One of the more popular Cobalt Strike attacks involves building an Office VBA macro payload. Unsophisticated attackers are unlikely to modify the payload the framework generates, which gives a defender an easy way to recognize Cobalt Strike (CS) macros and to dump and analyze the embedded shellcode.
The following Python 3 tool helps an analyst (or an automated security pipeline) recover the embedded payload so its functionality can be examined. The generated macro stores the shellcode as a VBA Array() of signed byte values, so the script masks each value to its low 8 bits and prints the result as hex. Once extracted, you can paste the hex into a disassembler such as the online ODA to analyze the x86 shellcode. Keep in mind that the blob contains both code and data (the stager carries its configuration strings inline), which is why the script prints any decoded ASCII in a separate view rather than mixing it into the hex.
#!/usr/bin/env python3
# (@) - Extracts shellcode from Array() in VBA Macro attack
# Also prints possible ASCII values embedded in payload
#
import sys
import re

if len(sys.argv) != 2:
    print('Usage: python3 ' + sys.argv[0] + ' <generated_vba_file>')
    sys.exit(1)

content_file = sys.argv[1]
contents = ''
try:
    with open(content_file, 'r', errors='replace') as f:
        contents = f.read()
except Exception as e:
    print(str(e))
    print('Usage: python3 ' + sys.argv[0] + ' <generated_vba_file>')
    raise

# The generated macro stores the shellcode as a VBA Array() literal and
# follows it with the ProgramW6432 check that picks the 32-bit rundll32.
start_location = contents.find('myArray = Array(')
end_location = contents.find('If Len(Environ("ProgramW6432"')
if start_location == -1 or end_location == -1:
    print('Could not find the myArray = Array(...) block; is this a generated CS macro?')
    sys.exit(1)

what_we_want = contents[start_location:end_location - 1]
what_we_want = re.sub(r'^.*?\(', ' ', what_we_want)   # drop 'myArray = Array('
what_we_want = what_we_want.replace(' _', '')         # VBA line continuations
what_we_want = what_we_want.replace(")", "")
what_we_want = what_we_want.replace(',', ' ')

disasm_this = ''
text_this = ''
# split() with no argument also swallows the newlines between continued lines,
# so a bare "\n" token can never reach int()
for element in what_we_want.split():
    new_number = int(element)
    # VBA stores signed bytes (-128..127); mask to get the raw byte value
    asm_num = format(new_number & 0xff, "02X")
    disasm_this += asm_num + ' '
    # The payload is attacker-controlled: only printable ASCII is echoed, so
    # control bytes or escape sequences never reach the analyst's terminal.
    if 32 <= new_number < 127:
        text_this += chr(new_number)
    elif new_number >= 0:
        text_this += '.'   # non-printable control byte in the 0..127 range

print('x86 payload:')
print(disasm_this)
print('\n\n')
print('Possible ASCII data found:')
print(text_this)
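To complement the script above, here is an added example (written for this page, not the tool from the original post or anything shipped with Cobalt Strike) that generalizes the same extraction: it matches any `= Array(...)` literal rather than the fixed `myArray` / `ProgramW6432` anchors, produces an offset-prefixed hex dump, pulls printable-ASCII runs the way strings(1) does instead of echoing every decoded byte, and flags the well-known x86 stager prologue (cld; call; pushad; mov ebp, esp). The VBA sample embedded in it is constructed for the demonstration and is not a real beacon: the first fifteen values are the bytes the Metasploit-derived stager starts with, the rest are filler around an ASCII string. The function names (`extract_arrays`, `hexdump`, `ascii_strings`, `looks_like_x86_stager`) are my own.

```python
#!/usr/bin/env python3
"""Pull the byte array out of a Cobalt Strike-style VBA macro and triage it."""
import re
from typing import List

# Constructed sample (not a real beacon) in the shape Cobalt Strike's Office
# macro package emits: shellcode stored as a VBA Array() of signed bytes
# (-128..127), wrapped across lines with the VBA " _" continuation marker.
# The first 15 values are the Metasploit/Cobalt Strike x86 stager prologue;
# the rest are a few bytes and an embedded ASCII string.
SAMPLE_VBA = """Sub Auto_Open()
    Dim myArray As Variant
    myArray = Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48, _
    85,115,101,114,45,65,103,101,110,116,58,32,77,111,122,105,108,108,97,0, _
    -1,-43,47,97,98,99,0)
    If Len(Environ("ProgramW6432")) > 0 Then
        sProc = Environ("windir") & "\\SysWOW64\\rundll32.exe"
    End If
End Sub
"""

# Any `<name> = Array( ... )` literal. The body holds only numbers, commas,
# whitespace and continuation markers, so a non-greedy match up to ')' is safe.
ARRAY_RE = re.compile(r"=\s*Array\((.*?)\)", re.DOTALL)


def extract_arrays(vba: str) -> List[bytes]:
    """Return every Array() literal in the macro as raw bytes.

    VBA stores the values as signed bytes, so each is masked to its low 8 bits
    (-4 becomes 0xFC). A value outside -128..255 is not a byte and is rejected.
    """
    blobs = []
    for match in ARRAY_RE.finditer(vba):
        body = match.group(1).replace("_", " ").replace(",", " ")
        values = [int(tok) for tok in body.split()]   # split() eats newlines too
        for v in values:
            if not -128 <= v <= 255:
                raise ValueError(f"not a byte value: {v}")
        blobs.append(bytes(v & 0xFF for v in values))
    return blobs


def hexdump(blob: bytes, width: int = 16) -> str:
    """Offset-prefixed hex lines, ready to paste into a disassembler."""
    lines = []
    for off in range(0, len(blob), width):
        chunk = blob[off:off + width]
        lines.append(f"{off:04X}: " + " ".join(f"{b:02X}" for b in chunk))
    return "\n".join(lines)


def ascii_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII of at least min_len bytes, like strings(1).

    Only 0x20..0x7E is accepted, so control bytes (including terminal escape
    sequences an attacker could plant in the payload) are never echoed.
    """
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def looks_like_x86_stager(blob: bytes) -> bool:
    """Heuristic: the Metasploit-derived x86 stager opens with
    cld (FC); call rel32 (E8 xx xx xx xx); pushad (60); mov ebp, esp (89 E5)."""
    return blob[:2] == b"\xfc\xe8" and blob[6:9] == b"\x60\x89\xe5"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_VBA   # no file given: run against the constructed sample
    for i, blob in enumerate(extract_arrays(text)):
        print(f"[array {i}] {len(blob)} bytes, "
              f"x86 stager prologue: {looks_like_x86_stager(blob)}")
        print(hexdump(blob))
        print("strings:", ascii_strings(blob))
```

Run it with no argument to process the embedded sample, or pass a dumped macro file. Note in the strings output that printable opcode bytes sitting immediately before a real string (here `R0` from the `8B 52 30` of the prologue) are carried along, exactly as with strings(1); treat the first character or two of each hit with suspicion before using it as an indicator.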