When I downloaded the [doc file](https://github.com/mar232320/ctf-writeups/raw/main/davinci/2022/verybadscript.doc),  
I opened it in LibreOffice without executing the macro. I copied the macro
code and started to reverse-engineer it.  
The [macro](https://github.com/mar232320/ctf-writeups/raw/main/davinci/2022/macro.vba) was obfuscated. I renamed the random
function names and got the partly [deobfuscated
macro](https://github.com/mar232320/ctf-writeups/raw/main/davinci/2022/makro.vba) with an XOR decrypting function. I
modified the macro to display the XOR password,  
which turned out to be  
`Qx7BM0v9GDD2YYgfAxtWm2CShiUx2ikHTazpgtf90bEGuUwk46nFlDwmJFfGuLcFxp30f7iQpYIogbVhjqV9Us03sJNQqFTrViarTSJzNBnXY5rFYy6QVxwqfqQrAKUHa3PBu81C4zT4YRE3jX8lFiNQ7JHQBVuXAEQXIajamj1EDqa9n34eHZ7y0XbfuxPt7pMjWo7Jm0btMvzatyCPbZjczioyr3RbIbZDklpZDvbZdKnjKZroMg6EzZA1y2`

I made a [Python script](https://github.com/mar232320/ctf-writeups/raw/main/davinci/2022/vbsolver.py) to decrypt all the XOR strings in
the macro, and there I found that the macro doesn't do anything malicious but
sends a message with the flag via a POST request to `http://dvc.tf:9001`.

[final.vba](https://github.com/mar232320/ctf-writeups/raw/main/davinci/2022/final.vba)

# dvCTF{vb4_0bfu5c4710n_5h3n4n164n5}

Original writeup (https://github.com/mar232320/ctf-writeups/blob/main/davinci/2022/verybadscript.md).