Hello, we received another malicious document at the Internet Storm Center, and here is a quick video of the analysis.

So we received a malicious document inside a zip file, and with oledump we can analyze this. OK, but we get an error: "Bad password for file". So oledump can handle documents inside zip files, and the zip files may be password protected, provided that the password is "infected". But here it's not the case: we get a "Bad password for file" error, so the password is something else than "infected".

Now with zipdump we can do a small dictionary attack using the password file option, and then we have to provide it a file name that contains the passwords we want to try out, so for example "dictionary". But you can use the internal dictionary of zipdump by giving file name "." (dot); then you will use the internal dictionary from zipdump, and then we can parse the file. OK, and indeed now we can analyze the file, and it tells us that it contains a document. So it found the password. The password itself is not displayed; if you want to know it, use another option, password file stop, and the "stop" means that zipdump will stop after it found the password. It will not analyze the file. OK, so here we see the password: 123123.

So now we can use zipdump to analyze this file, to extract the content of the file and dump it to standard out, and then we can pipe it into oledump like this. And indeed it is a document with macros. So the first stream with macros is stream 8. So we select stream 8 and we want to decompress the macros. OK, and here, yeah, already you see a long concatenation of variable names, here an array with smaller strings, and here other strings. So this is most likely another Emotet sample like the one we analyzed before in the SANS ISC diary entries.

So this one too we are going to try to analyze with the VBA emulator ViperMonkey. So I have ViperMonkey, vmonkey, that's the analyzer. I have to tell it the password, 123123, and then I'll provide it with the document, and now it will analyze the document and the code and try to emulate this. OK, but this failed here; we will get no output at all. Oh, I mean no output that will tell us what the malicious payload actually is. But there is a solution for that, and that is to use the same ViperMonkey command but with option -a, and that will use an alternate parser, because ViperMonkey is still in development. And this here will take a bit longer to analyze.

So the analysis is done, and let's scroll back a bit. OK, and here we see something that looks like base64. So we are going to try to dump this, to analyze that base64 text with base64dump. So I'm going to pipe this into my tool base64dump and look for a larger base64 string, so at least 100 bytes. Now if we run the command like that, it will not work, because ViperMonkey is actually outputting the base64 string and those other commands to standard error, and so this goes to the output stream standard error and not standard out, and when we use a pipe, it's standard out of this pipe then, not standard error. So what we are going to do is to merge the streams standard error and standard out together, and you can do that like this: 2 for standard error, and we are going to merge this with standard out like this. So this will merge the two streams together, and it will be standard out, and that will be piped as standard in into base64dump like this. This will take some time.

OK, and indeed, yeah, we have base64 that starts with PowerShell. So this is indeed a payload. So let's select this one and dump it. Because it's text, we can just dump it, and this will take some time. And here now we have the payload. So it's a PowerShell command, and as you can see it will download here from this URL, write it to disk as an exe, and then execute it.
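Added example, not code from the video or from the tools it uses: a small Python script that mimics the last two steps, merging a tool's stderr into stdout the way 2>&1 does, then scanning the merged output for base64 runs of at least 100 characters that decode to text and pulling the download URL out of the decoded command. The tool output, the placeholder downloader command, the URL and the file path are all constructed.

```python
import base64
import binascii
import re
import string
import subprocess

URL_RE = re.compile(r"https?://[^\s'\"]+")

def run_merged(cmd):
    """Run a tool with stderr merged into stdout, like 2>&1 (ViperMonkey logs to stderr)."""
    return subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT).stdout

def decode_text(raw):
    """Return the bytes as text if they are printable text, else None.
    UTF-16LE is tried first, since PowerShell encoded commands use it."""
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and all(c in string.printable for c in text):
            return text
    return None

def find_payloads(output, min_len=100):
    """base64dump-style pass: base64 runs of at least min_len characters
    that decode to text (the 'at least 100 bytes' filter from the video)."""
    hits = []
    for m in re.finditer(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, output):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        text = decode_text(raw)
        if text is not None:
            hits.append(text)
    return hits

def extract_urls(text):
    """Pull the download URL(s) out of a decoded command."""
    return URL_RE.findall(text)

# Constructed stand-in for the emulated macro's output: placeholder downloader, invented URL/path.
CONSTRUCTED_CMD = ('powershell -nop -w hidden -c "PLACEHOLDER-DOWNLOADER '
                   r'http://example.invalid/stage2.bin C:\Users\Public\stage2.exe"')
# Constructed tool output: a short decoy, a long base64 blob that is not text, and the command (UTF-16LE).
SAMPLE_OUTPUT = (b"INFO short decoy dGVzdA==\n"
                 b"INFO blob " + base64.b64encode(bytes(range(256))) + b"\n"
                 b"INFO found " + base64.b64encode(CONSTRUCTED_CMD.encode("utf-16-le")) + b"\n")
```

Running find_payloads over the real merged ViperMonkey output (run_merged(["vmonkey", ...])) gives the same kind of result as piping into base64dump with a minimum length.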