Mr.Phisher
Mr.Phisher
Mr.Phisher
π₯ Getting the Files
π΅οΈ First, I downloaded the challenge files through a local Python HTTP server: 
π‘ Opening the files, something looked suspicious. I also checked the strings β this was my first time dealing with this kind of challenge, so I did some research on extracting data from .docm files. The archive seemed to contain the same file, so I focused on one.
π Analysing the Macro
I confirmed both files were identical by comparing their hashes: 
I found a tool called olevba for analysing Office macros:
1
pip install oletools
β‘ It extracted an obfuscated decimal array along with the decryption logic. After some research, I identified the language as VBA (Visual Basic for Applications).
π Decrypting the Flag
I recreated the decryption logic in Python:
1
2
3
4
5
6
7
# The obfuscated decimal array from the macro
a = []
# Decode using list comprehension
flag = "".join(chr(val ^ i) for i, val in enumerate(a))
print(flag)
Running the script gives us the flag: 
π Flag captured!
This post is licensed under CC BY 4.0 by the author.

