We are given a rather interesting document with macros for this challenges. The document is addressed to David Bowie, requests feedback on an upcoming movie title, and includes a ‘standard’ movie contract.

Figure 1 Fake David Bowies Feedback and Contract Document with Macros

The first step we took was to run the document through one of our favorite tools by decalge, olevba. It looks like the author tried to obfuscate the code a little and make it ugly.

Figure 2 Olevba output

We can clean the output up in a text editor to make it a little easier to understand. We rename functions and compute constants to get the output below. We can see that there is a message box asking about the movie title that is later used in a registry key. After that a long string is concatenated together and written to C:\Users\DAVIDB~1\AppData\Local\Temp\rise.txt. Finally, another long string is concatenated together, decoded and injected as shellcode.

Figure 3 Deobfuscated Macro

Now that we understand a little more about what is going on we can try to figure out what is happening on the next step. We can launch word and then attach windbg to it. Next we set breakpoints on the APIs that are called at the end of the script. Then we find the correct section with read write execute permissions and we dump that to a file. We can set a breakpoint at the start of the shellcode and debug it from there. The shellcode is decoding part of it so we can just continue the programs execution, break when it terminates, and then dump the decoded shellcode.

Figure 4 Windbg Dumping Shellcode

The decoded powershell has an encoded powershell command that is executed. We can decode the encoded powershell command using powershell. The decoded powershell has a check for the computername matching BOWIEPC in order to properly decode the darkcrystal powershell scripti and ziggy vbs script.

Figure 6 Decoded Powershell Script

We can change the computer name or take out the check and execute the powershell commands to properly decode the next scripts.

Figure 7 Running the Powershell commands without the check

The next step is to execute darkcrystal.ps1. We can clean up the script using Visual Studio Code to make it easier to read. We can see that the computers domain name is queried using WMI on the second line and storied in the $bowielyric variable.

Figure 8 Cleaned up beginning of darkcrystal.ps1

We can then use the Powershell ISE debugger to figure out that we need the second letter of the domain to be a “T”, the fourth letter “R”, and the sixth letter “U”. We can brute force these four values using the characters [A-Z0-9]. This sets up $z to equal 8, $i to equal 4, $g to equal 2, and $y to equal 1. This way the $bowiesong string is built correctly from $s after it is passed to the jareth function that converts it to a string, which then is used to create the $bowiealbum string. The $bowieablum string is executed and it creates an EnvironmentVariable and clears the Powershell event log.

Figure 9 Powershell ISE Debugger showing correct setup yielding the correct output

The next step is the ziggy.vbs visual basic script. We can use Visual Studio Code to clean it up and the Microsoft Script Debugger to debug it. The first part checks the Software Registry to see certain entries are in there and will set the wrong offset into the original document if they are found. The original document also needs to be on the Y drive root.

The next part the date needs to be within 30 seconds of when the “HKEY_CURRENT_USER\Volatile Environment\MOVDATA” key was set, so that the registry key is not passed in reverse to the next function. We needed to select to not name the movie Mars Spider in the macro and the date needed to be 3/24/2017.

After we pass these checks the correct offset in Y:\MarsSpider_Contract.doc is read and decoded into a hidden batch file Y:\594f54.bat. The batch script is then executed with itself as the argument.

Figure 10 Cleaned up visual basic script

The batch script checks if it is running on the Y drive, the username, the batch script as an argument, and the file size and filename of the batch script. We can clean the code up to remove the checks and then also see that we need the correct HWID set from the earlier Powershell script. We can then execute the script to print the final key.

Figure 11 Cleaned up batch script to print final key

Figure 12 Final key output