Flare-On Challenge 7 - 04 - Report

tags: ctf challenge write-up binary reverse engineer Malware Analysis
by Firpo7

Nobody likes analyzing infected documents, but it pays the bills. Reverse this macro thrill-ride to discover how to get it to show you the key.

For this challenge only an Excel document is provided, and the description makes it clear that it has to do with macros.

Infected Document

Dumping the macros from the document leads you to find only an mp3. This mp3 is not useless, though: it carries a hint. The author field in the mp3's metadata is "P. Code", suggesting that you take a look at the p-code of the document.

Analyzing the p-code shows that it does something different from the VBA source code; what has happened is called VBA stomping.

The author of the challenge modified the VBA source code while leaving the compiled version stored in the document, known as p-code, unchanged.
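As an added example (not from this write-up, nor from pcode2code), here is a minimal Python version of the consistency check behind VBA stomping detection: identifiers and string literals that the compiled p-code references but that never appear in the VBA source text. Both inputs are constructed samples, and the p-code listing only approximates a pcodedmp-style disassembly format (an assumption, not the challenge's real p-code).

```python
import re

# Constructed sample: the decoy VBA source text left in the module stream.
SOURCE = r'''Sub Auto_Open()
    ' Harmless-looking decoy that only shows a message box
    Dim msg As String
    msg = "Nothing to see here"
    MsgBox msg
End Sub
'''

# Constructed sample in the style of a pcodedmp disassembly of the compiled
# p-code for the same module (assumption: the layout only approximates pcodedmp).
PCODE = r'''Sub Auto_Open()
    LitStr 0x000B "C:\flag.png"
    St key_path
    Ld key_path
    ArgsCall LoadPicture 0x0001
    Ld msg
    ArgsCall MsgBox 0x0001
    ExitSub
End Sub
'''

STRING = re.compile(r'"(?:[^"]|"")*"')          # VBA string literal, "" escapes a quote
COMMENT = re.compile(r"'.*")                     # only apostrophe comments, not Rem
IDENT = re.compile(r'\b[A-Za-z_][A-Za-z0-9_]*\b')  # \b keeps 0x000B from yielding x000B
# p-code mnemonics that never occur in source and must not be flagged
OPCODES = {'ld', 'st', 'litstr', 'argscall', 'argsld', 'exitsub', 'funcdefn',
           'endsub', 'memld', 'memst', 'lit', 'litdi2', 'call'}

def tokens(text, is_pcode):
    """Return (identifiers, string literals) found in VBA source or p-code text."""
    strings = {s.lower() for s in STRING.findall(text)}
    stripped = STRING.sub(' ', text)
    if not is_pcode:
        stripped = COMMENT.sub(' ', stripped)  # strip comments only after strings
    idents = {t.lower() for t in IDENT.findall(stripped)}  # VBA is case-insensitive
    return (idents - OPCODES) if is_pcode else idents, strings

def detect_stomping(source, pcode):
    """Return (identifiers, strings) used by the p-code but absent from the source."""
    src_ids, src_strs = tokens(source, False)
    pc_ids, pc_strs = tokens(pcode, True)
    return sorted(pc_ids - src_ids), sorted(pc_strs - src_strs)

if __name__ == '__main__':
    ids, strs = detect_stomping(SOURCE, PCODE)
    print('VBA stomping suspected:' if ids or strs else 'source and p-code agree', ids, strs)
```

Any non-empty result means the source shown by the editor cannot be the code that actually runs, which is exactly the signal to go and disassemble the p-code instead.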

To recover the source code, pcode2code.exe can be used as follows:

pcode2code.exe .\report.xls > output.txt

Analyzing the resulting code leads to an image containing the flag.

[Result Image]