
jjdeno99
24 days ago

Incident Response: Suspicious Email – Part 2 - Help Needed.

Hi,

I'm currently trying to complete this lab but I'm stuck on step 10. I have tried to use the different tools at hand but I'm struggling to extract the VBA and getting the binaries for it. Any help would be much appreciated.

Kind Regards,

jjdeno99

3 Replies

    • autom8on

      I think the numbers may have changed since they changed the GUI here (I first did the lab last year) - I think it used to be Q7. Anyway, my notes aren't the most amazing, but I did find the following screenshot, which I think is how I answered it... thanks to the joy of old person memory, I have little recollection of writing it or how it functions. 🤣

      Hope that's of some help... 

  • Hi there, I managed to solve that step by manually getting all the "DataDump" decimal numbers into one separate file, then proceeding to change the decimals to ASCII. With that you'll get a new file with partially readable text.
    I created a Python script to change the decimals to ASCII, but I suspect oletools has the capability for this as well; however, I'm unfamiliar with them so I just scripted something. Maybe there are further oletools labs which could provide the necessary background info.
    Before this I used olevba to extract the information of the binary file.
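The decimal-to-ASCII step described in the reply above, as an added example that is not the poster's script or part of the lab. It assumes the macro source has already been dumped to text with olevba and that the values sit as comma-separated decimals inside string literals on lines naming `DataDump`; the sample input and the function names are constructed for illustration.

```python
import re

# Constructed sample standing in for macro source dumped by olevba. Only the
# name "DataDump" comes from the thread; the layout and values are assumptions.
SAMPLE_VBA = '''\
Sub AutoOpen()
    DataDump = "0, 1, 144, 0, 3, 0, 72, 101, 108, 108, 111, 32, 102, 114, 111, 109, 32, "
    DataDump = DataDump & "116, 104, 101, 32, 108, 97, 98, 0, 255"
End Sub
'''

def extract_decimals(vba_source, marker="DataDump"):
    """Collect decimal byte values from string literals on lines naming marker."""
    values = []
    for line in vba_source.splitlines():
        if marker not in line:
            continue
        # Only digits inside quoted literals count, so line numbers or
        # numeric suffixes in identifiers are not mistaken for data.
        for literal in re.findall(r'"([^"]*)"', line):
            for token in re.findall(r"\d+", literal):
                value = int(token)
                if value > 255:
                    raise ValueError(f"{value} is not a byte; check the delimiter")
                values.append(value)
    return bytes(values)

def printable_strings(blob, min_len=4):
    """Return runs of printable ASCII, like the 'strings' utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]

if __name__ == "__main__":
    blob = extract_decimals(SAMPLE_VBA)
    print(f"{len(blob)} bytes decoded, starts with {blob[:8].hex()}")
    for s in printable_strings(blob):
        print(s)
```

Writing the returned bytes to a file in binary mode keeps the non-printable values intact for other tools, which a plain text conversion would lose.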