Forum Discussion
Incident Response: P2 - stuck on Q11
I successfully completed the previous question, but I’m currently encountering difficulties with Question 11: “What are the last 6 characters of the MD5 checksum of the malware executable?” I’ve identified and extracted the malware executable and the associated IOCs; however, none of the MD5 hashes I’ve generated appear to match the expected result.
Upon reviewing the instructions, I revisited the step: “Using a Python script or a manual deobfuscation method, get the binary from the VBA script.” I suspect this is where my process may be breaking down — specifically in extracting the correct binary from the VBA script.
Could one of the instructors kindly provide guidance or clarification on where I might be going wrong?
2 Replies
- CalumS
Bronze III
Hi kh_mikey,
I just tried this lab myself to see if I could help, and here’s what I found.
First, make sure you extract the full VBA macro code correctly using the command
olevba --decode salary_ranges.docm > full_macro.txt
This will give you the actual VBA script with all the Dump File subroutines containing the malware binary data as decimal byte strings.
Next, the key step is to extract all those decimal byte sequences from every Write Bytes call across all Dump File subs, in order, then convert them into a binary file. You can’t just copy hex or partial data; you need to collect and combine all the byte values exactly as they appear.
To do this reliably, use a simple Python script that scans your extracted macro, grabs all the decimal bytes, and writes them out as the final executable. Once you have that, calculate the MD5 hash of this exact file (using tools like md5sum) and then take the last 6 characters of that hash for your answer.
You can get a copy of the Python script I used if needed.
- kh_mikey
Bronze I
Thank you for your guidance. Unfortunately, I haven’t made any progress yet. My extraction (full_macro.txt) from the source file (salary_ranges.docm) does not yield a valid result for the md5sum.
The provided hint—“You must convert the decimal values in the VBA script used to answer the previous question to ASCII characters. This is easiest to do using a script.”—and the brief lack sufficient detail to clarify the expected approach. Since the .txt file isn’t an OLE object, I pivoted to analyzing the contents after unzipping the source. I identified suspicious behavior in vbaProject.bin using several tools (plugin_http_heuristics.py, vba.yara, and oledump.py).
Despite external research, I haven’t found a clear methodology for converting the decimal values to ASCII as described. Any additional direction or clarification would be greatly appreciated.
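The conversion step that both replies above describe (collect the decimal byte values from every Write Bytes call in every Dump File sub, in order, write them out as a binary, then hash it), as an added worked example. This is not code from the lab, from CalumS, or from kh_mikey. It assumes the macro is laid out as `Sub DumpFileN()` routines that call `WriteBytes` with a quoted, comma-separated decimal string; the macro text embedded below is constructed to show that shape and is not the content of salary_ranges.docm. Run it against the full_macro.txt produced by olevba to get the real file and its hash.

```python
"""Rebuild a binary that a VBA macro stores as decimal byte strings, then
report the MD5 (and its last 6 hex characters).

Assumptions (constructed example, not the lab's real macro):
  * the dropper is split into subs named DumpFile1, DumpFile2, ...
  * each sub calls  WriteBytes <handle>, "77,90,144,0,..."  one or more times
  * subs may appear in any order in the listing; the numeric suffix gives
    the true write order (AutoOpen calls them in sequence)
"""
import hashlib
import re
import sys

# Constructed sample macro: DumpFile2 is deliberately listed before DumpFile1
# so the ordering step is exercised. Bytes are the start of a fake MZ header.
SAMPLE_MACRO = r'''
Sub DumpFile2()
    WriteBytes fNum, "184,0,0,0,0,0,0,0"
End Sub

Sub DumpFile1()
    Dim fNum As Integer
    fNum = FreeFile
    Open "C:\Users\Public\update.exe" For Binary As #fNum
    WriteBytes fNum, "77,90,144,0,3,0,0,0"
    WriteBytes fNum, "4,0,0,0,255,255,0,0"
End Sub

Sub AutoOpen()
    DumpFile1
    DumpFile2
End Sub
'''

# One DumpFile* sub: name, optional numeric suffix, body up to End Sub.
SUB_BLOCK = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Sub\s+(DumpFile(\d*))\s*\(\)(.*?)^\s*End Sub',
    re.IGNORECASE | re.DOTALL | re.MULTILINE,
)
# One WriteBytes call: capture the quoted decimal list, whatever precedes it.
WRITE_CALL = re.compile(r'WriteBytes\b[^"\n]*"([0-9,\s]*)"', re.IGNORECASE)


def parse_decimals(text):
    """Turn '77,90,144' into b'MZ\\x90', rejecting anything outside 0..255."""
    out = bytearray()
    for tok in text.split(','):
        tok = tok.strip()
        if not tok:
            continue
        value = int(tok)  # raises ValueError on non-decimal junk
        if not 0 <= value <= 255:
            raise ValueError(f"byte value out of range: {value}")
        out.append(value)
    return bytes(out)


def extract_chunks(macro_text):
    """Return [(sub_name, payload_bytes)] for every DumpFile* sub, ordered by
    numeric suffix when every sub has one, otherwise by source order."""
    raw = []
    for idx, m in enumerate(SUB_BLOCK.finditer(macro_text)):
        name, suffix, body = m.group(1), m.group(2), m.group(3)
        payload = b"".join(parse_decimals(c.group(1))
                           for c in WRITE_CALL.finditer(body))
        raw.append((idx, suffix, name, payload))
    if raw and all(r[1] for r in raw):
        raw.sort(key=lambda r: int(r[1]))
    return [(name, payload) for _, _, name, payload in raw]


def rebuild_from_macro(macro_text):
    """Concatenate every chunk into the dropped file's bytes."""
    data = b"".join(payload for _, payload in extract_chunks(macro_text))
    if not data.startswith(b"MZ"):
        # A dropped "executable" without an MZ header usually means a
        # WriteBytes call or a whole sub was missed by the regexes.
        print("warning: rebuilt data does not start with MZ", file=sys.stderr)
    return data


def md5_tail(data, n=6):
    """Last n hex characters of the MD5 digest, the form the question asks for."""
    return hashlib.md5(data).hexdigest()[-n:]


def main(argv):
    if len(argv) > 1:
        # usage: python rebuild.py full_macro.txt [dropped.bin]
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        out_path = argv[2] if len(argv) > 2 else "dropped.bin"
    else:
        text, out_path = SAMPLE_MACRO, None
    data = rebuild_from_macro(text)
    if out_path:
        with open(out_path, "wb") as fh:
            fh.write(data)
    for name, payload in extract_chunks(text):
        print(f"{name}: {len(payload)} bytes")
    print(f"total {len(data)} bytes, md5={hashlib.md5(data).hexdigest()}, "
          f"last6={md5_tail(data)}")


if __name__ == "__main__":
    main(sys.argv)
```

If your listing uses different routine or call names, adjust the two regexes; the check that matters is that the rebuilt file starts with MZ and that the per-sub byte counts add up to the whole dropper, since a single missed Write Bytes call changes the MD5 completely.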