This is the link for the room Malicious VBA
Download the Malicious file -> Virus
Let's go!
First, download the file, then open it with Notepad or Notepad++.
This is the spoiler for the file.
We can see that the Virus file contains hex code. We can decode the hex code with CyberChef.
Decode the strings one by one until you have finished.
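The decoding step above can also be done in bulk instead of one string at a time. The following is an added example, not part of the original write-up or the room's file: it assumes the hex appears as contiguous runs of digit pairs in the macro text, and the sample macro, including the `h2s` helper name, is constructed.

```python
import re

# Assumption: encoded strings are contiguous runs of hex byte pairs (8+ digits).
# Odd-length runs are skipped because they cannot be whole bytes.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}){4,}(?![0-9A-Fa-f])")

# Coarse labels for the kinds of strings the room asks about (first match wins).
LABELS = [
    ("url", re.compile(r"^https?://", re.I)),
    ("wmi", re.compile(r"^winmgmts:", re.I)),
    ("user-agent", re.compile(r"^Mozilla/", re.I)),
    ("file", re.compile(r"\.(exe|dll|scr|bat|ps1|vbs)$", re.I)),
    ("com-object", re.compile(r"^[A-Za-z0-9]+\.[A-Za-z0-9]+$")),
]

def decode_hex_strings(source):
    """Decode every hex run in the text, keeping only printable ASCII results."""
    decoded = []
    for match in HEX_RUN.finditer(source):
        raw = bytes.fromhex(match.group(0))
        # Plain numbers such as 12345678 also look like hex; drop non-text.
        if all(0x20 <= b < 0x7F for b in raw):
            decoded.append(raw.decode("ascii"))
    return decoded

def label(text):
    for name, pattern in LABELS:
        if pattern.search(text):
            return name
    return "other"

def triage(source):
    """Return (label, decoded string) pairs in the order they appear."""
    return [(label(s), s) for s in decode_hex_strings(source)]

def _hx(text):
    return text.encode("ascii").hex()

# Constructed sample macro; h2s is a hypothetical decoder name, and the
# encoded values are strings quoted in this write-up.
SAMPLE = "\n".join([
    "Sub AutoOpen()",
    '  u = h2s("%s")' % _hx("https://tinyurl.com/g2z2gh6f"),
    '  f = h2s("%s")' % _hx("dropped.exe"),
    '  Set s = CreateObject(h2s("%s"))' % _hx("ADODB.Stream"),
    "  n = 12345678",
    "End Sub",
])

if __name__ == "__main__":
    for kind, value in triage(SAMPLE):
        print(f"{kind:12} {value}")
```

To use it on the downloaded file, read the file as text and pass its contents to `triage`; the file is only read, never executed.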
Note: Pay attention to the answer format: {Answer}.
The document initiates the download of a payload after the execution, can you tell what website is hosting it?
Answer: {https://tinyurl.com/g2z2gh6f}
What is the filename of the payload (include the extension)?
Answer: {dropped.exe}
What method is it using to establish an HTTP connection between files on the malicious web server?
Answer: {msxml2.serverxmlhttp}
What user-agent string is it using?
Answer: {Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)}
What object does the attacker use to be able to read or write text and binary files?
Answer: {ADODB.Stream}
What is the object the attacker uses for WMI execution? Possibly they are using this to hide the suspicious application running in the background.
Answer: {winmgmts:\.\root\cimv2:Win32_Process}