oBfsC4t10n2
hackthebox
Task: analyze a malicious .xls file with obfuscated Excel 4.0 (XLM) macros on a very hidden sheet. Solution: use olevba and XLMMacroDeobfuscator to trace execution flow, then extract scattered flag characters from cells referenced by CONCATENATE formulas using xlrd2, combining three parts from the ShellExecuteA payload argument.
oBfsC4t10n2 — HackTheBox
Description
The challenge provides a password-protected ZIP (password: hackthebox) containing oBfsC4t10n2.xls, a Composite Document File V2 (OLE-format Excel workbook). The document uses Excel 4.0 (XLM) macros, a legacy macro format that predates VBA, with heavy obfuscation and anti-analysis techniques. The author metadata shows 0xdf.
Analysis
Step 1: Initial Recon
file oBfsC4t10n2.xls
# oBfsC4t10n2.xls: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0,
# Code page: 1252, Author: 0xdf
The file is an OLE-format Excel workbook (.xls), not the modern OOXML format (.xlsx/.xlsm). This matters for tooling: in the binary format the macro sheets are BOUNDSHEET records inside the Workbook stream, which is what olevba and XLMMacroDeobfuscator parse below. (OOXML .xlsm files can also carry XLM macro sheets, under xl/macrosheets/, so a VBA-only scan is not enough for either format.)
Step 2: Identify Excel 4.0 (XLM) Macros
Using olevba to scan for macros:
olevba oBfsC4t10n2.xls
Key findings from olevba output:
- No VBA macros: this is NOT a VBA document
- BOUNDSHEET: Excel 4.0 macro sheet, very hidden - c1zB0vasN: a macro sheet hidden at the deepest level (the xlVeryHidden state, which cannot be undone via right-click "Unhide"; it needs the VBA editor or an edit of the BOUNDSHEET record)
- BOUNDSHEET: worksheet or dialog sheet, visible - invoic: the visible decoy sheet
- Auto_Open defined name pointing to invoic!N545: the execution entry point
- Named ranges: agawf23f, KsshpqC4Mo, Lsl23Us7a, rstegerg3, all pointing to various cells in the hidden sheet
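The BOUNDSHEET records olevba is reporting above are simple enough to parse directly, which is useful when you want the sheet table from a script rather than from a tool's text output. The following is an added example, not code from the writeup or from olevba: it walks the BIFF8 record stream, decodes each BoundSheet8 record's hidden state and sheet type, and flags any macro sheet that is not visible. The workbook stream is constructed inline (sheet names mirror the findings above; stream offsets are made up); pulling the stream from a real file with olefile is assumed and shown but not run on the sample.

```python
import struct
from typing import Iterator, List, NamedTuple, Tuple

# BIFF8 record ids (MS-XLS). BoundSheet8 records live in the workbook-globals
# substream and describe every sheet, including ones Excel never shows.
REC_BOF = 0x0809
REC_BOUNDSHEET = 0x0085
REC_EOF = 0x000A

HS_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0x00: "worksheet or dialog sheet", 0x01: "Excel 4.0 macro sheet",
              0x02: "chart", 0x06: "VB module"}


class BoundSheet(NamedTuple):
    name: str
    stream_offset: int   # lbPlyPos: where the sheet's own BOF starts in the stream
    state: str           # hsState: visible / hidden / very hidden
    kind: str            # dt: worksheet, macro sheet, chart, VB module


def iter_records(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk BIFF records: 2-byte id, 2-byte length, then the body.
    Stops at the first EOF, which closes the globals substream."""
    pos = 0
    while pos + 4 <= len(stream):
        rec_id, rec_len = struct.unpack_from("<HH", stream, pos)
        body = stream[pos + 4:pos + 4 + rec_len]
        pos += 4 + rec_len
        yield rec_id, body
        if rec_id == REC_EOF:
            break


def parse_boundsheet(body: bytes) -> BoundSheet:
    """BoundSheet8 body: lbPlyPos(4) grbit(2) cch(1) flags(1) name(cch or 2*cch bytes).
    grbit: bits 0-1 = hsState, bits 8-15 = dt (sheet type)."""
    offset, grbit, cch, flags = struct.unpack_from("<IHBB", body, 0)
    hs_state = grbit & 0x03
    dt = (grbit >> 8) & 0xFF
    raw = body[8:]
    if flags & 0x01:                      # fHighByte set: name is UTF-16LE
        name = raw[:cch * 2].decode("utf-16-le", "replace")
    else:                                 # otherwise one byte per character
        name = raw[:cch].decode("latin-1")
    return BoundSheet(name, offset,
                      HS_STATE.get(hs_state, f"unknown({hs_state})"),
                      SHEET_TYPE.get(dt, f"unknown({dt:#04x})"))


def list_sheets(stream: bytes) -> List[BoundSheet]:
    return [parse_boundsheet(body) for rec_id, body in iter_records(stream)
            if rec_id == REC_BOUNDSHEET]


def hidden_macro_sheets(stream: bytes) -> List[BoundSheet]:
    """Triage rule: any Excel 4.0 macro sheet that is hidden or very hidden."""
    return [s for s in list_sheets(stream)
            if s.kind == "Excel 4.0 macro sheet" and s.state != "visible"]


# --- constructed sample stream (not the challenge file) ----------------------
def _boundsheet_record(name: str, offset: int, hs_state: int, dt: int) -> bytes:
    encoded = name.encode("latin-1")
    body = struct.pack("<IHBB", offset, (dt << 8) | hs_state, len(encoded), 0) + encoded
    return struct.pack("<HH", REC_BOUNDSHEET, len(body)) + body


SAMPLE_STREAM = (
    # BOF of the globals substream: vers=BIFF8 (0x0600), dt=workbook globals (0x0005)
    struct.pack("<HH", REC_BOF, 16) + struct.pack("<HHHHII", 0x0600, 0x0005, 0, 0, 0, 0)
    + _boundsheet_record("invoic", 0x1000, 0, 0x00)      # visible decoy worksheet
    + _boundsheet_record("c1zB0vasN", 0x2000, 2, 0x01)   # very hidden macro sheet
    + struct.pack("<HH", REC_EOF, 0)
)


def workbook_stream(path: str) -> bytes:
    """Pull the 'Workbook' stream from a real OLE file with olefile (assumed
    installed; not exercised by the sample above). BIFF5 files name it 'Book'."""
    import olefile
    ole = olefile.OleFileIO(path)
    try:
        return ole.openstream("Workbook").read()
    finally:
        ole.close()


if __name__ == "__main__":
    for s in list_sheets(SAMPLE_STREAM):
        print(f"{s.kind:28} {s.state:12} {s.name}")
```

The stream_offset is the one extra fact a triage script gets over the olevba summary: it is where the hidden sheet's own BOF (and, a few records later, its FORMULA records) begin, so you can seek there directly when the globals substream is followed by a large decoy sheet.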
Step 3: XLM Macro Deobfuscation
Installed and ran XLMMacroDeobfuscator to emulate the XLM macros:
pip3 install xlmmacrodeobfuscator
xlmdeobfuscator --file oBfsC4t10n2.xls
The deobfuscated execution flow reveals a sophisticated multi-stage payload:
...
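The gather step from the summary, resolving CONCATENATE chains down to the scattered cells they pull from, is shown here as an added example that is not the writeup's script. It evaluates just the subset of XLM needed for this (CONCATENATE, CHAR, the & operator, quoted string literals, sheet-qualified A1 references and defined names) over an in-memory cell map, with a cycle guard so a self-referencing decoy cannot hang the script. The cell map, its addresses, and the mapping of the page's defined names onto those cells are constructed for the example, and the resolved string is a placeholder, not the challenge's payload. With xlrd2 the same map can be filled from the real file using open_workbook(path), sheets() and cell_value(row, col), entering the formula cells that xlmdeobfuscator listed as "=..." strings.

```python
import re
from typing import Dict, List, Tuple

CellKey = Tuple[str, str]   # (sheet name, A1-style address)

# 'Sheet name'!A1, Sheet!A1, $A$1 or A1
REF_RE = re.compile(r"^(?:(?:'([^']+)'|([A-Za-z0-9_]+))!)?\$?([A-Za-z]{1,3})\$?(\d+)$")
FUNC_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_.]*)\((.*)\)$", re.S)


def split_top(expr: str, sep: str) -> List[str]:
    """Split on `sep` only at paren depth 0 and outside double-quoted strings."""
    parts, cur, depth, in_str = [], [], 0, False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == sep and depth == 0:
                parts.append("".join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


class XlmResolver:
    """Resolves the string-building subset of XLM used to scatter a payload across cells."""

    def __init__(self, cells: Dict[CellKey, object], names: Dict[str, CellKey]):
        self.cells = cells
        self.names = names          # defined name -> cell it points at
        self._stack: List[CellKey] = []   # cells currently being evaluated

    def cell(self, sheet: str, addr: str) -> str:
        key = (sheet, addr.upper())
        if key in self._stack:
            raise ValueError(f"circular reference through {sheet}!{addr}")
        raw = self.cells.get(key, "")
        if isinstance(raw, str) and raw.startswith("="):
            self._stack.append(key)
            try:
                return self.evaluate(raw[1:], sheet)
            finally:
                self._stack.pop()
        if isinstance(raw, float) and raw.is_integer():   # xlrd returns numbers as floats
            return str(int(raw))
        return str(raw)

    def evaluate(self, expr: str, sheet: str) -> str:
        expr = expr.strip()
        if not expr:
            return ""
        parts = split_top(expr, "&")                       # A1&"x"&B2
        if len(parts) > 1:
            return "".join(self.evaluate(p, sheet) for p in parts)
        if len(expr) >= 2 and expr[0] == '"' and expr[-1] == '"':
            return expr[1:-1].replace('""', '"')          # "" is an escaped quote
        m = FUNC_RE.match(expr)
        if m:
            fn, args = m.group(1).upper(), split_top(m.group(2), ",")
            if fn == "CONCATENATE":
                return "".join(self.evaluate(a, sheet) for a in args)
            if fn == "CHAR":
                return chr(int(self.evaluate(args[0], sheet)))
            raise ValueError(f"unsupported function {fn}() in {expr!r}")
        if expr in self.names:
            return self.cell(*self.names[expr])
        r = REF_RE.match(expr)
        if r:
            target_sheet = r.group(1) or r.group(2) or sheet
            return self.cell(target_sheet, r.group(3).upper() + r.group(4))
        raise ValueError(f"cannot resolve {expr!r}")


def reassemble(cells: Dict[CellKey, object], names: Dict[str, CellKey],
               sheet: str, addr: str) -> str:
    return XlmResolver(cells, names).cell(sheet, addr)


# --- constructed sample (addresses, values and name targets are made up) -------
HIDDEN = "c1zB0vasN"
SAMPLE_CELLS: Dict[CellKey, object] = {
    (HIDDEN, "B17"): "c", (HIDDEN, "F3"): "m", (HIDDEN, "Q41"): "d",   # scattered chars
    (HIDDEN, "A9"): "=CONCATENATE(B17,F3,Q41)",                         # part 1
    (HIDDEN, "C22"): 32,                                                # ASCII space
    (HIDDEN, "D5"): '=CONCATENATE(CHAR(C22),"/c",CHAR(C22))',           # part 2
    ("invoic", "N545"): "calc",
    (HIDDEN, "H8"): "='invoic'!N545&\".exe\"",                          # part 3
    (HIDDEN, "Z1"): "=CONCATENATE(KsshpqC4Mo,Lsl23Us7a,rstegerg3)",     # payload argument
}
SAMPLE_NAMES = {"KsshpqC4Mo": (HIDDEN, "A9"), "Lsl23Us7a": (HIDDEN, "D5"),
                "rstegerg3": (HIDDEN, "H8")}

if __name__ == "__main__":
    print(reassemble(SAMPLE_CELLS, SAMPLE_NAMES, HIDDEN, "Z1"))
```

Resolving from the final CONCATENATE cell outward, rather than dumping every cell in the hidden sheet, is what separates the real payload characters from the junk the obfuscator scatters around them; any cell not reachable from that formula can be ignored.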