Hello. Reader Jeff submitted a malicious document to the Internet Storm Center, and I will analyze it here in this video. We will use oledump to analyze this document. Indeed, it is an OLE file that contains macros: here we have these two streams, 8 and 9, with the M indicator.

We'll take a look at stream 8 first. So I select stream 8 and I decompress the macros, and let's pipe this through less. Okay. This looks like obfuscated code: these are strings that don't actually look like something meaningful, and they are also repeated. So this is probably all obfuscated code to make analysis harder. Here we see an AutoOpen, so there is definitely something that will execute automatically when the document is opened. Yeah, more of those strings.

So this looks, for a large part, to be obfuscated code, and what I like to do sometimes in those cases is to filter out all the lines and only show the lines that contain a dot character. I can do that with grep, looking for a dot, and I'm using the uppercase F option; otherwise the dot will be interpreted as a regular expression, but I don't want to search with a regular expression, I just want to search for a dot. Like this. Okay, and now you see here I have a few lines.
The dot is an operator that is used for methods of objects, and otherwise it is not used a lot in VBA code. So it's a trick to quickly filter out meaningful code from obfuscated code. So here are a couple of interesting things: we see here a CreateObject with a Run, so something will be executed, and here also, in the ActiveDocument, in the BuiltInDocumentProperties, we access the Comments. Okay, so something is stored inside the comments, and this is probably the code to be executed, because if you look here at the variable name, this variable name appears to reappear here with CreateObject Run. So it looks like this contains code that will be executed.

So let's take a look. The comments are in the metadata, and you can dump out the metadata with the option uppercase M from oledump. Here we have the metadata, and here is something that certainly looks like base64. So we have Comments here and then the long string that looks to be base64. We can analyze this with base64dump. So let me, yeah, dump the metadata and then pass it into base64dump. Now, because base64dump will react to a lot of strings, to the small strings inside the metadata, and we only want to look at that large string, I'm going to say that the minimum length of the encoded string is 10 bytes, like this, and then I only have one output instead of a lot of false positives.

This looks indeed to be some kind of script, in Unicode probably. So let's select this one, select 1. So indeed we have 2454 bytes, and 1227 of those bytes are null bytes, so exactly half of it. So this is definitely Unicode. We can do an ASCII dump, and yeah, this looks to be a PowerShell script in Unicode, so we can dump this as a string. base64dump can dump strings with the uppercase S option, like this. And this indeed looks like a PowerShell script with some obfuscation: here the backquote in the variable name. So the backquote will have no effect.
It will just be ignored, and then you can see here parts of strings, here too, and we can recognize parts of URLs: ttp, agronus.com, artist visa.com. So what's happening here? Here you have the -f operator, and the -f operator is the format operator in PowerShell. It allows you to format strings like this with values that you give it. So here we want first the second string. So the second string here, that's HTTP: we start from zero, that's zero, that's one, that's two. So HTTP, that's the second string. Then the 31st string, so I have to count here, 31, find the 31st string, and then I can concatenate that string.

Now that's a bit tedious to do, but since this is just a simple string expression, we can actually have it evaluated in PowerShell without any risk. It will not execute. So let me do this here. First of all, I will cut out that expression, so let's say with 200, starting from character 200. Okay, so I still have to move down a bit further, and I did this before, so I have to select from character 310 to character 1771, like this. And then here I have the actual format expression: I have here the string with the positional arguments, the format operator, and here the different strings.

This I can execute in PowerShell, and here on my Mac I also have PowerShell installed, because now you have PowerShell for Linux, and it will run on different variants of Linux and also on the Mac, on OS X. I pipe that expression into PowerShell, I give it -File with a dash as the filename to indicate that the input comes from standard input, and then PowerShell will evaluate it, like this. And here I have my different URLs from which the malicious document, via the PowerShell script, will download an executable and execute it.
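As an added example (not code from the video, and not part of oledump or base64dump), the Python script below reproduces the static part of this analysis on a constructed sample: it base64-decodes a Comments value, uses the null-byte ratio to recognise UTF-16LE, drops the backtick obfuscation, and folds the `-f` format expressions by index without handing anything to PowerShell at all. The sample script, its URLs and the function names are all made up for the example; the fold only handles plain `{n}` placeholders with single-quoted literals and leaves anything else untouched for manual review.

```python
import base64
import re

# Constructed sample (not the script from the video): a short PowerShell
# snippet with a backtick-obfuscated variable name and two -f format
# expressions, stored as UTF-16LE and base64-encoded the way the document's
# Comments property carried the real one. The URLs are placeholders.
SAMPLE_SCRIPT = (
    "$u`rl = ('{1}{0}{2}' -f '://', 'http', 'one.example.invalid/a.exe'), "
    "('{0}{2}{1}' -f 'http', 'two.example.invalid/b.exe', '://'); "
    "$wc = New-Object Net.WebClient"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")


def null_byte_stats(raw: bytes) -> tuple:
    """Return (total bytes, null bytes); about half nulls, all on odd offsets, means UTF-16LE."""
    return len(raw), raw.count(0)


def decode_comment(b64: str) -> str:
    """Base64-decode the Comments value and pick the text encoding from the null-byte ratio."""
    raw = base64.b64decode(b64)
    total, nulls = null_byte_stats(raw)
    if total and nulls / total > 0.4 and raw[1::2].count(0) > raw[0::2].count(0):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def strip_backticks(script: str) -> str:
    """Drop backticks outside single-quoted strings: before an ordinary letter the
    backtick escape is a no-op, which is why it is used to break up identifiers.
    (Simplification: real escape sequences such as `n are not translated.)"""
    parts = script.split("'")  # even indexes are outside quotes, odd indexes inside
    return "'".join(p.replace("`", "") if i % 2 == 0 else p for i, p in enumerate(parts))


# '<format string with {n} placeholders>' -f 'arg0', 'arg1', ...
FORMAT_RE = re.compile(
    r"""["']([^"']*\{\d+\}[^"']*)["']\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')""",
    re.IGNORECASE,
)


def resolve_format_expressions(script: str) -> str:
    """Statically fold '{1}{0}' -f 'b', 'a' into 'ab' instead of evaluating it in PowerShell."""
    def _fold(m):
        fmt = m.group(1)
        args = re.findall(r"'([^']*)'", m.group(2))
        indices = [int(i) for i in re.findall(r"\{(\d+)\}", fmt)]
        if not indices or max(indices) >= len(args):
            return m.group(0)  # malformed or truncated: leave it for the analyst
        return "'" + re.sub(r"\{(\d+)\}", lambda p: args[int(p.group(1))], fmt) + "'"
    return FORMAT_RE.sub(_fold, script)


URL_RE = re.compile(r"https?://[^\s'\"();,]+", re.IGNORECASE)


def analyze(b64: str) -> list:
    """Full chain: decode, deobfuscate, fold format expressions, list the URLs that emerge."""
    script = resolve_format_expressions(strip_backticks(decode_comment(b64)))
    return URL_RE.findall(script)


if __name__ == "__main__":
    total, nulls = null_byte_stats(base64.b64decode(SAMPLE_B64))
    print(f"{total} bytes, {nulls} null bytes")
    print(resolve_format_expressions(strip_backticks(decode_comment(SAMPLE_B64))))
    print(analyze(SAMPLE_B64))
```

Running the script prints the byte and null-byte counts (the same check the video does by hand), the folded PowerShell with the URLs in clear, and the URL list. Folding the expression in Python rather than piping it into PowerShell avoids any dependence on what else the cut-out fragment might contain.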