forensics, free, medium

oBfsC4t10n2

hackthebox

Task: analyze a malicious .xls file with obfuscated Excel 4.0 (XLM) macros on a very hidden sheet. Solution: use olevba and XLMMacroDeobfuscator to trace execution flow, then extract scattered flag characters from cells referenced by CONCATENATE formulas using xlrd2, combining three parts from the ShellExecuteA payload argument.

Tags and techniques: xlm_macro_emulation, olevba_analysis, xlm_deobfuscation, cell_value_extraction, scattered_data_reconstruction, very_hidden_sheet_detection


oBfsC4t10n2 — HackTheBox

Description

The challenge provides a password-protected ZIP (hackthebox) containing oBfsC4t10n2.xls — a Composite Document File V2 (OLE format Excel file). The document uses Excel 4.0 (XLM) macros — a legacy macro format predating VBA — with heavy obfuscation and anti-analysis techniques. Author metadata shows 0xdf.

Analysis

Step 1: Initial Recon

file oBfsC4t10n2.xls
# Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0,
# Code page: 1252, Author: 0xdf

The file is an OLE-format Excel workbook (.xls), not the modern OOXML format (.xlsx/.xlsm). This is significant because Excel 4.0 macros can only exist in the old binary format.

Step 2: Identify Excel 4.0 (XLM) Macros

Using olevba to scan for macros:

olevba oBfsC4t10n2.xls

Key findings from olevba output:

  • No VBA macros — this is NOT a VBA document
  • BOUNDSHEET: Excel 4.0 macro sheet, very hidden - c1zB0vasN — a macro sheet hidden at the deepest level (not visible even via right-click "Unhide")
  • BOUNDSHEET: worksheet or dialog sheet, visible - invoic — the visible decoy sheet
  • Auto_Open defined name pointing to invoic!N545 — execution entry point
  • Named ranges: agawf23f, KsshpqC4Mo, Lsl23Us7a, rstegerg3 — all pointing to various cells in the hidden sheet

Step 3: XLM Macro Deobfuscation

Installed and ran XLMMacroDeobfuscator to emulate the XLM macros:

pip3 install xlmmacrodeobfuscator
xlmdeobfuscator --file oBfsC4t10n2.xls

The deobfuscated execution flow reveals a sophisticated multi-stage payload:

...
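The summary above describes recovering the flag from cells that CONCATENATE formulas reference across the hidden sheet. The following is an added example, not part of the original writeup: a small resolver that parses such formulas (nested calls, string literals and cross-sheet references) and looks each reference up in a cell map. The sheet names c1zB0vasN and invoic come from the writeup; the cell addresses, values and formulas are constructed stand-ins for what xlrd2 would read from the workbook.

```python
import re

# Constructed cell map standing in for what xlrd2 reads from the workbook. The
# sheet names come from the writeup; addresses, values and formulas are made up.
CELLS = {
    "c1zB0vasN": {"B3": "H", "K12": "T", "C7": "B", "Z2": "{", "D9": "x", "E1": "}"},
    "invoic": {"N545": "=CONCATENATE(c1zB0vasN!B3, c1zB0vasN!K12, c1zB0vasN!C7)"},
}

CONCAT_RE = re.compile(r"^=?\s*CONCATENATE\s*\((.*)\)\s*$", re.I | re.S)
REF_RE = re.compile(r"^(?:(?P<sheet>\w+)!)?\$?(?P<col>[A-Z]{1,3})\$?(?P<row>\d+)$")

def split_args(body):
    """Split an argument list on top-level commas, ignoring commas in quotes or parentheses."""
    args, cur, depth, quoted = [], [], 0, False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        elif not quoted:
            depth += (ch == "(") - (ch == ")")
            if ch == "," and depth == 0:
                args.append("".join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    args.append("".join(cur).strip())
    return args

def resolve(formula, cells, default_sheet):
    """Evaluate a CONCATENATE formula by substituting the cell values it references."""
    m = CONCAT_RE.match(formula)
    if not m:
        raise ValueError(f"not a CONCATENATE formula: {formula!r}")
    out = []
    for arg in split_args(m.group(1)):
        if CONCAT_RE.match(arg):                          # nested CONCATENATE(...)
            out.append(resolve(arg, cells, default_sheet))
        elif arg.startswith('"') and arg.endswith('"'):  # string literal, "" escapes a quote
            out.append(arg[1:-1].replace('""', '"'))
        else:
            ref = REF_RE.match(arg)
            if not ref:
                raise ValueError(f"unsupported argument: {arg!r}")
            sheet = ref.group("sheet") or default_sheet
            value = str(cells[sheet][ref.group("col") + ref.group("row")])
            # a referenced cell may itself hold a formula: follow it
            out.append(resolve(value, cells, sheet) if value.startswith("=") else value)
    return "".join(out)
```

Resolving each of the formulas that build the ShellExecuteA argument and joining the results in order gives the reassembled string; with real data, replace CELLS with values read via xlrd2.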
