emo — HackTheBox

Tags: forensics, free, easy

Task: Extract a flag from a malicious Word document used in a ransomware phishing attack. Solution: Extract VBA macros from the .docm file, decode the Base64-encoded PowerShell payload, find an integer array representing XOR-encrypted data, and decrypt with key 0xdf to reveal the flag.

Techniques: base64_decoding, xor_bruteforce, docm_as_zip_extraction, vba_macro_extraction, powershell_deobfuscation


Description

WearRansom ransomware was released in our company. The SOC has traced the initial access to a phishing attack, a Word document with macros. Take a look at the document and see if you can find anything else about the malware and perhaps a flag.

Analysis

Step 1: Word Document Extraction

Macro-enabled Word documents (.docm) are Office Open XML packages, which means they are ZIP archives. The macro code itself is stored in word/vbaProject.bin, an OLE (Compound File) container inside the ZIP, so standard ZIP tools are enough to get at it:

# Extract as ZIP
unzip -q emo.docm -d emo_extracted
ls emo_extracted/

Step 2: VBA Macro Extraction

Using oletools to extract and analyze the VBA macros. oledump.py lists the OLE streams and marks macro streams with an M (dump one with -s <index> -v to get the decompressed VBA source); olevba prints the decompressed source directly along with its summary of suspicious keywords:

# Extract VBA macros
oledump.py emo.docm
olevba emo.docm

Key findings:

  • A Document_Open() auto-exec handler in the macros (runs as soon as the document is opened, if macros are allowed)
  • Obfuscated PowerShell code embedded in the VBA
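The container checks from Steps 1 and 2, as an added Python example that is not part of the original writeup: it verifies the ZIP signature, reads [Content_Types].xml to confirm the main part is macro-enabled, locates vbaProject.bin and checks that it starts with the OLE (Compound File) header. The archive it runs on is constructed inline as a stand-in for emo.docm, and build_sample_docm and triage_docm are names chosen here. Reading the compressed VBA source out of the OLE stream is what olevba does and is not repeated here.

```python
import io
import zipfile

# Compound File (OLE) header: word/vbaProject.bin must start with this
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type Word assigns to the main part of a macro-enabled document
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
# Content type of the VBA project part
VBA_CT = "application/vnd.ms-office.vbaProject"

# Constructed [Content_Types].xml in the shape Word writes for a .docm
CONTENT_TYPES = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
<Default Extension="xml" ContentType="application/xml"/>
<Default Extension="bin" ContentType="{VBA_CT}"/>
<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_CT}"/>
</Types>"""


def build_sample_docm() -> bytes:
    """Constructed stand-in for emo.docm: the package layout of a macro-enabled
    document, with a placeholder OLE blob where the real VBA project would be."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


def triage_docm(data: bytes) -> dict:
    """First-pass questions without opening Word: is it an OOXML package, is the
    main part macro-enabled, and where is the VBA project?"""
    if not data.startswith(b"PK\x03\x04"):
        return {"is_zip": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        ct = ""
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        ole_ok = all(z.read(n).startswith(OLE_MAGIC) for n in vba_parts)
    return {
        "is_zip": True,
        "macro_enabled": MACRO_MAIN_CT in ct,
        "vba_parts": vba_parts,
        "ole_header_ok": bool(vba_parts) and ole_ok,
    }


if __name__ == "__main__":
    print(triage_docm(build_sample_docm()))
```

A vbaProject.bin that is present but does not start with the OLE header, or a package whose main part is not macro-enabled yet still carries a VBA part, is worth a second look rather than a pass.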

Step 3: PowerShell Payload Decoding

The VBA contains a Base64-encoded PowerShell payload. Extract and decode it:

import base64
import re

# The encoded payload copied from the VBA macro
encoded = "..."  # Base64 string from macro
decoded = base64.b64decode(encoded)

# Remove non-ASCII bytes so the script reads cleanly
clean = re.sub(rb'[^\x00-\x7F]+', b'', decoded)
print(clean.decode('ascii'))

Note that this byte range keeps NUL bytes. If the decoded blob alternates ASCII and NUL, it is UTF-16LE (the encoding powershell -EncodedCommand expects) and should be read with decoded.decode('utf-16le') rather than filtered.

Step 4: Flag Extraction

The deobfuscated PowerShell contains:

  • An array of integers representing the XORed flag bytes
  • XOR key: 0xdf (found as [byte][char]${_} -bxor 0xdf)

Reversing it is a single-byte XOR over the array:

# Integers from the decoded payload
data = [186,141,228,182,177,171,229,236,239,239,239,228,181,182,171,229,234,239,239,228,185,179,190,184,229,151,139,157,164,235,177,239,171,183,236,141,128,187,235,134,128,158,177,176,139,183,154,173,128,175,151,238,140,183,162,228,170,173,179,229]

# XOR with key 0xdf
xor_key = 0xdf
flag = ''.join(chr(b ^ xor_key) for b in data)
print(flag)

The decoded text is not the bare flag but a ';'-separated key:value configuration string; the HTB{...} value sits in its flag: field.
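Steps 3 and 4 as one script, added here as an example that is not the writeup's own code. It also covers the xor_bruteforce route the page tags, for the case where the -bxor key is not in plain sight. The PowerShell fragment is constructed around the integer array quoted above, and its Base64 wrapper mimics what a macro passes to powershell -EncodedCommand (UTF-16LE); the function names (decode_powershell_b64, extract_int_array, extract_xor_key, xor_decode, bruteforce_xor, recover_flag) are this example's own.

```python
import base64
import re
import string

# Constructed sample: a PowerShell fragment in the shape the writeup describes,
# an integer array plus a per-character '-bxor 0xdf'. The integers are the ones
# quoted in the writeup; the PowerShell around them is made up for this example.
SAMPLE_PS = (
    "$d = @(186,141,228,182,177,171,229,236,239,239,239,228,181,182,171,229,"
    "234,239,239,228,185,179,190,184,229,151,139,157,164,235,177,239,171,183,"
    "236,141,128,187,235,134,128,158,177,176,139,183,154,173,128,175,151,238,"
    "140,183,162,228,170,173,179,229);\n"
    "$s = -join ($d | ForEach-Object { [char]([byte][char]${_} -bxor 0xdf) })\n"
)
# What a macro would embed: the script as powershell -EncodedCommand takes it
SAMPLE_B64 = base64.b64encode(SAMPLE_PS.encode("utf-16le")).decode()
# Constructed second sample: plain ASCII with non-ASCII junk mixed in
JUNK_B64 = base64.b64encode(b"abc\xc3\xa9def").decode()

INT_ARRAY = re.compile(r"\(\s*(\d{1,3}(?:\s*,\s*\d{1,3}){7,})\s*\)")
XOR_KEY = re.compile(r"-bxor\s+(0x[0-9a-fA-F]{1,2}|\d{1,3})")


def decode_powershell_b64(b64: str) -> str:
    """Base64-decode a PowerShell payload. -EncodedCommand payloads are UTF-16LE,
    visible as a NUL after every ASCII byte; otherwise fall back to stripping
    non-ASCII bytes, which is the writeup's approach."""
    raw = base64.b64decode(b64)
    if len(raw) >= 2 and raw[1:2] == b"\x00" and raw.count(b"\x00") > len(raw) // 4:
        return raw.decode("utf-16le", errors="replace")
    return re.sub(rb"[^\x00-\x7f]+", b"", raw).decode("ascii")


def extract_int_array(ps: str) -> list:
    """Return the longest parenthesised list of byte-sized integers."""
    runs = [m.group(1) for m in INT_ARRAY.finditer(ps)]
    if not runs:
        return []
    return [int(x) for x in re.split(r"\s*,\s*", max(runs, key=len))]


def extract_xor_key(ps: str):
    """Pull the literal operand of the first -bxor, hex or decimal."""
    m = XOR_KEY.search(ps)
    if not m:
        return None
    v = m.group(1)
    return int(v, 16) if v.lower().startswith("0x") else int(v)


def xor_decode(data: list, key: int) -> str:
    return "".join(chr(b ^ key) for b in data)


def bruteforce_xor(data: list, marker: str = "HTB{"):
    """Try all 256 single-byte keys; rank by printable ratio and prefer a hit on
    the flag marker. Returns (key, plaintext) for the best candidate."""
    if not data:
        return None, ""
    printable = set(string.printable) - set("\x0b\x0c")
    best = None
    for key in range(256):
        text = xor_decode(data, key)
        score = sum(c in printable for c in text) / len(text)
        if marker in text:
            score += 1.0
        if best is None or score > best[0]:
            best = (score, key, text)
    return best[1], best[2]


def recover_flag(b64: str) -> str:
    """Decode the macro's Base64, find the array and key, XOR, return HTB{...}."""
    ps = decode_powershell_b64(b64)
    data = extract_int_array(ps)
    key = extract_xor_key(ps)
    if key is None:
        key, _ = bruteforce_xor(data)
    text = xor_decode(data, key)
    m = re.search(r"HTB\{[^}]*\}", text)
    return m.group(0) if m else text


if __name__ == "__main__":
    print(recover_flag(SAMPLE_B64))
```

The brute force only needs the array: with the marker bonus the true key scores above every other candidate, and without a marker the printable-ratio ranking still puts the plausible keys at the top for a manual look.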

Solution

#!/usr/bin/env python3
"""
emo - HackTheBox Forensic Challenge Solution
WearRansom ransomware analysis - extracting flag from obfuscated PowerShell
"""

# Integers extracted from the deobfuscated PowerShell payload
data = [186,141,228,182,177,171,229,236,239,239,239,228,181,182,171,229,234,239,239,228,185,179,190,184,229,151,139,157,164,235,177,239,171,183,236,141,128,187,235,134,128,158,177,176,139,183,154,173,128,175,151,238,140,183,162,228,170,173,179,229]

# XOR key found in PowerShell: [byte][char]${_} -bxor 0xdf
xor_key = 0xdf

# Decode
flag = ''.join(chr(b ^ xor_key) for b in data)
print(f"Flag: {flag}")

Key Findings

  • Malware Type: WearRansom ransomware
  • Initial Access: Phishing email carrying a malicious macro-enabled Word document (.docm)
  • Attack Vector: VBA macro (Document_Open) launching obfuscated PowerShell
  • Obfuscation Techniques:
    • Base64 encoding of the PowerShell payload
    • Non-ASCII bytes mixed into the decoded payload (filtered out before analysis)
    • Single-byte XOR (key 0xdf) over the flag bytes, stored as an integer array

Key Indicators

This technique is useful when:

  • Analyzing phishing documents with macros
  • Examining .docm files for hidden payloads
  • Dealing with VBA macros that execute on document open
  • Finding Base64-encoded PowerShell in macro code
  • Identifying integer arrays that represent encrypted data
  • Looking for XOR operations in deobfuscated scripts

Tools Used

  • oletools (Philippe Lagadec): suite for analyzing OLE and Microsoft Office files
    • olevba: extract and analyze VBA macros (decompresses the stored VBA source)
  • oledump.py (Didier Stevens; a separate tool, not part of oletools): dump OLE streams, including the macro streams
  • Python3: for Base64 decoding and the XOR loop
  • CyberChef: for debugging and quick transformations
