file: trampling
===============================================================================
Module streams:
VBA/ThisDocument - 6239 bytes
Line #0:
        FuncDefn (Sub AutoOpen())
Line #1:
        Dim 
        VarDefn reheyxuwczkdfibprd (As String)
Line #2:
        LitStr 0x0004 "2648"
        ArgsLd stvxkonagjkfkrd 0x0001 
        LitStr 0x0006 "356231"
        ArgsLd stvxkonagjkfkrd 0x0001 
        Concat 
        Coerce (Lng) 
        LitDI2 0x056E 
        Sub 
        ArgsLd Chr 0x0001 
        LitStr 0x0004 "2648"
        ArgsLd stvxkonagjkfkrd 0x0001 
        LitStr 0x0008 "38363639"
        ArgsLd stvxkonagjkfkrd 0x0001 
        Concat 
        Coerce (Lng) 
        LitDI4 0x85FA 0x0000 
        Sub 
        ArgsLd Chr 0x0001 
        Concat 
        LitDI4 0xF2F5 0x0032 
        LitStr 0x0004 "2648"
        ArgsLd stvxkonagjkfkrd 0x0001 
        LitStr 0x0008 "37376139"
        ArgsLd stvxkonagjkfkrd 0x0001 
        Concat 
        Coerce (Lng) 
        Div 
        ArgsLd Chr 0x0001 
        Concat 
        LitDI4 0xECE5 0x0000 
        UMi 
        LitStr 0x0004 "2648"
        ArgsLd stvxkonagjkfkrd 0x0001 
        LitStr 0x0008 "65643535"
        ArgsLd stvxkonagjkfkrd 0x0001 
        Concat 
        Coerce (Lng) 
        Add 
        ArgsLd Chr 0x0001 
        Concat 
        LitDI4 0xFB79 0x0000 
        UMi 
        LitStr 0x0008 "26486662"
        ArgsLd stvxkonagjkfkrd 0x0001 
        LitStr 0x0004 "6461"
        ArgsLd stvxkonagjkfkrd 0x0001 
        Concat 
        Coerce (Lng) 
        Add 
        ArgsLd Chr 0x0001 
        Concat 
        LitStr 0x0004 "2648"
        ArgsLd stvxkonagjkfkrd 0x0001 
        LitStr 0x0008 "37346539"
        ArgsLd stvxkonagjkfkrd 0x0001 
        Concat 
        Coerce (Lng) 
        LitDI2 0x747B 
        Sub 
        ArgsLd Chr 0x0001 
        Concat 
        LitDI4 0xEFF3 0x0000 
        UMi 
        LitStr 0x0008 "26486630"
        ArgsLd stvxkonagjkfkrd 0x0001 
        LitStr 0x0004 "3663"
        ArgsLd stvxkonagjkfkrd 0x0001 
        Concat 
        Coerce (Lng) 
        Add 
        ArgsLd Chr 0x0001 
        Concat 
        St reheyxuwczkdfibprd 
Line #3:
        Dim 
        VarDefn pdntatjcheryquiar (As String)
Line #4:
        Ld reheyxuwczkdfibprd 
        ArgsLd ADP 0x0001 
        St pdntatjcheryquiar 
Line #5:
        Dim 
        VarDefn edzbgjugomlsj (As String)
Line #6:
        Ld AD 
        Ld pdntatjcheryquiar 
        ArgsLd butsqagaopvcnoodtck 0x0002 
        St edzbgjugomlsj 
Line #7:
        EndSub 
Line #8:
        FuncDefn (Function azrppchfhrleghj(ByVal aquxseofc As String) As String)
Line #9:
        Dim 
        VarDefn twhbejgysk (As Long)
Line #10:
        StartForVariable 
        Ld twhbejgysk 
        EndForVariable 
        LitDI2 0x0001 
        Ld aquxseofc 
        FnLen 
        LitDI2 0x0002 
        ForStep 
Line #11:
        Ld azrppchfhrleghj 
        LitStr 0x0002 "&H"
        Ld aquxseofc 
        Ld twhbejgysk 
        LitDI2 0x0002 
        ArgsLd Mid$ 0x0003 
        Concat 
        ArgsLd Val 0x0001 
        ArgsLd Chr$ 0x0001 
        Concat 
        St azrppchfhrleghj 
Line #12:
        StartForVariable 
        Ld twhbejgysk 
        EndForVariable 
        NextVar 
Line #13:
        EndFunc 
Line #14:
        FuncDefn (Function AD(id_FFFE As Object) As Object)
Line #15:
        SetStmt 
        Ld ActiveDocument 
        Set AD 
Line #16:
        EndFunc 
Line #17:
        FuncDefn (Function butsqagaopvcnoodtck(d As ))
Line #18:
        Dim 
        VarDefn idklxrap (As String)
Line #19:
        Dim 
        VarDefn tudjxdzot (As Integer)
Line #20:
        Dim 
        VarDefn nyquvvyrkpzfugrtfm (As Integer)
Line #21:
        Ld vwkwcizm 
        FnLen 
        St nyquvvyrkpzfugrtfm 
Line #22:
        Dim 
        VarDefn vbfjerof (As String)
Line #23:
        Dim 
        VarDefn lfrwvvp (As String)
Line #24:
        Dim 
        VarDefn saaadoyb (As String)
Line #25:
        Dim 
        VarDefn dsvwnqv (As String)
Line #26:
        Dim 
        VarDefn wtvpzqnfaghargqw (As Integer)
Line #27:
        Dim 
        VarDefn twvkuxkbx (As Integer)
Line #28:
        Dim 
        VarDefn ogygbitmb (As Integer)
Line #29:
        Dim 
        VarDefn eichgukxdf (As String)
Line #30:
        Dim 
        VarDefn i
        VarDefn j
        VarDefn ytqsckoletsicsxcc (As Integer)
Line #31:
        LitStr 0x0004 "2648"
        ArgsLd azrppchfhrleghj 0x0001 
        LitStr 0x0003 "616"
        LitStr 0x0005 "63131"
        Concat 
        ArgsLd azrppchfhrleghj 0x0001 
        Concat 
        Coerce (Lng) 
        LitDI4 0xAECE 0x0000 
        Sub 
        ArgsLd Chr 0x0001 
        LitDI4 0x1239 0x000C 
        LitStr 0x0004 "2648"
        ArgsLd azrppchfhrleghj 0x0001 
        LitStr 0x0003 "316"
        LitStr 0x0005 "26437"
        Concat 
        ArgsLd azrppchfhrleghj 0x0001 
        Concat 
        Coerce (Lng) 
        Div 
        ArgsLd Chr 0x0001 
        Concat 
        LitDI2 0x2C6F 
        UMi 
        LitStr 0x0004 "2648"
        LitStr 0x0002 "32"
        Concat 
        ArgsLd azrppchfhrleghj 0x0001 
        LitStr 0x0003 "636"
        LitStr 0x0003 "463"
        Concat 
        ArgsLd azrppchfhrleghj 0x0001 
        Concat 
        Coerce (Lng) 
        Add 
        ArgsLd Chr 0x0001 
        Concat 
        LitStr 0x0006 "264865"
        LitStr 0x0002 "39"
        Concat 
        ArgsLd azrppchfhrleghj 0x0001 
        LitStr 0x0004 "6232"
        ArgsLd azrppchfhrleghj 0x0001 
        Concat 
        Coerce (Lng) 
        LitDI4 0xE945 0x0000 
        Sub 
        ArgsLd Chr 0x0001 
        Concat 
        LitDI2 0x58BB 
        UMi 
        LitStr 0x0002 "26"
        LitStr 0x0004 "4835"
        Concat 
        ArgsLd azrppchfhrleghj 0x0001 
        LitStr 0x0003 "393"
        LitStr 0x0003 "230"
        Concat 
        ArgsLd azrppchfhrleghj 0x0001 
        Concat 
        Coerce (Lng) 
        Add 
        ArgsLd Chr 0x0001 
        Concat 
        LitDI2 0x0274 
        UMi 
        LitStr 0x0004 "2648"
        ArgsLd azrppchfhrleghj 0x0001 
        LitStr 0x0004 "3265"
        LitStr 0x0002 "32"
        Concat 
        ArgsLd azrppchfhrleghj 0x0001 
        Concat 
        Coerce (Lng) 
        Add 
        ArgsLd Chr 0x0001 
        Concat 
        LitDI4 0x2C58 0x0001 
        UMi 
        LitStr 0x0004 "2648"
        ArgsLd azrppchfhrleghj 0x0001 
        LitStr 0x0005 "31326"
        LitStr 0x0005 "36363"
        Concat 
        ArgsLd azrppchfhrleghj 0x0001 
        Concat 
        Coerce (Lng) 
        Add 
        ArgsLd Chr 0x0001 
        Concat 
        LitStr 0x0004 "2648"
        ArgsLd azrppchfhrleghj 0x0001 
        LitStr 0x0004 "3465"
        LitStr 0x0004 "6562"
        Concat 
        ArgsLd azrppchfhrleghj 0x0001 
        Concat 
        Coerce (Lng) 
        LitDI2 0x4E78 
        Sub 
        ArgsLd Chr 0x0001 
        Concat 
        St lfrwvvp 
Line #32:
        Ld lfrwvvp 
        Ld d 
        ArgsMemLd BuiltInDocumentProperties 0x0001 
        St idklxrap 
Line #33:
        ArgsCall Randomize 0x0000 
Line #34:
        LitDI2 0x000F 
        LitDI2 0x0005 
        Sub 
        LitDI2 0x0001 
        Add 
        Paren 
        Ld Rnd 
        Mul 
        LitDI2 0x0005 
        Add 
        FnInt 
        St wtvpzqnfaghargqw 
Line #35:
        LitDI2 0x0041 
        St twvkuxkbx 
Line #36:
        LitDI2 0x005A 
        St ogygbitmb 
Line #37:
        StartForVariable 
        Ld i 
        EndForVariable 
        LitDI2 0x0001 
        Ld wtvpzqnfaghargqw 
        For 
Line #38:
        Ld ogygbitmb 
        Ld twvkuxkbx 
        Sub 
        LitDI2 0x0001 
        Add 
        Paren 
        Ld Rnd 
        Mul 
        Ld twvkuxkbx 
        Add 
        FnInt 
        ArgsLd Chr 0x0001 
        St eichgukxdf 
Line #39:
        Ld saaadoyb 
        Ld eichgukxdf 
        Concat 
        St saaadoyb 
Line #40:
        StartForVariable 
        Ld i 
        EndForVariable 
        NextVar 
Line #41:
        StartForVariable 
        Ld i 
        EndForVariable 
        LitDI2 0x0001 
        Ld saaadoyb 
        FnLen 
        For 
Line #42:
        StartForVariable 
        Ld j 
        EndForVariable 
        LitDI2 0x0001 
        Ld i 
        For 
Line #43:
        StartForVariable 
        Ld ytqsckoletsicsxcc 
        EndForVariable 
        LitDI2 0x0001 
        Ld j 
        For 
Line #44:
        Ld dsvwnqv 
        Ld saaadoyb 
        Ld ytqsckoletsicsxcc 
        LitDI2 0x0001 
        ArgsLd Mid 0x0003 
        Concat 
        St dsvwnqv 
Line #45:
        StartForVariable 
        Ld ytqsckoletsicsxcc 
        EndForVariable 
        NextVar 
Line #46:
        StartForVariable 
        Ld j 
        EndForVariable 
        NextVar 
Line #47:
        StartForVariable 
        Ld i 
        EndForVariable 
        NextVar 
Line #48:
        StartForVariable 
        Ld tudjxdzot 
        EndForVariable 
        LitDI2 0x0001 
        Ld idklxrap 
        FnLen 
        For 
Line #49:
        Dim 
        VarDefn iryyloqwtrxwrirrxtm (As Integer)
Line #50:
        Dim 
        VarDefn hxmbhpuzqkuxhwks (As Integer)
Line #51:
        Dim 
        VarDefn dwhiuxllel (As Integer)
Line #52:
        Ld idklxrap 
        Ld tudjxdzot 
        LitDI2 0x0001 
        ArgsLd Mid 0x0003 
        ArgsLd AscW 0x0001 
        St iryyloqwtrxwrirrxtm 
Line #53:
        Ld vwkwcizm 
        Ld tudjxdzot 
        LitDI2 0x0001 
        Sub 
        Paren 
        Ld nyquvvyrkpzfugrtfm 
        Mod 
        LitDI2 0x0001 
        Add 
        LitDI2 0x0001 
        ArgsLd Mid 0x0003 
        ArgsLd AscW 0x0001 
        St hxmbhpuzqkuxhwks 
Line #54:
        Ld iryyloqwtrxwrirrxtm 
        Ld hxmbhpuzqkuxhwks 
        Sub 
        St dwhiuxllel 
Line #55:
        Ld vbfjerof 
        Ld dwhiuxllel 
        ArgsLd ChrW 0x0001 
        Concat 
        St vbfjerof 
Line #56:
        Ld vbfjerof 
        St butsqagaopvcnoodtck 
Line #57:
        StartForVariable 
        Next 
Line #58:
        ArgsCall Randomize 0x0000 
Line #59:
        LitDI2 0x000F 
        LitDI2 0x0005 
        Sub 
        LitDI2 0x0001 
        Add 
        Paren 
        Ld Rnd 
        Mul 
        LitDI2 0x0005 
        Add 
        FnInt 
        St wtvpzqnfaghargqw 
Line #60:
        LitDI2 0x0041 
        St twvkuxkbx 
Line #61:
        LitDI2 0x005A 
        St ogygbitmb 
Line #62:
        StartForVariable 
        Ld i 
        EndForVariable 
        LitDI2 0x0001 
        Ld wtvpzqnfaghargqw 
        For 
Line #63:
        Ld ogygbitmb 
        Ld twvkuxkbx 
        Sub 
        LitDI2 0x0001 
        Add 
        Paren 
        Ld Rnd 
        Mul 
        Ld twvkuxkbx 
        Add 
        FnInt 
        ArgsLd Chr 0x0001 
        St eichgukxdf 
Line #64:
        Ld saaadoyb 
        Ld eichgukxdf 
        Concat 
        St saaadoyb 
Line #65:
        StartForVariable 
        Ld i 
        EndForVariable 
        NextVar 
Line #66:
        StartForVariable 
        Ld i 
        EndForVariable 
        LitDI2 0x0001 
        Ld saaadoyb 
        FnLen 
        For 
Line #67:
        StartForVariable 
        Ld j 
        EndForVariable 
        LitDI2 0x0001 
        Ld i 
        For 
Line #68:
        StartForVariable 
        Ld ytqsckoletsicsxcc 
        EndForVariable 
        LitDI2 0x0001 
        Ld j 
        For 
Line #69:
        Ld dsvwnqv 
        Ld saaadoyb 
        Ld ytqsckoletsicsxcc 
        LitDI2 0x0001 
        ArgsLd Mid 0x0003 
        Concat 
        St dsvwnqv 
Line #70:
        StartForVariable 
        Ld ytqsckoletsicsxcc 
        EndForVariable 
        NextVar 
Line #71:
        StartForVariable 
        Ld j 
        EndForVariable 
        NextVar 
Line #72:
        StartForVariable 
        Ld i 
        EndForVariable 
        NextVar 
Line #73:
        EndFunc 
Line #74:
        FuncDefn (Function vbfuhiiejlduxfx(ByVal ozgivtdgg As String) As String)
Line #75:
        Dim 
        VarDefn achsuflnqe (As Long)
Line #76:
        StartForVariable 
        Ld achsuflnqe 
        EndForVariable 
        LitDI2 0x0001 
        Ld ozgivtdgg 
        FnLen 
        LitDI2 0x0002 
        ForStep 
Line #77:
        Ld vbfuhiiejlduxfx 
        LitStr 0x0002 "&H"
        Ld ozgivtdgg 
        Ld achsuflnqe 
        LitDI2 0x0002 
        ArgsLd Mid$ 0x0003 
        Concat 
        ArgsLd Val 0x0001 
        ArgsLd Chr$ 0x0001 
        Concat 
        St vbfuhiiejlduxfx 
Line #78:
        StartForVariable 
        Ld achsuflnqe 
        EndForVariable 
        NextVar 
Line #79:
        EndFunc 
Line #80:
        FuncDefn (Function ADP(p As String))
Line #81:
        Ld p 
        Ld ActiveDocument 
        ArgsMemLd BuiltInDocumentProperties 0x0001 
        St ADP 
Line #82:
        EndFunc 
Line #83:
        FuncDefn (Function stvxkonagjkfkrd(ByVal rwqarxcyt As String) As String)
Line #84:
        Dim 
        VarDefn iappkmhqcm (As Long)
Line #85:
        StartForVariable 
        Ld iappkmhqcm 
        EndForVariable 
        LitDI2 0x0001 
        Ld rwqarxcyt 
        FnLen 
        LitDI2 0x0002 
        ForStep 
Line #86:
        Ld stvxkonagjkfkrd 
        LitStr 0x0002 "&H"
        Ld rwqarxcyt 
        Ld iappkmhqcm 
        LitDI2 0x0002 
        ArgsLd Mid$ 0x0003 
        Concat 
        ArgsLd Val 0x0001 
        ArgsLd Chr$ 0x0001 
        Concat 
        St stvxkonagjkfkrd 
Line #87:
        StartForVariable 
        Ld iappkmhqcm 
        EndForVariable 
        NextVar 
Line #88:
        EndFunc 
Line #89:
Line #90:

+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |AutoOpen            |Runs when the Word document is opened        |
|Suspicious|chr                 |May attempt to obfuscate specific strings    |
|          |                    |(use option --deobf to deobfuscate)          |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|VBA Stomping        |VBA Stomping was detected: the VBA source    |
|          |                    |code and P-code are different, this may have |
|          |                    |been used to hide malicious code             |
+----------+--------------------+---------------------------------------------+
VBA Stomping detection is experimental: please report any false positive/negative at https://github.com/decalage2/oletools/issues

I didn’t really want to read through the p-code by hand, only as a last resort. Luckily, I found a decompiler: https://github.com/Big5-sec/pcode2code. It could almost perfectly recover the source code:

$ pcode2code trampling
stream : VBA/ThisDocument - 6239 bytes
########################################

Sub AutoOpen()
  Dim reheyxuwczkdfibprd As String
  reheyxuwczkdfibprd = Chr(CLng(stvxkonagjkfkrd("2648") & stvxkonagjkfkrd("356231")) - 1390) & Chr(CLng(stvxkonagjkfkrd("2648") & stvxkonagjkfkrd("38363639")) - 34298) & Chr(3338997 / CLng(stvxkonagjkfkrd("2648") & stvxkonagjkfkrd("37376139"))) & Chr(-60645 + CLng(stvxkonagjkfkrd("2648") & stvxkonagjkfkrd("65643535"))) & Chr(-64377 + CLng(stvxkonagjkfkrd("26486662") & stvxkonagjkfkrd("6461"))) & Chr(CLng(stvxkonagjkfkrd("2648") & stvxkonagjkfkrd("37346539")) - 29819) & Chr(-61427 + CLng(stvxkonagjkfkrd("26486630") & stvxkonagjkfkrd("3663")))
  Dim pdntatjcheryquiar As String
  pdntatjcheryquiar = ADP(reheyxuwczkdfibprd)
  Dim edzbgjugomlsj As String
  edzbgjugomlsj = butsqagaopvcnoodtck(AD, pdntatjcheryquiar)
End Sub

Function azrppchfhrleghj(ByVal aquxseofc As String) As String
  Dim twhbejgysk As Long
  For twhbejgysk = 1 To Len(aquxseofc) Step 2
    azrppchfhrleghj = azrppchfhrleghj & Chr$(Val("&H" & Mid$(aquxseofc, twhbejgysk, 2)))
  Next twhbejgysk
End Function

Function AD(id_FFFE As Object) As Object
  Set AD = ActiveDocument
End Function

Function butsqagaopvcnoodtck(d As )
  Dim idklxrap As String
  Dim tudjxdzot As Integer
  Dim nyquvvyrkpzfugrtfm As Integer
  nyquvvyrkpzfugrtfm = Len(vwkwcizm)
  Dim vbfjerof As String
  Dim lfrwvvp As String
  Dim saaadoyb As String
  Dim dsvwnqv As String
  Dim wtvpzqnfaghargqw As Integer
  Dim twvkuxkbx As Integer
  Dim ogygbitmb As Integer
  Dim eichgukxdf As String
  Dim i, j, ytqsckoletsicsxcc As Integer
  lfrwvvp = Chr(CLng(azrppchfhrleghj("2648") & azrppchfhrleghj("616" & "63131")) - 44750) & Chr(791097 / CLng(azrppchfhrleghj("2648") & azrppchfhrleghj("316" & "26437"))) & Chr(-11375 + CLng(azrppchfhrleghj("2648" & "32") & azrppchfhrleghj("636" & "463"))) & Chr(CLng(azrppchfhrleghj("264865" & "39") & azrppchfhrleghj("6232")) - 59717) & Chr(-22715 + CLng(azrppchfhrleghj("26" & "4835") & azrppchfhrleghj("393" & "230"))) & Chr(-628 + CLng(azrppchfhrleghj("2648") & azrppchfhrleghj("3265" & "32"))) & Chr(-76888 + CLng(azrppchfhrleghj("2648") & azrppchfhrleghj("31326" & "36363"))) & Chr(CLng(azrppchfhrleghj("2648") & azrppchfhrleghj("3465" & "6562")) - 20088)
  idklxrap = d.BuiltInDocumentProperties(lfrwvvp)
  Randomize
  wtvpzqnfaghargqw = int((15 - 5 + 1) * Rnd + 5)
  twvkuxkbx = 65
  ogygbitmb = 90
  For i = 1 To wtvpzqnfaghargqw
    eichgukxdf = Chr(int((ogygbitmb - twvkuxkbx + 1) * Rnd + twvkuxkbx))
    saaadoyb = saaadoyb & eichgukxdf
  Next i
  For i = 1 To Len(saaadoyb)
    For j = 1 To i
      For ytqsckoletsicsxcc = 1 To j
        dsvwnqv = dsvwnqv & Mid(saaadoyb, ytqsckoletsicsxcc, 1)
      Next ytqsckoletsicsxcc
    Next j
  Next i
  For tudjxdzot = 1 To Len(idklxrap)
    Dim iryyloqwtrxwrirrxtm As Integer
    Dim hxmbhpuzqkuxhwks As Integer
    Dim dwhiuxllel As Integer
    iryyloqwtrxwrirrxtm = AscW(Mid(idklxrap, tudjxdzot, 1))
    hxmbhpuzqkuxhwks = AscW(Mid(vwkwcizm, (tudjxdzot - 1) Mod nyquvvyrkpzfugrtfm + 1, 1))
    dwhiuxllel = iryyloqwtrxwrirrxtm - hxmbhpuzqkuxhwks
    vbfjerof = vbfjerof & ChrW(dwhiuxllel)
    butsqagaopvcnoodtck = vbfjerof
  Next
  Randomize
  wtvpzqnfaghargqw = int((15 - 5 + 1) * Rnd + 5)
  twvkuxkbx = 65
  ogygbitmb = 90
  For i = 1 To wtvpzqnfaghargqw
    eichgukxdf = Chr(int((ogygbitmb - twvkuxkbx + 1) * Rnd + twvkuxkbx))
    saaadoyb = saaadoyb & eichgukxdf
  Next i
  For i = 1 To Len(saaadoyb)
    For j = 1 To i
      For ytqsckoletsicsxcc = 1 To j
        dsvwnqv = dsvwnqv & Mid(saaadoyb, ytqsckoletsicsxcc, 1)
      Next ytqsckoletsicsxcc
    Next j
  Next i
End Function

Function vbfuhiiejlduxfx(ByVal ozgivtdgg As String) As String
  Dim achsuflnqe As Long
  For achsuflnqe = 1 To Len(ozgivtdgg) Step 2
    vbfuhiiejlduxfx = vbfuhiiejlduxfx & Chr$(Val("&H" & Mid$(ozgivtdgg, achsuflnqe, 2)))
  Next achsuflnqe
End Function

Function ADP(p As String)
  ADP = ActiveDocument.BuiltInDocumentProperties(p)
End Function

Function stvxkonagjkfkrd(ByVal rwqarxcyt As String) As String
  Dim iappkmhqcm As Long
  For iappkmhqcm = 1 To Len(rwqarxcyt) Step 2
    stvxkonagjkfkrd = stvxkonagjkfkrd & Chr$(Val("&H" & Mid$(rwqarxcyt, iappkmhqcm, 2)))
  Next iappkmhqcm
End Function

The created VBA code is not 100% correct. If we open the original document (rename it to .docm first) in Word, create a new macro and paste the code in, we get some syntax / compile-time errors (visible in the listing above: the missing parameter type in Function butsqagaopvcnoodtck(d As ) and the never-declared key variable vwkwcizm, which is the second argument AutoOpen passes to that function):

Open the Immediate Window (Ctrl + G), add Debug.Print edzbgjugomlsj as the last line of the AutoOpen sub (to print the result of the last function call), and execute the macro.

This dynamic execution only works with the provided document, because the macro reads some properties of the document (such as the Company and the Comments / description) and uses them to build the flag. If we unzip the document, the docProps/core.xml file contains the description of the document, which the macro itself reads:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:title></dc:title><dc:subject></dc:subject><cp:keywords></cp:keywords><dc:description>¬¶µêØ£àͬ¿¥¦Îæãá½²ÑÙÎÅ¥¦¥§¤¥Ê</dc:description><dcterms:created xsi:type="dcterms:W3CDTF">2024-04-02T14:58:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2024-04-02T15:05:00Z</dcterms:modified></cp:coreProperties>
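To check the recovered logic without opening the document in Word, here is an added Python re-implementation (not part of the original write-up or the challenge) of the two pieces the p-code shows: the hex-pair string decoder that hides which BuiltInDocumentProperties are read, and the per-character subtraction that turns the Comments property into the flag, keyed by the Company property. The Company value and the Comments string in the usage part are constructed stand-ins; the real ones are inside the challenge document.

```python
# Added example: a Python port of the decoding logic in the recovered p-code.
# Names mirror the macro where useful; nothing here is the challenge's own code.

def hexpairs_to_str(s: str) -> str:
    """Port of stvxkonagjkfkrd / azrppchfhrleghj: pairs of hex digits -> chars ("2648" -> "&H")."""
    return "".join(chr(int(s[i:i + 2], 16)) for i in range(0, len(s), 2))

def clng(s: str) -> int:
    """Port of VBA CLng("&H....") for the hex literals the macro assembles at runtime."""
    assert s.startswith("&H"), s
    return int(s[2:], 16)

H = hexpairs_to_str  # short alias so the expressions below read like the macro

def first_property_name() -> str:
    """reheyxuwczkdfibprd from AutoOpen, evaluated term by term (divisions are exact)."""
    return (chr(clng(H("2648") + H("356231")) - 1390)
            + chr(clng(H("2648") + H("38363639")) - 34298)
            + chr(3338997 // clng(H("2648") + H("37376139")))
            + chr(-60645 + clng(H("2648") + H("65643535")))
            + chr(-64377 + clng(H("26486662") + H("6461")))
            + chr(clng(H("2648") + H("37346539")) - 29819)
            + chr(-61427 + clng(H("26486630") + H("3663"))))

def second_property_name() -> str:
    """lfrwvvp from butsqagaopvcnoodtck, evaluated term by term."""
    return (chr(clng(H("2648") + H("616" + "63131")) - 44750)
            + chr(791097 // clng(H("2648") + H("316" + "26437")))
            + chr(-11375 + clng(H("2648" + "32") + H("636" + "463")))
            + chr(clng(H("264865" + "39") + H("6232")) - 59717)
            + chr(-22715 + clng(H("26" + "4835") + H("393" + "230")))
            + chr(-628 + clng(H("2648") + H("3265" + "32")))
            + chr(-76888 + clng(H("2648") + H("31326" + "36363")))
            + chr(clng(H("2648") + H("3465" + "6562")) - 20088))

def decode_flag(comments: str, company: str) -> str:
    """Port of the loop over idklxrap: out[i] = AscW(comments[i]) - AscW(company[i mod n]).
    VBA's Mid(key, (i - 1) Mod n + 1, 1) is 1-based; company[i % n] is the 0-based equivalent.
    The random-letter loops around it never feed into the result, so they are omitted."""
    n = len(company)
    return "".join(chr(ord(c) - ord(company[i % n])) for i, c in enumerate(comments))

def encode_flag(flag: str, company: str) -> str:
    """Inverse transform; only used to build a constructed sample Comments value."""
    n = len(company)
    return "".join(chr(ord(c) + ord(company[i % n])) for i, c in enumerate(flag))

if __name__ == "__main__":
    # The two property names the macro reads (Company feeds the key, Comments the ciphertext).
    print(first_property_name(), second_property_name())   # Company Comments
    key = "ACME"                                   # constructed stand-in for the Company property
    sample = encode_flag("HCSC{sample}", key)      # constructed stand-in for dc:description
    print(repr(sample), "->", decode_flag(sample, key))
```

With the real document, the same decode_flag call on the dc:description text and the Company value from docProps/app.xml reproduces what Debug.Print edzbgjugomlsj shows in Word.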

Flag: HCSC{e4zY_VB4_st0mpIng_!!_1928464521}