In this challenge we were provided with an Excel spreadsheet (vba01-baby_272038055eaa62ffe9042d38aff7b5bae1faa518.xls). Analyzing the document using olevba (https://github.com/decalage2/oletools/wiki/olevba) quickly revealed that it contains obfuscated VBA macro code that is executed when the document is opened.

Challenge Description

Our Solution

➜  Downloads olevba vba01-baby_272038055eaa62ffe9042d38aff7b5bae1faa518.xls
olevba 0.52.3 - http://decalage.info/python/oletools
Flags        Filename
-----------  -----------------------------------------------------------------
OLE:MAS-H--- vba01-baby_272038055eaa62ffe9042d38aff7b5bae1faa518.xls
===============================================================================
FILE: vba01-baby_272038055eaa62ffe9042d38aff7b5bae1faa518.xls
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: vba01-baby_272038055eaa62ffe9042d38aff7b5bae1faa518.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Auto_Open()
    a ("Sheet1")
End Sub
Sub Workbook_Open()
    a ("Sheet1")
End Sub
Private Function a(ByVal aaaaaaaa As String) As String

    Dim aa As Integer
    Dim aaaa As String
    Dim aaaaaa As Worksheet
    Dim aaaaaaa() As String

    On Error GoTo e
    Set aaaaaa = Worksheets(aaaaaaaa)
    aa = 874104 / 220128
    aaa = 1
    strHex = ""
    Do While aaaaaa.Columns(aaa).Cells(aa, Int(221892 / 139112)).Value <> ""
        Do While aaaaaa.Columns(aaa).Cells(aa, Int(291792 / 189112)).Value <> ""
            aaaa = aaaa + Chr(aaaaaa.Columns(aaa).Cells(aa, 1).Value Xor ((37 Xor 12) + 1))
            aaa = aaa + Int(218526 / 213912)
        Loop
        aa = aa + Int(18526 / 13912)
        aaa = Int(199526 / 139112)
    Loop
    aaaaaaa = Split(aaaa, Chr(54 Xor 12))
    Set aaaaa = CreateObject(aaaaaaa(0))
    aaaaa.RegWrite aaaaaaa(1), aaaaaaa(2), "REG_SZ"
    Exit Function
e:
    Exit Function
End Function
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: vba01-baby_272038055eaa62ffe9042d38aff7b5bae1faa518.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls
in file: vba01-baby_272038055eaa62ffe9042d38aff7b5bae1faa518.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
+------------+---------------+-----------------------------------------+
| Type       | Keyword       | Description                             |
+------------+---------------+-----------------------------------------+
| AutoExec   | Auto_Open     | Runs when the Excel Workbook is opened  |
| AutoExec   | Workbook_Open | Runs when the Excel Workbook is opened  |
| Suspicious | Chr           | May attempt to obfuscate specific       |
|            |               | strings (use option --deobf to          |
|            |               | deobfuscate)                            |
| Suspicious | Xor           | May attempt to obfuscate specific       |
|            |               | strings (use option --deobf to          |
|            |               | deobfuscate)                            |
| Suspicious | CreateObject  | May create an OLE object                |
| Suspicious | Hex Strings   | Hex-encoded strings were detected, may  |
|            |               | be used to obfuscate strings (option    |
|            |               | --decode to see all)                    |
+------------+---------------+-----------------------------------------+

We decided that the easiest approach would be to run parts of the code in a controlled environment rather than fold every obfuscated constant by hand. We therefore opened the workbook in Protected View with macro execution disabled and copied the sheet contents to a new file. Reading the macro shows why the sheet matters: the VBA contains no payload of its own. It walks Sheet1 starting at row 4 (874104 / 220128 is 3.97, which VBA rounds to 4 when it is stored in the Integer aa), reads each row left to right until it hits an empty cell, XORs every numeric cell value with 42 ((37 Xor 12) + 1) and appends the resulting character, then moves down one row and repeats until a row starts empty. The assembled string is split on ":" (Chr(54 Xor 12)); field 0 is handed to CreateObject, and fields 1 and 2 become the registry path and value for RegWrite. Note that the On Error GoTo e handler makes the function exit silently on any failure, so a macro that errors out in a sandbox leaves no trace of what it tried to do.

After sanitizing the macro code we could set appropriate breakpoints on the decoded string and execute the code, revealing the flag: INS{Do_n0t_Ena8le_M4cro}
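Stepping through the macro in a debugger works, but the same result can be obtained without executing any VBA by reproducing the cell walk statically. The script below is an added example and is not part of the original writeup or the challenge: it implements the decoder with the constants folded from Module1 (start row 4, XOR key 42, separator ":"). The sample grid is constructed inline, the ProgID "WScript.Shell" is assumed (RegWrite is one of its methods) and the registry path is a placeholder; only the flag string comes from the writeup. The optional xlrd loader is for running it against the real .xls.

```python
"""Static decoder for the obfuscated Module1 macro (added example, not the
writeup's own code).  It mirrors the macro's nested Do While loops without
running VBA, so nothing is ever passed to CreateObject or RegWrite.
"""
from typing import Dict, Tuple

# Constants folded from the macro.  VBA rounds 874104 / 220128 (= 3.97) when
# it stores the result in the Integer aa, so the walk starts at row 4; every
# Int(x / y) step in the macro evaluates to 1.
START_ROW = 4              # 1-based, like Excel
START_COL = 1              # 1-based
XOR_KEY = (37 ^ 12) + 1    # == 42
SEPARATOR = chr(54 ^ 12)   # == ':'

# (row, col), 1-based -> numeric cell value; absent key == empty cell
Grid = Dict[Tuple[int, int], int]


def walk_cells(grid: Grid) -> str:
    """Walk each row left to right until an empty cell, then go down one
    row and restart at column 1, until a row begins with an empty cell."""
    out = []
    row, col = START_ROW, START_COL
    while (row, col) in grid:            # outer Do While: Cells(aa, 1) <> ""
        while (row, col) in grid:        # inner Do While: Cells(aa, aaa) <> ""
            out.append(chr(int(grid[(row, col)]) ^ XOR_KEY))
            col += 1
        row += 1
        col = START_COL
    return "".join(out)


def decode(grid: Grid) -> Tuple[str, str, str]:
    """Return (progid, registry_path, registry_value) exactly as the macro
    would hand them to CreateObject and RegWrite."""
    parts = walk_cells(grid).split(SEPARATOR)
    if len(parts) < 3:
        raise ValueError("decoded payload has fewer than three ':' fields")
    return parts[0], parts[1], parts[2]


def encode_to_grid(text: str, cells_per_row: int = 8) -> Grid:
    """Inverse transform, used here only to build the constructed sample."""
    grid: Grid = {}
    for i, ch in enumerate(text):
        key = (START_ROW + i // cells_per_row, START_COL + i % cells_per_row)
        grid[key] = ord(ch) ^ XOR_KEY
    return grid


def load_xls_grid(path: str, sheet: str = "Sheet1") -> Grid:
    """Optional loader for the real workbook (pip install xlrd).  xlrd reads
    the cell values directly from the OLE file, so no macro can run."""
    import xlrd  # imported lazily so the rest of the example needs no deps
    ws = xlrd.open_workbook(path).sheet_by_name(sheet)
    grid: Grid = {}
    for r in range(ws.nrows):
        for c in range(ws.ncols):
            value = ws.cell_value(r, c)
            if value != "":                  # same emptiness test as the macro
                grid[(r + 1, c + 1)] = int(value)
    return grid


# Constructed sample sheet: ProgID assumed, registry path is a placeholder,
# flag string taken from the writeup.
SAMPLE_PAYLOAD = "WScript.Shell:HKCU\\Software\\Example\\Flag:INS{Do_n0t_Ena8le_M4cro}"
SAMPLE_GRID = encode_to_grid(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    progid, reg_path, reg_value = decode(SAMPLE_GRID)
    print("CreateObject:", progid)
    print("RegWrite path:", reg_path)
    print("RegWrite value:", reg_value)
```

Two details matter when porting this to the real sheet: both loop conditions test the cell at (aa, aaa) of Columns(aaa), not a fixed column, so a row ends at its first blank cell; and a cell holding 0 is not empty, so a character that XORs to 0 ("*") must not be treated as a terminator, which is why the grid above keys on presence rather than on a zero value.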