The sample used here is from a video by Karsten Hahn (@struppigel).
If you have not seen any of his videos before, I would highly recommend checking them out.
The video can be found here: https://youtu.be/SCJVW1E8dFA
The sample can be found at Hybrid Analysis if you want to follow along.
In the video he shows a Base64 string that he extracts from the document using a hex editor, like this.
After watching the video and locating the file, I wanted to take a deeper look at it and see how my own methods would work at decoding it.
I recently decided to try using “Apache OpenOffice” to extract the macros from these documents, and it has worked well.
When we first open the document we see this.
At least the default is to pop up a warning. After clicking “OK” we see this.
That is actually a picture embedded in the document, not a popup window.
When we locate the macro we see this.
A closer look in Notepad++.
That is kind of difficult to sort through, so let's clear out everything that does not appear to do anything. We end up with this.
That sure did cut a lot of junk out of the way.
So it looks like it is getting the value of the document's built-in Comments property.
As you can see here, the Comments section is where the Base64 string gets extracted from. Because this is document metadata rather than part of the macro project, it also shows up in a plain metadata dump (olemeta from oletools for an OLE file, or docProps/core.xml inside an OOXML zip), which is a cheap place to check whenever a macro references document properties instead of carrying its payload inline.
And the full Base64 string.
Most of the “Red Team Tools” produce UTF-16 (UTF-16LE) encoded payloads, because that is what PowerShell's -EncodedCommand expects. So we will try Base64 decoding using UTF-16 encoding.
After decoding I get this.
A closer look.
So what is this thing doing? If we take a closer look at the end we see this.
Normally what I see is hex separated by some kind of fill-in delimiter or fill-in characters that get removed.
Here we have decimal character codes separated by several different split characters, which the script splits on to turn the codes back into normal characters. This is the first time I've seen this done, so I wrote another new tool to quickly overcome this type of encoding.
All this new tool does is a string replacement for each of the various split characters used, replacing them all with just one, in this case a comma. Once you have a common split character you can split on it, loop through the pieces, decode each character code, and return the string output.
We could have done a string replace one character at a time and ended up with something like this.
After that we still have to decode the decimal character codes.
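As an added example (my own code, not the author's tool and not code from the post), here is the same decode written in Python: Base64 to UTF-16LE text, collapse the mixed split characters into one common separator, split on it, and map each decimal code to its character. The delimiter set in SPLIT_CHARS and the payload built by make_sample are constructed for the demo, not taken from the real document; the UTF-16 check is a heuristic (ASCII text encoded as UTF-16LE has a zero byte at every odd offset), so that a sample that is plain UTF-8 still decodes. It also goes one step beyond the post with decode_char_codes_any, which pulls every run of digits out of the text and so works without knowing the delimiter set at all.

```python
import base64
import re

# Constructed delimiter set for the demo, not the real sample's characters.
SPLIT_CHARS = ";,.%*^-"


def make_sample(plaintext: str) -> str:
    """Build a constructed payload with the same layering the post describes:
    decimal char codes joined with rotating delimiters, then UTF-16LE, then Base64."""
    codes = [str(ord(c)) for c in plaintext]
    parts = []
    for i, code in enumerate(codes):
        parts.append(code)
        if i < len(codes) - 1:
            parts.append(SPLIT_CHARS[i % len(SPLIT_CHARS)])
    joined = "".join(parts)
    return base64.b64encode(joined.encode("utf-16-le")).decode("ascii")


def looks_like_utf16le(raw: bytes) -> bool:
    """Heuristic: ASCII text stored as UTF-16LE has 0x00 at (almost) every odd offset."""
    if len(raw) < 2 or len(raw) % 2:
        return False
    odd = raw[1::2]
    return odd.count(0) / len(odd) > 0.9


def decode_base64_text(b64: str) -> str:
    """Stage 1: Base64 -> bytes -> text. UTF-16LE is what PowerShell's
    -EncodedCommand uses, but fall back to UTF-8 when the bytes do not look like it."""
    raw = base64.b64decode(b64)
    if looks_like_utf16le(raw):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def normalize_split_chars(text: str, split_chars: str = SPLIT_CHARS, common: str = ",") -> str:
    """Stage 2: replace every delimiter variant with one common separator.
    This is all the post's tool does before splitting."""
    return re.sub("[" + re.escape(split_chars) + "]", common, text)


def decode_char_codes(text: str, common: str = ",") -> str:
    """Stage 3: split on the common separator and turn each decimal code into a character.
    Tokens that are not pure digits (e.g. empty ones from adjacent delimiters) are skipped."""
    out = []
    for tok in text.split(common):
        tok = tok.strip()
        if tok.isdigit():
            out.append(chr(int(tok)))
    return "".join(out)


def decode_char_codes_any(text: str) -> str:
    """Generalisation: treat every non-digit run as a separator, so the delimiter
    set does not need to be known. Only apply this to the code list itself; any
    other digits in the surrounding script would be swept up too."""
    return "".join(chr(int(tok)) for tok in re.findall(r"\d+", text))


def decode_layers(b64: str, split_chars: str = SPLIT_CHARS) -> str:
    """Run all three stages on a Base64 blob as pulled from the Comments property."""
    stage1 = decode_base64_text(b64)
    stage2 = normalize_split_chars(stage1, split_chars)
    return decode_char_codes(stage2)


if __name__ == "__main__":
    # Constructed stand-in for the real script; the URL is a placeholder.
    sample = make_sample('$u = "http://example.invalid/x"')
    print(decode_layers(sample))
```

If the delimiter set is unknown, run decode_base64_text on the blob, eyeball the code list, and either extend split_chars or use decode_char_codes_any on just that list.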
Here is a closer look at the formatted script that was decoded.
This script reaches out to the listed sites to download a file and saves it under a random name.
I was not able to download the file directly today after extracting the URLs.
So we know it was a downloader, but we don't know what it would have downloaded if it had succeeded.
This had piqued my interest because of the multiple split characters used between the character codes, and because they did not store the Base64 string in the macro but hid it in the document's Comments section instead.
That's it for this one. I hope you learned something, as I did.