emo

hackthebox

Task: Extract a flag from a malicious Word document used in a ransomware phishing attack. Solution: Extract VBA macros from the .docm file, decode the Base64-encoded PowerShell payload, find an integer array representing XOR-encrypted data, and decrypt with key 0xdf to reveal the flag.

word_document xor_decryption malware_analysis powershell phishing ransomware vba_macros base64_decoding wear_ransomware

base64_decodingxor_bruteforcedocm_as_zip_extractionvba_macro_extractionpowershell_deobfuscation

$ ls tags/ techniques/

word_document xor_decryption malware_analysis powershell phishing ransomware vba_macros base64_decoding wear_ransomware

base64_decodingxor_bruteforcedocm_as_zip_extractionvba_macro_extractionpowershell_deobfuscation

emo — HackTheBox

Description

WearRansom ransomware was released in our company. The SOC has traced the initial access to a phishing attack, a Word document with macros. Take a look at the document and see if you can find anything else about the malware and perhaps a flag.

Analysis

Step 1: Word Document Extraction

Word documents with macros (.docm) are actually ZIP archives. We can extract them using standard ZIP tools or directly examine the contents:

# Extract as ZIP
unzip -q emo.docm -d emo_extracted
ls emo_extracted/

Step 2: VBA Macro Extraction

Using oletools to extract and analyze VBA macros:

# Extract VBA macros
oledump.py emo.docm
olevba emo.docm

Key findings:

Document_open() entry point in macros (executes when document opens)
Obfuscated PowerShell code embedded in the VBA

Step 3: PowerShell Payload Decoding

The VBA contains a Base64-encoded PowerShell payload. Extract and decode it:

import base64

# The encoded payload from VBA macro
encoded = "..."  # Base64 string from macro
decoded = base64.b64decode(encoded)

# Remove non-ASCII characters
import re
clean = re.sub(rb'[^\x00-\x7F]+', b'', decoded)

Step 4: Flag Extraction

The deobfuscated PowerShell contains:

An array of integers representing XORed flag bytes
XOR key: 0xdf (found as [byte][char]${_} -bxor 0xdf)

# Integers from the decoded payload
data = [186,141,228,182,177,171,229,236,239,239,239,228,181,182,171,229,234,239,239,228,185,179,190,184,229,151,139,157,164,235,177,239,171,183,236,141,128,187,235,134,128,158,177,176,139,183,154,173,128,175,151,238,140,183,162,228,170,173,179,229]

# XOR with key 0xdf
xor_key = 0xdf
flag = ''.join(chr(b ^ xor_key) for b in data)
print(flag)

Solution

#!/usr/bin/env python3
"""
emo - HackTheBox Forensic Challenge Solution
WearRansom ransomware analysis - extracting flag from obfuscated PowerShell
"""

# Integers extracted from the deobfuscated PowerShell payload
data = [186,141,228,182,177,171,229,236,239,239,239,228,181,182,171,229,234,239,239,228,185,179,190,184,229,151,139,157,164,235,177,239,171,183,236,141,128,187,235,134,128,158,177,176,139,183,154,173,128,175,151,238,140,183,162,228,170,173,179,229]

# XOR key found in PowerShell: [byte][char]${_} -bxor 0xdf
xor_key = 0xdf

# Decode
flag = ''.join(chr(b ^ xor_key) for b in data)
print(f"Flag: {flag}")

Key Findings

Malware Type: WearRansom ransomware
Initial Access: Phishing email with malicious Word document (.docm)
Attack Vector: VBA macros with embedded obfuscated PowerShell
Obfuscation Techniques:
- Base64 encoding of PowerShell payload
- Non-ASCII character filtering
- XOR encryption with key 0xdf

Key Indicators

This technique is useful when:

Analyzing phishing documents with macros
Examining .docm files for hidden payloads
Dealing with VBA macros that execute on document open
Finding Base64-encoded PowerShell in macro code
Identifying integer arrays that represent encrypted data
Looking for XOR operations in deobfuscated scripts

Tools Used

oletools: Suite of tools for analyzing OLE and Microsoft Office files
- oledump.py: Dump OLE streams (extract macros)
- olevba: Extract and analyze VBA macros
Python3: For decoding and XOR operations
CyberChef: For debugging and quick transformations

References

0xv1n writeup: https://0xv1n.github.io/posts/emo/
Hackplayers PDF writeup