LetsDefend — Remote Working Challenge Walkthrough
Investigating a suspicious XLSM file with VirusTotal
Introduction:
Welcome to my weekly walkthrough! If you’ve stumbled across this blog while searching for a comprehensive walkthrough of the Remote Working challenge from LetsDefend, you’re in the right place.
In this scenario, we’re provided with a suspicious Excel file, and it’s up to us to determine whether it’s malicious or not. To do this, we’ll collect the file hash and hunt on VirusTotal to see what we can learn about the sample.
This challenge is perfect for beginners and serves as a primer for using VirusTotal for triage, rather than focusing on static analysis of the malicious file directly. However, it offers great practice opportunities for all skill levels. Sounds like fun, right? Let’s get into it!
And if you find this walkthrough helpful — whether it levels up your skills, gets you over a stumbling block, or serves as a handy reference — please give it a clap and consider following me for more content like this.
Thanks for reading and going on this investigation with me!
Challenge Link: https://app.letsdefend.io/challenge/remote-working
Challenge Scenario:
Analysis XLS File
File link: /root/Desktop/ChallengeFiles/ORDER_SHEET_SPEC.zip
Question 1: What is the date the file was created? (UTC) Answer Format: YYYY-MM-DD HH:MM:SS
Let’s kick off this challenge by extracting the sample file from ORDER_SHEET_SPEC.zip within the ChallengeFiles folder.
Inside, we’ll find a macro-enabled Excel file, ORDER SHEET & SPEC.xlsm. While a macro-enabled file doesn’t necessarily mean it’s malicious, it does raise some suspicions, especially if it was delivered over email as in a phishing campaign. But that’s what we’re here to figure out!
We’ll start our analysis by getting an overview of the suspicious file, grabbing its SHA256 file hash. With this unique hash, we can pivot our search to an external threat intelligence service, like VirusTotal, to save time in our analysis and quickly determine the file’s status.
We’ll grab the file hash of the sample directly from a terminal window within our analysis environment by right-clicking in the folder and selecting “Open in Terminal” to launch it.
Once in the terminal, we can use the command below to calculate the SHA256 hash of the sample:
sha256sum 'ORDER SHEET & SPEC.xlsm'
With the file hash in hand, navigate to VirusTotal and submit it to see if the file has been previously analyzed. Once the results load, you’ll notice that most security vendors have already detected the file as malicious.
To find the answer to Question 1, navigate to the Details tab of the submission, and look under History to find the file’s creation time.
Real World Tip: If you’re new to using VirusTotal, it’s important to remember that public submissions are made available to the security community. DO NOT upload anything that contains personal or confidential data.
Question 2: With what name is the file detected by Bitdefender antivirus?
Navigate back to the Detection tab of the VirusTotal page. Under the security vendors’ analysis section, locate the malware threat name reported by Bitdefender.
Question 3: How many files are dropped on the disk?
Continuing our analysis, let’s determine how many files are dropped on the disk once the malware is executed. We can locate this information on the Behavior tab, scrolling down to the Files Dropped section, and counting the entries.
Question 4: What is the sha-256 hash of the file with emf extension it drops?
Expanding on the information we collected in the last question, we need to locate a dropped file with the .emf extension. Once we've found it, press the + button to expand the selection, revealing the SHA256 hash of the dropped file.
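The steps for Questions 1 through 4 (hash the sample, look it up by hash, read the creation time, the vendor detection name, and the dropped-file list) can be scripted so that the file itself never leaves the analysis box, which is the point of the Real World Tip above. The script below is an added example written for this walkthrough; it is not part of the LetsDefend challenge or the VirusTotal documentation. It assumes the public VirusTotal v3 REST endpoints /files/{hash} and /files/{hash}/behaviour_summary, an API key supplied in the VT_API_KEY environment variable, and the attribute names creation_date, last_analysis_stats and last_analysis_results in the file report. The JSON embedded in the script is constructed sample data with placeholder values, so the script runs offline; with a key and a file path it performs the live hash lookup instead.

```python
"""
Triage helper: hash a local sample and query VirusTotal by hash only (the
file is never uploaded), then pull out the same fields this walkthrough reads
from the web UI: creation time, one vendor's detection name, the number of
dropped files, and the SHA-256 of a dropped .emf file.
"""
import hashlib
import json
import os
import sys
import tempfile
import urllib.request
from datetime import datetime, timezone

VT_API = "https://www.virustotal.com/api/v3"  # assumed: public VT v3 base URL


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large samples never sit fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def vt_get(endpoint, api_key):
    """GET a VirusTotal v3 endpoint; the key travels in the x-apikey header."""
    req = urllib.request.Request(f"{VT_API}/{endpoint}", headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_file_report(report, vendor="BitDefender"):
    """Extract creation time (UTC), detection ratio and one vendor's verdict from /files/{hash}."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    created = attrs.get("creation_date")  # unix epoch taken from the document metadata
    created_utc = None
    if created is not None:
        created_utc = datetime.fromtimestamp(created, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return {
        "malicious": stats.get("malicious", 0),
        "total_engines": sum(stats.values()),
        "creation_time_utc": created_utc,
        "vendor_detection": attrs.get("last_analysis_results", {}).get(vendor, {}).get("result"),
    }


def dropped_files(behaviour_summary, extension=".emf"):
    """Count sandbox-dropped files and return the hashes of those with the given extension."""
    dropped = behaviour_summary.get("data", {}).get("files_dropped", [])
    matching = [d.get("sha256") for d in dropped if d.get("path", "").lower().endswith(extension)]
    return {"count": len(dropped), "matching_sha256": matching}


# Constructed sample responses (placeholders, not real VirusTotal data).
SAMPLE_REPORT = {"data": {"attributes": {
    "creation_date": 1609459200,  # 2021-01-01 00:00:00 UTC, chosen for the demo
    "last_analysis_stats": {"malicious": 40, "suspicious": 0, "undetected": 20,
                            "harmless": 0, "timeout": 1, "type-unsupported": 5},
    "last_analysis_results": {"BitDefender": {"category": "malicious",
                                              "result": "PLACEHOLDER.Detection.Name"}},
}}}
SAMPLE_BEHAVIOUR = {"data": {"files_dropped": [
    {"path": "C:\\Users\\user\\AppData\\Local\\Temp\\image1.emf", "sha256": "PLACEHOLDER_EMF_SHA256"},
    {"path": "C:\\Users\\user\\AppData\\Local\\Temp\\stage2.exe", "sha256": "PLACEHOLDER_EXE_SHA256"},
    {"path": "C:\\Users\\user\\AppData\\Local\\Temp\\~tmp.bin", "sha256": "PLACEHOLDER_BIN_SHA256"},
]}}


def demo():
    """Offline run: hash a constructed three-byte sample and parse the sample responses."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"abc")  # constructed stand-in for the .xlsm sample
        sample_path = tmp.name
    try:
        result = {"sha256": sha256_file(sample_path)}
    finally:
        os.unlink(sample_path)
    result.update(summarize_file_report(SAMPLE_REPORT))
    result.update(dropped_files(SAMPLE_BEHAVIOUR))
    return result


def main(argv):
    path, api_key = (argv[1] if len(argv) > 1 else None), os.environ.get("VT_API_KEY")
    if path and api_key:  # live lookup by hash only; nothing is uploaded
        digest = sha256_file(path)
        print(json.dumps({"sha256": digest,
                          **summarize_file_report(vt_get(f"files/{digest}", api_key)),
                          **dropped_files(vt_get(f"files/{digest}/behaviour_summary", api_key))}, indent=2))
    else:
        print(json.dumps(demo(), indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as python vt_triage.py 'ORDER SHEET & SPEC.xlsm' with VT_API_KEY exported to perform the real lookup; without a key it prints the parsed demo data. A lookup by hash returns a report only if someone has already submitted the sample, so a "NotFoundError" response means the file is unknown to VirusTotal, not that it is clean.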
Question 5: What is the exact url to which the relevant file goes to download spyware?
We’ve made it to the final question! There are several spots within VirusTotal where we can determine the network communication but for this walkthrough, let’s use the Relations tab and focus on the Contacted URLs section.
Of the two URLs, we can see that one of them is hosting an executable file. That’s pretty suspicious…
Clicking the URL entry will take us to the VirusTotal page for the URL where we can see that several vendors have identified it as malicious. I think we’ve found the answer to Question 5! Now let’s wrap up this investigation!
Conclusion:
Mission accomplished! By leveraging the power of VirusTotal, we successfully analyzed the malicious Excel file and learned about some of its behavior, including its creation time, dropped files, and second-stage URL. Now that we’ve completed our objectives, let’s close out this walkthrough of the Remote Working challenge.
A big thank you to LetsDefend, for the fun lab. While this challenge isn’t especially difficult, it’s good hands-on practice using VirusTotal and exploring some of its lesser-used features. These types of challenges would have been especially useful earlier in my own security journey to better understand what tools were available with practical applications to test with. I hope that this challenge helped pique your interest in using VirusTotal in your own workflow!
Thanks for your support and for going through this investigation with me. Remember, if you found this walkthrough helpful don’t forget to give it a clap! Your feedback really is invaluable and helps fuel my commitment to support your journey in the security community. Cybersecurity is a team sport and we’re in this together!
Until next week’s challenge — stay curious and be safe out there!
Tools & References:
Microsoft Support — File formats that are supported in Excel: https://support.microsoft.com/en-us/office/file-formats-that-are-supported-in-excel-0943ff2c-6014-4e8d-aaea-b83d51d46247
VirusTotal: https://www.virustotal.com/