I began by unzipping pkg.zip and opening one of the files at random. I picked lab_7_file.doc. Upon opening the file with MS Word, I noticed the document included macros. I opened the developer view within Word hoping to statically analyze the included macros. Unfortunately, I found rather obfuscated source code (pictured below) which would make static analysis a pain.

Instead of attempting to deobfuscate the code, I simply ran the macro with a few system monitoring tools running, hoping to catch it doing something. After enabling macros, I saw a cmd prompt print what looked like the same thing over and over. The cmd prompt then closed. I opened another file at random, lab_160_file.doc. It seemed to have the same content within the document, and I again went to investigate the macros included. Again, I discovered obfuscated source code (pictured below).

I then compared the first document’s macro code to the second document’s. Both sets of source code seemed similarly shaped. Although things like variable and function names changed between the two, the overall logic and lines of the two sources seemed almost identical. I started to think these files were created with some sort of script or automated tool, which makes sense given the number of files included in the challenge zip. I then ran the file and saw the same cmd prompt behavior. It seemed like the cmd prompt had ASCII art of the apt-moo cow saying “nothing here friend”. It began to seem like an automated process obscured and inserted the macro code into these documents. I then turned to a modified version of oledump and extracted the macros from each document as text. Using the following bash loop, I then counted how many lines of code each document contained.

for EACH in pkg/*; do LINES=$(python oledump_modified.py -m "${EACH}" | wc -l); echo "${LINES} ${EACH##*/}"; done | sort -k1 -nr

73 lab_1003_file.doc
73 lab_1002_file.doc
73 lab_1001_file.doc
73 lab_1000_file.doc
61 lab_87_file.doc
61 lab_423_file.doc
61 lab_1307_file.doc
60 lab_911_file.doc
60 lab_777_file.doc
60 lab_333_file.doc
60 lab_321_file.doc
59 lab_899_file.doc
59 lab_70_file.doc
59 lab_505_file.doc
59 lab_482_file.doc
59 lab_317_file.doc
59 lab_262_file.doc
59 lab_1249_file.doc
59 lab_123_file.doc
59 lab_1122_file.doc
58 lab_637_file.doc

Since the automated tool wasn’t adding unnecessary (junk) code to the macros, the macros which print the apt-moo cow all have 73 lines. This process identified which 17 files out of the 1300 we are interested in. I then opened lab_87_file.doc and looked at its macros’ source code. It was still obfuscated in a similar way as the first two I opened, but it was smaller and different (pictured below).
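The shape comparison described above (same logic, different variable and function names) can be automated rather than eyeballed. The following Python is an added example and not part of the original writeup or the author's modified oledump: it tokenizes extracted VBA source, collapses identifiers, string literals and numbers to placeholders while keeping a hand-picked set of VBA keywords, and hashes the result, so documents generated from the same macro template land in the same bucket regardless of renaming. The three macros in SAMPLE_MACROS are constructed stand-ins for oledump output, not the challenge files.

```python
import hashlib
import re
from collections import defaultdict

# Hand-picked subset of VBA keywords kept verbatim so the fingerprint still
# reflects control flow and the calls being made. Not an exhaustive grammar.
VBA_KEYWORDS = {
    "sub", "function", "end", "dim", "as", "set", "if", "then", "else", "elseif",
    "for", "next", "to", "step", "do", "loop", "while", "wend", "public", "private",
    "call", "with", "chr", "mid", "len", "array", "createobject", "object", "variant",
    "integer", "string", "byte", "long", "auto_open", "document_open", "run",
}

# Order matters: string literal, then number, then identifier, then any other symbol.
TOKEN_RE = re.compile(r'"[^"]*"|\d+|[A-Za-z_][A-Za-z0-9_]*|\S')


def normalize_vba(src):
    """Tokenize VBA source and abstract away everything an obfuscator would randomize."""
    out = []
    for line in src.splitlines():
        line = line.split("'", 1)[0]  # drop VBA comments (naive: ignores quotes inside strings)
        for tok in TOKEN_RE.findall(line):
            low = tok.lower()
            if tok.startswith('"'):
                out.append("STR")          # string literal content varies per sample
            elif tok.isdigit():
                out.append("NUM")          # encoded-byte arrays differ per sample
            elif low in VBA_KEYWORDS:
                out.append(low)            # keywords carry the structure we want
            elif re.match(r"[A-Za-z_]", tok):
                out.append("ID")           # variable/function names are randomized
            else:
                out.append(tok)            # operators and punctuation
        out.append("\n")                   # keep line boundaries so line count is part of the shape
    return out


def fingerprint(src):
    """Short, stable hash of the normalized token stream."""
    return hashlib.sha256(" ".join(normalize_vba(src)).encode()).hexdigest()[:16]


def cluster(macros):
    """macros: dict of document name -> extracted VBA. Returns fingerprint -> sorted names."""
    groups = defaultdict(list)
    for name, src in macros.items():
        groups[fingerprint(src)].append(name)
    return {fp: sorted(names) for fp, names in groups.items()}


# Constructed samples: the first two share a template with renamed identifiers and
# different byte arrays; the third has a different shape.
SAMPLE_MACROS = {
    "lab_1_file.doc": """
Public Function qzpl()
    Dim a As Variant
    a = Array(104, 101, 108)
    Dim Obj As Object
    Set Obj = CreateObject("WScript.Shell")
    Obj.Run xk(a, 3), 1
End Function
""",
    "lab_2_file.doc": """
Public Function bwtrn()
    Dim zz As Variant
    zz = Array(119, 111, 114)
    Dim Sh As Object
    Set Sh = CreateObject("WScript.Shell")
    Sh.Run dj(zz, 5), 1
End Function
""",
    "lab_3_file.doc": """
Public Function rrtq()
    Dim c As Variant
    c = Array(1, 2)
    Dim q As String
    q = "x" + "y"
    Dim Obj As Object
    Set Obj = CreateObject("WScript.Shell")
    Obj.Run q, 1
End Function
""",
}

if __name__ == "__main__":
    for fp, names in cluster(SAMPLE_MACROS).items():
        print(fp, len(names), names)
```

On the real set, the large bucket is the decoy template and the small buckets are the ones worth opening; unlike raw line counts, this still separates templates that happen to have the same length.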

I enabled the macros and ran them. I again saw a cmd prompt, but what was printed over and over was different. It looked like a couple of characters of ASCII and the letters gsrt. I decided to dig into the macro code of this file and try to determine what it was doing, in hopes that I could determine what was being printed in the cmd prompts. I was also hoping the obfuscation script used to build these macros did so in a consistent way across files. Within the code, two functions exist: one which is referenced a few times and takes a Variant and an Int as arguments, and another which takes no arguments, concatenates some arrays (which look like they could represent strings), and calls Object.Run. The former is some sort of decoding function.

Setting breakpoints and disabling the code which runs when the document opens allowed me to determine what is being decoded in each macro (pictured below).

It seems to be PowerShell commands. I eventually rewrote the decoding function from Visual Basic into Python. This made getting to the PowerShell each macro executes as simple as copying and pasting a few VB arrays into Python lists. Once you have each PowerShell script, ordering them and reading what they print is pretty straightforward. Below is an example of one of the PowerShell scripts decoded:

Public Function [rdm::15]gowaldo()
    [rdm::8]psA = "powershell -win normal -ep bypass -enc "
    [rdm::8]psF = psA + psB + psC + psD
    [rdm::8]pos = "SEVENTEEN"
    Dim Obj As Object
    Set Obj = CreateObject("WScript.Shell")
    Obj.Run psF, 1
End Function
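The psA prefix above shows the macros launch PowerShell with -enc, which takes the script base64-encoded as UTF-16LE. The following Python is an added example and not the author's decoder: given a reconstructed command line it finds the -EncodedCommand flag (accepting the common abbreviations -e, -ec and -enc), decodes the payload back to readable text, and records whether the execution policy was bypassed and whether the window was hidden. SAMPLE_SCRIPT and SAMPLE_CMDLINE are constructed inputs, and encode_command exists only to build them.

```python
import base64
import re

# Abbreviations of -EncodedCommand that powershell.exe accepts on the command line.
ENC_FLAG_RE = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.IGNORECASE)
# Common spellings of -ExecutionPolicy and -WindowStyle.
EP_FLAGS = {"-ep", "-exec", "-executionpolicy"}
WIN_FLAGS = {"-w", "-win", "-windowstyle"}


def encode_command(script):
    """UTF-16LE + base64, the encoding -enc expects (used here only to build sample input)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the plaintext script carried after an -enc style flag, or None if there is none."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENC_FLAG_RE.match(tok):
            blob = tokens[i + 1]
            blob += "=" * (-len(blob) % 4)  # tolerate padding stripped by a copy/paste
            try:
                return base64.b64decode(blob).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def _value_after(tokens, flags):
    """Lower-cased value following the first token found in `flags`, if any."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in flags:
            return tokens[i + 1]
    return None


def triage(cmdline):
    """Summarize a PowerShell launch line: decoded script plus the launch options an analyst cares about."""
    tokens = [t.lower() for t in cmdline.split()]
    return {
        "script": decode_encoded_command(cmdline),
        "ep_bypass": _value_after(tokens, EP_FLAGS) in ("bypass", "unrestricted"),
        "hidden_window": _value_after(tokens, WIN_FLAGS) == "hidden",
    }


# Constructed sample modelled on the psA prefix in the macro; the script text is made up.
SAMPLE_SCRIPT = "Write-Host 'nothing here friend'"
SAMPLE_CMDLINE = "powershell -win normal -ep bypass -enc " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```

Once each macro's psB/psC/psD pieces have been recovered, feeding the assembled line through triage gives the script text to order and read, plus the launch flags worth noting in the report.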