File Analysis
In this task, we will use oledump.py to conduct static analysis on a potentially malicious Excel document.
Oledump.py is a Python tool for analyzing OLE2 files, also known as Structured Storage or Compound File Binary Format, which Microsoft developed for storing various data types in a single file. This tool is valuable for extracting and examining the contents of OLE2 files, aiding forensic analysis and malware detection.
Let’s start!
Using the REMnux VM, navigate to the /home/ubuntu/Desktop/tasks/agenttesla/ directory and run:
oledump.py agenttesla.xlsm
You will see a list of data streams. A data stream labeled with a capital M contains a macro, which is what we should examine.
To check it out, run:
oledump.py agenttesla.xlsm -s 4
This command targets the data stream of interest (A4: M 688 'VBA/ThisWorkbook').
The output is in hex dump format, which can be hard to read. To make it clearer, we'll use the --vbadecompress parameter:
oledump.py agenttesla.xlsm -s 4 --vbadecompress
Now the script is readable. We are particularly interested in the variable Sqtnew, whose contents may indicate malicious activity, such as a public IP address and references to executable files.
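To show what --vbadecompress actually does, and what to look for once the macro is readable, here is an added example that is not part of the original article or of oledump.py. It implements the MS-OVBA compression scheme that VBA module streams use (signature byte, chunk header, flag bytes, literal and copy tokens) and then runs a simple triage scan for IPv4 addresses and executable file names over the decompressed text. Both inputs are constructed: SAMPLE_CONTAINER is a hand-built compressed stream that decompresses to a two-line VBA stub, and MACRO_TEXT is a made-up decompressed module using the documentation address 203.0.113.10; neither is taken from agenttesla.xlsm.

```python
import re
import struct

# Constructed MS-OVBA container: 0x01 signature, one compressed chunk
# (header 0xB015 = compressed flag | signature 0b011 | size 24-3),
# three flag bytes, fifteen literal tokens, one copy token (offset 15,
# length 3, encoded as 0xE000 for a 4-bit offset field) and two more literals.
SAMPLE_CONTAINER = (
    b"\x01"              # container signature
    b"\x15\xB0"          # chunk header, little-endian 0xB015
    b"\x00" b"Sub Run("  # flag byte 0: eight literals
    b"\x80" b")\r\nEnd " b"\x00\xE0"  # flag byte 0x80: seven literals + copy token
    b"\x00" b"\r\n"      # flag byte 0: two literals, chunk ends
)


def decompress_vba(data: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (what oledump --vbadecompress does)."""
    if not data or data[0] != 0x01:
        raise ValueError("missing MS-OVBA container signature 0x01")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        chunk_size = (header & 0x0FFF) + 3        # includes the 2-byte header
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        compressed = bool(header & 0x8000)
        chunk_end = min(pos + chunk_size, len(data))
        chunk_start = len(out)                   # decompressed start of this chunk
        pos += 2
        if not compressed:
            # Uncompressed chunk: raw 4096-byte block (shorter if truncated)
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(data[pos])        # literal token: one byte
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                # Offset/length bit split depends on position within the chunk
                produced = len(out) - chunk_start
                bit_count = max((produced - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                if src < chunk_start:
                    raise ValueError("copy token reaches before chunk start")
                for _ in range(length):          # byte-wise copy allows overlap
                    out.append(out[src])
                    src += 1
    return bytes(out)


# Constructed decompressed module text, modelled on the kind of variable
# the article points at; the IP is a documentation address, not a real IoC.
MACRO_TEXT = (
    'Attribute VB_Name = "ThisWorkbook"\r\n'
    "Private Sub Workbook_Open()\r\n"
    '    Sqtnew = "http://203.0.113.10/files/update.exe"\r\n'
    "End Sub\r\n"
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EXE_RE = re.compile(r"\b\w[\w-]*\.(?:exe|dll|scr)\b", re.IGNORECASE)


def find_indicators(text: str) -> dict:
    """Triage helper: pull out IPv4 literals and executable names for review."""
    return {
        "ipv4": sorted(set(IPV4_RE.findall(text))),
        "executables": sorted(set(EXE_RE.findall(text))),
    }


if __name__ == "__main__":
    plain = decompress_vba(SAMPLE_CONTAINER)
    print(plain.decode("latin-1"))
    print(find_indicators(MACRO_TEXT))
```

The same decompress_vba function can be pointed at the raw bytes oledump prints for stream 4 (the bytes following the module's compressed-source offset in the stream); the indicator scan is deliberately simple and is meant as a first pass that tells the analyst which lines of the decompressed macro to read closely, not as a verdict.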