When we open the document in MS Office 2010, we are greeted with this prompt.
After clicking the “Enable Macros” button, we are greeted with the following screen. In the center of the screen is an icon representing an embedded object.
After double-clicking the icon, another document appeared, which again prompted us to enable macros.
To investigate further, we used Alt+F11 to enter the Visual Basic Editor. We are greeted with what looks like an obfuscated macro.
The next step was to debug the macro to figure out what it does. However, when we click the “Run” button, we are greeted with the following prompt. We could not debug the macro dynamically.
Let us investigate the macro statically.
The macro is mainly made up of two functions, jlETByoSKP and dLMNiMbhMkYVvgR.
jlETByoSKP is referenced by dLMNiMbhMkYVvgR, but dLMNiMbhMkYVvgR is not referenced anywhere in the code.
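The reference check above can be automated over exported macro source. The following Python sketch is an added example, not part of the original write-up: only the two procedure names come from the sample, the macro bodies are constructed, and `strip_noise`, `call_graph` and `unreferenced` are hypothetical helper names.

```python
import re

# Constructed sample: only the two procedure names come from the write-up.
SAMPLE_VBA = '''
Function jlETByoSKP(ByVal s As String) As String
    ' "dLMNiMbhMkYVvgR" appears here only inside a comment
    jlETByoSKP = StrReverse(s)
End Function

Sub dLMNiMbhMkYVvgR()
    v = jlETByoSKP("elpmas")  ' the only real call site
    v = "dLMNiMbhMkYVvgR"     ' own name inside a string literal
End Sub
'''

DEF_RE = re.compile(r'^\s*(?:(?:Public|Private|Friend)\s+)?(?:Static\s+)?(?:Sub|Function)\s+(\w+)', re.I)
END_RE = re.compile(r'^\s*End\s+(?:Sub|Function)\b', re.I)

def strip_noise(line):
    """Blank out string literals, then drop the trailing ' comment."""
    return re.sub(r'"(?:[^"]|"")*"', '""', line).split("'", 1)[0]

def call_graph(source):
    """Map each procedure to the other procedures its body mentions."""
    bodies, current = {}, None
    for raw in source.splitlines():
        line = strip_noise(raw)
        m = DEF_RE.match(line)
        if m:
            current = m.group(1)
            bodies[current] = []
        elif END_RE.match(line):
            current = None
        elif current:
            bodies[current].append(line)
    graph = {}
    for name, lines in bodies.items():
        # VBA is case-insensitive; a Function's own name is its return assignment.
        words = {w.lower() for w in re.findall(r'\w+', "\n".join(lines))}
        graph[name] = {o for o in bodies if o != name and o.lower() in words}
    return graph

def unreferenced(graph):
    """Procedures no other procedure calls: entry points or dead code."""
    called = set().union(*graph.values())
    return sorted(n for n in graph if n not in called)

if __name__ == "__main__":
    print("never referenced:", unreferenced(call_graph(SAMPLE_VBA)))
```

A procedure reported as never referenced is either dead code or the routine the author expected to be started some other way, which makes it the natural place to begin stepping.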
Next, we add code that references dLMNiMbhMkYVvgR.
After doing that we could now step into the code.
We could now mouse over the variables to check their values while debugging the macro.
As we mouse over the variables, we notice a value that looks like the flag.
To display the flag completely, we add code that displays the value of the flag.
Stepping through the code, we could display the complete flag in a message box.