Hero Image
XLM Macros (Document Analysis)

https://cyberdefenders.org/labs/55 Contents Description Helpful Tools Questions 1: Sample1: What is the document decryption password? 2. There is no question 2 . . . 3: Sample1: This document contains six hidden sheets. What are their names? Provide the value of the one starting with S. 4: Sample1: What URL is the malware using to download the next stage? 5: Sample1: What malware family was this document attempting to drop? 6: Sample2: This document has a very hidden sheet. What is the name of this sheet? 7: Sample2: This document uses reg.exe. What registry key is it checking? 8: Sample2: From the use of reg.exe, what value of the assessed key indicates a sandbox environment? 9: Sample2: This document performs several additional anti-analysis checks. What Excel 4 macro function does it use? 10: Sample2: This document checks for the name of the environment in which Excel is running. What value is it using to compare? 11: Sample2: What type of payload is downloaded? 12: Sample2: What URL does the malware download the payload from? 13: Sample2: What is the filename that the payload is saved as? 14: Sample2: How is the payload executed? For example, mshta.exe 15: Sample2: What was the malware family? Comments? Description Recently, we have seen a resurgence of Excel-based malicous office documents. Howerver, instead of using VBA-style macros, they are using older style Excel 4 macros. This changes our approach to analyzing these documents, requiring a slightly different set of tools. In this challenge, you’ll get hands-on with two documents that use Excel 4.0 macros to perform anti-analysis and download the next stage of the attack.