[CTF GEMA] obf-2
CTF GEMA Groupe 2025
Difficulty level: Medium
Challenge category: Malware
Description:
Your coworker opened a sketchy Excel file (malware.xls) and now their computer is acting weird. Investigate the file, figure out what it’s hiding, and decode its sneaky payload to find the flag before it spreads!
Warning: DO NOT OPEN ON YOUR HOST—USE A VM OR RISK YOUR COMPUTER TURNING INTO A ZOMBIE!
Steps to Solve
The fastest way to start the analysis is via VirusTotal:

The file is ZIP-based, so let's convert it to a .zip and see what's inside:

Looking through the files, we found a workbook file:

That looks like a PowerShell script, but we first have to decode it. The script ends with:
"| . ( $pShome[21]+$pShoMe[34]+'X')" ; running it as-is produces an error.

In fact, there are multiple layers of obfuscation.
We can save the output to 1.ps1, then edit it (add Write-Host so the next layer is printed instead of executed):

We'll save the output to 2.ps1, remove the iex and the Write-Host, then run the code:
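As an added example (not part of the original writeup), here is a small Python helper that resolves the $pShome character-index trick at the end of the script ($pShome[21]+$pShoMe[34]+'X' spells "ieX", i.e. Invoke-Expression) and rewrites that invocation to Write-Host, which is the manual edit applied in the steps above. It assumes the default $PSHome path of a 64-bit Windows host; the sample layer it processes is constructed for the demo.

```python
import re
from typing import Tuple

# Default $PSHome on a 64-bit Windows host (assumption: the real value depends on the machine).
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"

# One indexed-character term such as $pShome[21]; PowerShell variable names are case-insensitive.
_INDEX_TERM = re.compile(r"\$pshome\[(\d+)\]", re.IGNORECASE)
# One single-quoted literal such as 'X'.
_LITERAL_TERM = re.compile(r"'([^']*)'")
# The trailing dot-sourced invocation: "| . ( <expr> )" at the end of a layer.
_INVOKE_TAIL = re.compile(r"\|\s*\.\s*\(\s*([^)]*)\)\s*$")

def resolve_concat(expr: str, pshome: str = PSHOME) -> str:
    """Evaluate a '+'-joined mix of $PSHome[n] terms and single-quoted literals.
    Limitation: literals containing '+' are not supported (not needed for this sample)."""
    out = []
    for term in expr.split("+"):
        term = term.strip()
        m = _INDEX_TERM.fullmatch(term)
        if m:
            out.append(pshome[int(m.group(1))])
            continue
        m = _LITERAL_TERM.fullmatch(term)
        if m:
            out.append(m.group(1))
            continue
        raise ValueError(f"unsupported term: {term!r}")
    return "".join(out)

def neutralise_invoke(layer: str, pshome: str = PSHOME) -> Tuple[str, str]:
    """Return (resolved_cmdlet, rewritten_layer). If the tail resolves to iex /
    Invoke-Expression, it is replaced with Write-Host so the next stage is
    printed rather than executed; otherwise the layer is returned unchanged."""
    m = _INVOKE_TAIL.search(layer)
    if not m:
        return "", layer
    cmd = resolve_concat(m.group(1), pshome)
    if cmd.lower() not in ("iex", "invoke-expression"):
        return cmd, layer
    return cmd, layer[:m.start()] + "| Write-Host"

# Constructed sample layer: a base64 decode piped into the obfuscated invocation from the workbook.
SAMPLE_LAYER = ("[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)) "
                "| . ( $pShome[21]+$pShoMe[34]+'X')")

if __name__ == "__main__":
    cmdlet, safe_layer = neutralise_invoke(SAMPLE_LAYER)
    print(f"tail resolves to: {cmdlet}")
    print(f"rewritten layer : {safe_layer}")
```

Run the rewritten layer in an isolated VM to obtain the next stage as text, then repeat until the final stage is readable.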


Flag
FLAG{1b5b7c90bb48efb02e81921598e7a447}