Forum Discussion

Bronze I

3 months ago

Incident Response: P2 - stuck on Q11

I successfully completed the previous question, but I’m currently encountering difficulties with Question 11: “What are the last 6 characters of the MD5 checksum of the malware executable?” I’ve iden...

questions & feedback

kh_mikey

Bronze I

3 months ago

Thank you for your guidance. Unfortunately, I haven’t made any progress yet. My extraction (full_macro.txt) from the source file (salary_ranges.docm) does not yield a valid result for the md5sum.

The provided hint—“You must convert the decimal values in the VBA script used to answer the previous question to ASCII characters. This is easiest to do using a script.”—and the brief lack sufficient detail to clarify the expected approach. Since the .txt file isn’t an OLE object, I pivoted to analyzing the contents after unzipping the source. I identified suspicious behavior in vbaProject.bin using several tools (plugin_http_heuristics.py, vba.yara, and oledump.py).

Despite external research, I haven’t found a clear methodology for converting the decimal values to ASCII as described. Any additional direction or clarification would be greatly appreciated.

SamDickison

Community Manager

7 days ago

Hey kh_mikey did you managed to get further with this? I can get more help if you need.

Forum Discussion

Incident Response: P2 - stuck on Q11

Featured Places

Help & Support Forum

Related Content

Incident Response: Suspicious Email – Part 3

Incident Response: Suspicious Email – Part 2 -Help Needed.

Incident Response and Forensics for EC2: Preparation

Incident Response: Suspicious Email – Part 2

PowerShell Deobfuscation: Ep.8 - Stuck Halfway

Recent Discussions

World Cup Special - Immersive Squad

CVE-2022-26134 (Confluence) – OGNL Injection

Terrapoint (Hats off, Immersive Labs)

Packet Analysis: Demonstrate your skills

ICS Malware: Triton ModuleNotFoundError: No module named 'pefile