Several packets show that the victim downloaded the phishing file.
Extract Drill_2024.doc from the pcap for analysis.
Analyze the document with olevba or oledump:
$ oledump.py Drill_2024.doc
1: 114 '\x01CompObj'
2: 4096 '\x05DocumentSummaryInformation'
3: 7503 '1Table'
4: 492 'Macros/PROJECT'
5: 137 'Macros/PROJECTwm'
6: M 2483 'Macros/VBA/Module1'
7: M 6382 'Macros/VBA/Module2'
8: M 20149 'Macros/VBA/Module3'
9: M 36507 'Macros/VBA/Module4'
10: m 962 'Macros/VBA/ThisDocument'
11: 12430 'Macros/VBA/_VBA_PROJECT'
12: 8735 'Macros/VBA/__SRP_0'
13: 226 'Macros/VBA/__SRP_1'
14: 8635 'Macros/VBA/__SRP_4'
15: 238 'Macros/VBA/__SRP_5'
16: 156 'Macros/VBA/__SRP_6'
17: 5164 'Macros/VBA/__SRP_7'
18: 2482 'Macros/VBA/__SRP_8'
19: 194 'Macros/VBA/__SRP_9'
20: 630 'Macros/VBA/dir'
21: 4096 'WordDocument'
There are 4 modules that contain macros, and they are obfuscated.
JERWafGg is the base64 decode function:
Module 4 performs string concatenation, then base64-decodes the result with the JERWafGg function and runs it.
….
Finally, it is executed using WinExec in Module 3.
The string concatenation and base64 decoding can be done manually or by debugging directly in Visual Basic.
So the macros download the PowerShell script from https://gist.githubusercontent.com/hackdametaverse/8cc9471c0e012c69668db93cc6c927e5/raw/2e85b673b8faf5d9758e9a594b71af82cb167c7a/github.ps1, save it to the Temp folder and execute it.
The PowerShell script is further obfuscated with reordering and replacement techniques.
Base64 decoding and deflate decompression
The code looks like a program for remotely controlling the victim's computer.
It connects to the C&C server to receive the attacker's commands; all data sent and received is encrypted with a hardcoded key in AES CBC mode.
The variable $VpGngCQ0kcYj3OoP22Jr is the key.
Decrypt data:
Filter all requests sent by the attacker to the victim's computer:
$ tshark -r KeeperInTheNet.pcapng -Y "tcp.srcport==4953" -Tfields -e http.file_data | grep "\S"
YDUCSR
Filter all responses returned by the victim's computer to the attacker:
$ tshark -r KeeperInTheNet.pcapng -Y "tcp.dstport==4953" -Tfields -e http.file_data | grep "\S"
name=Desktop&type=p
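As an added example (not the challenge's own PowerShell and not part of the writeup), this script replays the decryption side of the C2 channel over lines in the exact shape tshark prints above, for both directions: bare base64 from the attacker and url-encoded `result=` fields from the victim. It assumes the key is the raw bytes of the string in $VpGngCQ0kcYj3OoP22Jr, that each blob carries its IV as its first 16 bytes with PKCS7 padding, and that the function names, key value and sample text are constructed placeholders.

```powershell
# Added example, not the challenge's script: decrypt the C2 blobs pulled out with tshark.
# Assumptions (not confirmed by the writeup): key = raw bytes of the string in $VpGngCQ0kcYj3OoP22Jr,
# IV = first 16 bytes of each blob, PKCS7 padding. Names and values below are constructed.

function ConvertFrom-C2Line {
    # Victim-side lines (tcp.dstport==4953) look like "result=<url-encoded base64>";
    # attacker-side lines (tcp.srcport==4953) are bare base64 and pass through unchanged.
    param([string]$Line)
    $b64 = $Line.Trim()
    if ($b64.StartsWith('result=')) { $b64 = $b64.Substring(7) }
    return [uri]::UnescapeDataString($b64)
}

function New-C2Aes {
    param([byte[]]$Key)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $Key
    return $aes
}

function Unprotect-C2Blob {
    param([byte[]]$Key, [string]$Base64)
    $raw = [Convert]::FromBase64String($Base64)
    if ($raw.Length -lt 32 -or $raw.Length % 16 -ne 0) { throw "not IV + whole AES blocks: $($raw.Length) bytes" }
    $aes = New-C2Aes -Key $Key
    $aes.IV = [byte[]]($raw[0..15])                  # assumption: IV is prepended to the ciphertext
    $plain = $aes.CreateDecryptor().TransformFinalBlock($raw, 16, $raw.Length - 16)
    return [Text.Encoding]::UTF8.GetString($plain)
}

function Protect-C2Blob {
    # Used only to build a constructed sample line in the same shape as the capture.
    param([byte[]]$Key, [string]$Text)
    $aes = New-C2Aes -Key $Key
    $aes.GenerateIV()
    $bytes = [Text.Encoding]::UTF8.GetBytes($Text)
    $ct = $aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
    return [Convert]::ToBase64String([byte[]]($aes.IV + $ct))
}

# Constructed 32-byte placeholder (AES-256); substitute the real value of $VpGngCQ0kcYj3OoP22Jr.
$Key = [Text.Encoding]::UTF8.GetBytes('REPLACE_WITH_REAL_KEY_32_BYTES!!')
$sampleLine = 'result=' + [uri]::EscapeDataString((Protect-C2Blob -Key $Key -Text 'constructed command output'))
Unprotect-C2Blob -Key $Key -Base64 (ConvertFrom-C2Line $sampleLine)

# Against the capture: tshark ... -e http.file_data | grep "\S" |
#   ForEach-Object { Unprotect-C2Blob -Key $Key -Base64 (ConvertFrom-C2Line $_) }
```

If the deobfuscated script derives the key differently (for example by hashing the string) or uses a fixed IV rather than a prepended one, adjust New-C2Aes and the IV line to match before running it over the real capture.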