Mr. Phisher

Image by tryhackme.com

In this room, you are tasked with analyzing a macro in a Word document. This walkthrough is intended for students with limited programming experience and will try to explain the macro code. The room can be found on TryHackMe.

Inspect macro

Does it contain evil code?

LibreOffice Writer makes it possible to inspect macros without running them. To find out what the macro did, I opened the Word document in LibreOffice, opened the "Tools" drop-down menu, then "Macros", and clicked on "Edit Macros". This opened LibreOffice Basic, a nice macro IDE (Integrated Development Environment).

Screenshot from Libre Office Writer

Open the macro editor in Libre Office Writer

Inside the LibreOffice Basic macro editor, I browsed through the file hierarchy of the PrPhisher.docm document looking for macros. Inside Project/Modules, I found a macro called NewMacro.

Screenshot from Libre Office Basic

Locating the VBA script in Libre Office Basic

Looking at the script, it appeared to loop over the contents of the array stored in the "a" variable. A quick Google search for the UBound() function and a look at the documentation told me that it was used to get the length of an array.

Inside the for-loop, the element at the current index of the "a" array was binary XOR'ed with the loop index, the result was cast to a character, and that character was appended to the end of a string stored in the "b" variable.

Armed with this knowledge I knew that the macro was not malicious, and I suspected that the "b" variable would hold the task flag at the end of the for-loop.
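The decoding loop described above, reimplemented in Python as an added example (this is not code from the room or from the walkthrough). It lets an analyst recover the string from the array literal copied out of the macro editor without ever enabling macros. The VBA snippet embedded below is constructed to match the behaviour described (the loop is assumed to be "For i = 0 To UBound(a)"), and the numbers in it are a made-up array, not the one in the room's document.

```python
import re

# Constructed VBA source in the shape the walkthrough describes.
# It is NOT the macro from the room; the numbers are made up.
SAMPLE_VBA = """
Sub NewMacro()
    Dim a As Variant
    Dim b As String
    Dim i As Integer
    a = Array(110, 110, 118, 35, 97, _
              115, 111, 107)
    For i = 0 To UBound(a)
        b = b & Chr(a(i) Xor i)
    Next i
End Sub
"""


def extract_array(vba_source):
    """Pull the integer list out of the first Array(...) literal in the macro.

    VBA line continuations ("_") and newlines inside the literal are tolerated
    because the regex matches across lines and only the digits are kept.
    """
    match = re.search(r"Array\((.*?)\)", vba_source, re.S)
    if match is None:
        raise ValueError("no Array(...) literal found in macro source")
    return [int(n) for n in re.findall(r"\d+", match.group(1))]


def xor_index_decode(values):
    """Mirror of the loop body: b = b & Chr(a(i) Xor i) for every index i.

    In the macro, UBound(a) is the highest index of the array, so the loop
    runs over every element; enumerate() gives the same index i here.
    """
    return "".join(chr(v ^ i) for i, v in enumerate(values))


def xor_index_encode(text):
    """Inverse of the decode step: build the array the macro author would embed.

    Useful for checking that the decoder round-trips and for understanding
    how such an array is produced in the first place.
    """
    return [ord(c) ^ i for i, c in enumerate(text)]


def decode_macro(vba_source):
    """Static decode: parse the array out of the source and run the XOR loop."""
    return xor_index_decode(extract_array(vba_source))


if __name__ == "__main__":
    print(extract_array(SAMPLE_VBA))   # [110, 110, 118, 35, 97, 115, 111, 107]
    print(decode_macro(SAMPLE_VBA))    # not evil
```

Paste the real macro's text into the place of SAMPLE_VBA (or read it from a file) and decode_macro() returns what the "b" variable would hold at the end of the loop, which is the same value the debugger section below reads from the watch list, but obtained without executing anything from the document.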

Enable macros

By default, macros are disabled in LibreOffice

LibreOffice has a security feature that disables all macros by default. To play around with the macros in this document, macros had to be enabled.

To enable macros, open the "Tools" menu and click "Options".

Screenshot from Libre Office Basic

Open options in Libre Office Basic

Inside Options, navigate to LibreOffice, then Security, and open "Macro Security...".

Screenshot from Libre Office Basic

Open the Macro Security options

Inside the Macro Security options, I switched to the medium security level. At this level, LibreOffice opens a prompt asking whether macros should be enabled when a document containing them is opened.

Click enable, then OK, close the options, close the document, and re-open it. You will now be prompted to allow macros to run in the document. Click allow, and open LibreOffice Basic again.

Debugging

Reading what is stored in variables

LibreOffice Basic has a powerful debugger that can be used to step through the script line by line. To read the values stored in variables in memory, I had to set a breakpoint and enable a "watch" on the "b" variable to see the decoded string.

To set the breakpoint, I clicked on line 10 and placed a breakpoint there.

Screenshot from Libre Office Basic

Set a breakpoint

This stops the script from executing when it hits that line. With the breakpoint on line 10, the script stops after the loop has completed, and at that point the numerical values stored in the "a" array will already have been converted into the text string stored in the "b" variable.

To watch the value the "b" variable holds, I added it to the watch list. This was done by typing "b" into the watch field and hitting Enter.

Screenshot from Libre Office Basic

Add the "b" variable to the watch list.

Now I could run the script and watch it stop at the breakpoint on line 10. Once the script had stopped at the breakpoint, the value stored in the "b" variable could be read from the watch list.

Screenshot from Libre Office Basic

Reading the decoded flag