About a week ago, I received another malicious document, and when I took a look at it, it was actually a .doc file. The extension was .doc, but when I took a look at it, I saw that it was actually an XML file: XML with UTF-8 encoding. If you look at the hex dump here, you can see the sequence EF BB BF. If you see that sequence at the beginning of a file, then it is an indication that the file is a text file with UTF-8 encoding. So you can recognize the XML.

Now, this time the XML file did not contain macros. If you look here at this attribute, w:macrosPresent, the value is "no", so it doesn't contain macros. But it contains something else this time; it's yet another trick. w:embeddedObjPresent: this one is "yes". So the value of this attribute is "yes", which indicates that this XML file contains an embedded object, an OLE object.

So let's scroll down and we will find the embedded file. Okay, here you can see it: binData, and the name of the file, oledata.mso. So this is the base64 encoding of that file. Let's select it and decode it. Like this, okay, I copy it, I start a new file and I do a paste from base64. Like this, and now you might already recognize this. This is actually the header of an OLE file. Let's look at the hex.
You can see D0 CF 11 E0, which kind of reads like "docfile". So this is the indication of an OLE file. Let me save this OLE file like this, and now I can have a look at it with oledump. I'm going to use my SendTo CLI tool, like this. SendTo CLI is just a GUI interface for command-line tools. So this is the file, and I'm running oledump like this. Okay, and it contains one stream. So let's select this stream, stream 1. Okay, and you can see 00 16 00 00 00 and then 78 9C and so on. Now 78 9C is often an indication of a compressed stream, a zlib-compressed stream, so let's try this out. Let's check if it is indeed a compressed stream.

So I do a hex dump like this, I copy it, and I take again my clipboard transformer. This is the hex dump, and I'm guessing that this is compressed data, so let me delete these leading bytes here, and now I can use my option here: inflate. Okay, and it worked, I got no error. So this is indeed a compressed stream, and as you can see here, it starts again with "docfile". So this doc file contains another doc file; this OLE file contains another OLE file.

So let's analyze this again. In my hex editor, I create a new file and I paste from hex text, like this. Here I have again my OLE file, and here you can already see some VBS code. So let's save this file and let's have a look with oledump. Okay, and here we have a stream with name Ole10Native. If you see that, you know that this stream contains an embedded object. So you can select this stream, that's stream 3, and here you have the hex/ASCII dump.

Now we know that this is an embedded object, so you can use option -i to get the information on the embedded object, the metadata. So this is the name of the object, the file that was embedded. It's a VBS file. This is the folder where it was located, this is the temporary folder where it was saved to execute, and this is the size. We can also view the embedded object itself by extracting it.
That's with option -e, like this. Okay, and as you can see here, it is VBS code. This here looks like base64, so let's try this. Let me copy it, a new file in my hex editor, and then paste from base64. Yep, and indeed it decodes as base64, and you can see that it launches a PowerShell command. So after launching a PowerShell shell, this script here downloads a file from this URL, saves it in a temporary folder with a .cab extension, then it expands the downloaded .cab file to an .exe file, and then it runs the .exe file.
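As an added example (not the speaker's code or tools), here is a small Python walk through the same chain of checks: the UTF-8 BOM and OLE magic, the base64 in w:binData, inflating from the first 78 9C header, and parsing the Ole10Native stream for the metadata oledump's -i option shows. It assumes a constructed, harmless sample in place of the real document and skips the OLE container parsing that oledump does, so the inflated data is fed straight into the Ole10Native parser.

```python
import base64, re, struct, zlib

UTF8_BOM = b"\xef\xbb\xbf"                       # EF BB BF: UTF-8 text, here Word XML
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # D0 CF 11 E0: OLE compound "docfile"

def classify(data):
    """Identify a blob from its leading bytes, as in the walkthrough."""
    for magic, kind in ((UTF8_BOM, "utf8-text"), (OLE_MAGIC, "ole"), (b"\x78\x9c", "zlib")):
        if data.startswith(magic):
            return kind
    return "unknown"

def extract_bindata(xml_text, name="oledata.mso"):
    """Decode the base64 inside <w:binData w:name="oledata.mso">...</w:binData>."""
    m = re.search(r'<w:binData[^>]*w:name="%s"[^>]*>(.*?)</w:binData>'
                  % re.escape(name), xml_text, re.S)
    return base64.b64decode(m.group(1)) if m else None

def inflate_stream(stream):
    """Skip the leading bytes and inflate from the first 78 9C zlib header."""
    start = stream.find(b"\x78\x9c")
    if start < 0:
        raise ValueError("no zlib header found")
    return zlib.decompress(stream[start:])

def parse_ole10native(stream):
    """Parse an Ole10Native stream: label, source path, temp path and payload."""
    def cstring(pos):
        end = stream.index(b"\x00", pos)
        return stream[pos:end].decode("latin-1"), end + 1
    label, pos = cstring(6)          # skip 4-byte total size + 2-byte flags
    source, pos = cstring(pos)
    pos += 4                         # unknown/flags dword
    tmp_len, = struct.unpack_from("<I", stream, pos)
    temp = stream[pos + 4:pos + 4 + tmp_len].rstrip(b"\x00").decode("latin-1")
    pos += 4 + tmp_len
    size, = struct.unpack_from("<I", stream, pos)
    return {"label": label, "source": source, "temp": temp,
            "size": size, "data": stream[pos + 4:pos + 4 + size]}

def demo():
    """Constructed chain: Word XML -> binData -> inflate -> Ole10Native (harmless sample)."""
    tmp = b"C:\\Users\\x\\AppData\\Local\\Temp\\test.vbs\x00"
    payload = b'MsgBox "hi"'
    body = (b"\x02\x00" + b"test.vbs\x00" + b"C:\\Users\\x\\test.vbs\x00" + b"\x00\x00\x03\x00"
            + struct.pack("<I", len(tmp)) + tmp + struct.pack("<I", len(payload)) + payload)
    native = struct.pack("<I", len(body)) + body
    packed = struct.pack("<I", len(native)) + zlib.compress(native)  # constructed prefix, then 78 9C
    xml = "\ufeff" + '<w:binData w:name="oledata.mso">%s</w:binData>' % base64.b64encode(packed).decode()
    return parse_ole10native(inflate_stream(extract_bindata(xml)))
```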