Post

Mr.Phisher

Mr.Phisher

Mr.Phisher

πŸ“₯ Getting the Files

πŸ•΅οΈ First, I downloaded the challenge files through a local Python HTTP server: Pasted image 20260624132038.png

Pasted image 20260624132832.png

πŸ’‘ Opening the files, something looked suspicious. I also checked the strings β€” this was my first time dealing with this kind of challenge, so I did some research on extracting data from .docm files. The archive seemed to contain the same file, so I focused on one.

πŸ” Analysing the Macro

I confirmed both files were identical by comparing their hashes: Pasted image 20260624133051.png

I found a tool called olevba for analysing Office macros:

1
pip install oletools

Pasted image 20260624133847.png

⚑ It extracted an obfuscated decimal array along with the decryption logic. After some research, I identified the language as VBA (Visual Basic for Applications).

🏁 Decrypting the Flag

I recreated the decryption logic in Python:

1
2
3
4
5
6
7
# The obfuscated decimal array from the macro
a = []

# Decode using list comprehension
flag = "".join(chr(val ^ i) for i, val in enumerate(a))

print(flag)

Running the script gives us the flag: Pasted image 20260624134337.png

🏁 Flag captured!

This post is licensed under CC BY 4.0 by the author.