Task 12, Day 07, CyberChef Maldocs roasting on an open fire

Had to skip yesterday’s challenge and post, so they’re doubled today. I kept a simple question in the wings to keep the streak alive though. Glad for this one because I’m always looking for a fun reason to use CyberChef.

New acronym, C2 - Command and Control Infrastructure. Really digging the new(ish) wiki-type links in the tasks.

Using CyberChef for mal doc analysis

  • Extract strings - step 1 after loading, look for embedded domains. Set to all printable characters and tweak minimum size of string until information to focus on is shown.

  • Find/Replace - Use to remove extra repeated characters used for obfuscation. Reveals, among other things, base64 coding.

  • Drop Bytes - start at 0 and increase length until left with only base64.

  • From Base64 - decode from standard powershell UTF-16LE (1200)

  • Find/Replace - remove repeated characters again

  • Find/Replace - replace simple string of obfuscated addresses

  • Extract URLs - leave only URLs

  • Split - split results at repeated delimiter

  • Defang URL - make resulting links readable but unclickable

The Task

Gather information from last task’s attached file.

All flags captured. I really like the focus on documentation and prepping things for documentation to hand on to the next team this year. Having had to dig through poor and lacks of documentation this is a good sleight of hand to slip the training/expectation in to prevent poor documentation in the future.