Hello, Didier Stevens here, Senior Handler at the Internet Storm Center. In my diary entry "DOC and RTF malicious documents", I analyze a malicious Word document using my tools and we determine that it downloads an RTF file and then we also analyze that RTF file with my tools. Now in this video, I'm going to do the analysis of the DOC file with CyberChef.

So I have CyberChef here with recipe, input, output. Here I have the malicious Word document. Let's drop this here and we already see that it starts with PK. So this is probably a ZIP file, so an OOXML file. So that must be a DOCX or a DOCM, something like that. We can verify this with CyberChef doing detect type. Now what I did in the previous video was drag and drop like this. But a reader told me that I can also double click like this and then it appears here. So detect file type and we see indeed that this is a DOCX, XLSX, PPTX file.

So an OOXML file that we can analyze with CyberChef because there is unzip functionality. So unzip, double click, and you can here already see the files inside the ZIP container: word. So this is a DOCX or a DOCM file.

Next we are going to extract the URLs from all those embedded files. So extract URLs, double click, and here already you have the list of all the URLs found inside the files inside that DOCX or DOCM file. Most of these URLs are legitimate, it is normal that you have them, except that last one here with the IP address. So we already have extracted the URL that interests us.

Now here I'm going to apply some filtering so that we filter out the legitimate URLs. So I can type a regular expression here: HTTP colon slash slash schemas dot. So a dot matches anything, any character in a regular expression. So I'm going to escape this to match the dot character, openxmlformats dot org slash. And now I'm going to invert my selection to filter all the URLs that start with this out. So now I have other URLs, schemas.microsoft.com, that I can also filter out. So double click, HTTP like this, invert the condition. And now we have only two domains left, purl.org and w3.org. Double click, another filter, HTTP, invert, and the last one, invert. And now we have filtered out all the legitimate URLs that you can find in OOXML files. And what remains are potentially suspicious or malicious URLs.

And of course if you want to defang this, this is something too that you can do here with this step and then the URL is defanged. Now this recipe here, you can use this for any OOXML file that might contain URLs. It's not limited to this malicious one here, you can try any one out. It will not work with DOC files, therefore you have my other video for CyberChef for OOXML files. You can use this recipe.
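The same unzip, extract URLs, filter and defang steps, written as a Python script for triaging OOXML files in bulk. This is an added example, not part of the video or the speaker's tooling; the exact filter patterns, the 10 MB size cap, the simplified defang format and the sample document built inline are assumptions.

```python
import io
import re
import zipfile

# URL prefixes the video treats as normal in OOXML files. Each pattern is
# anchored and ends in "/" so that a look-alike host such as
# schemas.openxmlformats.org.example.net is NOT filtered out.
BENIGN = re.compile(
    r"^https?://(schemas\.openxmlformats\.org|schemas\.microsoft\.com"
    r"|purl\.org|(www\.)?w3\.org)/", re.IGNORECASE)
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
MAX_MEMBER = 10 * 1024 * 1024  # skip oversized members (assumed limit)

def suspicious_urls(ooxml_bytes):
    """Return sorted (member, url) pairs for URLs not matching BENIGN."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER:
                continue
            for raw in URL_RE.findall(zf.read(info.filename)):
                url = raw.decode("utf-8", "replace")
                if not BENIGN.match(url):
                    found.add((info.filename, url))
    return sorted(found)

def defang(url):
    """Simple defang so the URL is not clickable in reports."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def build_sample():
    """Constructed stand-in for a DOCX; 192.0.2.10 is a documentation address."""
    ns = "http://schemas.openxmlformats.org/"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml",
            f'<w:document xmlns:w="{ns}wordprocessingml/2006/main" '
            'xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml"/>')
        zf.writestr("docProps/core.xml",
            '<cp xmlns:dc="http://purl.org/dc/elements/1.1/" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>')
        zf.writestr("word/_rels/document.xml.rels",
            '<Relationship Target="http://192.0.2.10/sample.rtf" '
            'TargetMode="External"/>')
    return buf.getvalue()

if __name__ == "__main__":
    for member, url in suspicious_urls(build_sample()):
        print(member, defang(url))
```
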