I made a small program to help you extract base64 strings from streams and analyze them. It's called base64dump. So I'm going to show you how to use it when analyzing a malicious document with oledump that contains the payload encoded as base64.

Okay, so here we have the malicious document with all the streams. Here you can see macros. So let's take a look at the macros. I will select all streams and dump the VBA code. Okay, so in here we see a base64 decode function, and here is another script and another decode base64 function. And then here we can see WScript.Shell. So now it becomes interesting. You can see that a file is created called windows.exe, and that TextBox1 from the user form is base64 decoded and then is assigned to variable xe, which is then written to that file, and after that it is executed. So what happens here is that the base64 string that is in the TextBox2 here is extracted, written to disk and executed.

Well, let's take a look. Okay, so here we see UserForm2, a couple of streams, UserForm2, and here A6. This is a large stream. So let us take a look. I select stream A6 here, and what you see here is probably base64 encoded. So what you would have to do now is extract this, decode this as base64 and then analyze this, and that is why I made that small tool, base64dump, to help you with that.

So what you do now: we select stream A6, we dump it and we pass this on to base64dump. Okay, and that's it. So base64dump found three base64 strings inside that stream. Here are the sizes: 400,728 bytes, 36 bytes and 4 bytes, and here you have the beginning of that base64 text. So this looks like base64 encoded, this looks like base64 encoded, and here, Excel, although it is valid base64 encoding, this is probably not real base64 encoding.

Next column: here you have the decoded base64 string. So you can see here this one starts with MZ. So this is most likely a PE file, an executable. This one here is Scripting.FileSystem, and this one here doesn't tell anything. And here you have the MD5 hashes of the decoded content of the base64, so you can use that to look it up, for example in VirusTotal.

So let me first select that second stream. Okay, yeah, and you can see here it contains a string, Scripting.FileSystemObject. And then the first stream, if we pipe that. So okay, you see MZ here, then "This program cannot be run in DOS mode", and here you find PE, so it is definitely a PE file.
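The triage walked through above (find base64 runs in a dumped stream, decode each, list size, beginning, MD5, and check for MZ and PE) can be sketched as follows. This is an added example, not part of the transcript and not base64dump's own code; the function names and the sample stream (a fake PE stub, a short string and a plain 4-letter word) are constructed for illustration.

```python
import base64, hashlib, re

B64_RUN = re.compile(rb"[A-Za-z0-9+/]+={0,2}")  # candidate runs of base64 characters

def looks_like_pe(data):
    """MZ magic, and the e_lfanew field at 0x3C pointing at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\0\0"

def find_base64(stream, min_len=4):
    """Return one record per decodable base64 run found in a raw stream."""
    found = []
    for m in B64_RUN.finditer(stream):
        enc = m.group()
        if len(enc) < min_len or len(enc) % 4:
            continue  # not a whole number of 4-character groups
        try:
            dec = base64.b64decode(enc, validate=True)
        except ValueError:
            continue
        found.append({"encoded_len": len(enc), "encoded_head": enc[:16],
                      "decoded": dec, "md5": hashlib.md5(dec).hexdigest(),
                      "is_pe": looks_like_pe(dec)})
    return found

def build_sample_stream():
    """Constructed input: a fake PE stub, a short string and a plain word."""
    stub = bytearray(0x84)
    stub[:2] = b"MZ"
    stub[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew -> offset 0x80
    msg = b"This program cannot be run in DOS mode."
    stub[0x4E:0x4E + len(msg)] = msg
    stub[0x80:0x84] = b"PE\0\0"
    return (b"\x00\x01" + base64.b64encode(bytes(stub)) + b"\x00\x00"
            + base64.b64encode(b"Scripting.FileSystemObject") + b"\x00Form\x00")

if __name__ == "__main__":
    # One row per hit: index, encoded size, encoded head, decoded head, MD5, PE flag
    for i, r in enumerate(find_base64(build_sample_stream()), 1):
        print(i, r["encoded_len"], r["encoded_head"], r["decoded"][:16],
              r["md5"], "PE" if r["is_pe"] else "")
```

The third hit shows the same effect as in the walkthrough: an ordinary 4-letter word is valid base64, so short hits need a look at the decoded bytes before they are treated as real encoded content.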