Hello, Didier Stevens here, senior handler at the Internet Storm Center. In this video, I'm going to perform an analysis of a malicious document with CyberChef, just looking for strings, so it's a strings analysis.

Xavier Mertens wrote a diary entry about an interesting maldoc he found. It's a spreadsheet that combines VBA code that generates Excel 4 macros to then download Qakbot. Now his sample is not on VirusTotal, but I did some searching on VirusTotal and I found a similar sample that we are going to analyze here now. So the sample is on VirusTotal, and if you want to follow along, you can also find it on MalwareBazaar.

So strings analysis consists of extracting plain text strings from binary data and then just looking at the strings and trying to figure out what the malware is doing. And here, this is a sophisticated malicious document. It combines techniques where VBA generates Excel 4 macros, but despite that, the URLs that are used are still in plain text somewhere in the maldoc file and we can extract them.

You have many tools to extract strings. Here I'm going to use CyberChef. So the first thing I do in CyberChef is to set the maldoc as input. Next I'm going to search for the Strings operation and I add this to the recipe, and then here you have all the plain text strings in the maldoc. And if you search through this, you will find URLs somewhere.

Now I just don't want to search through all the strings. So what I'm going to do is look for URLs, and you can do that with a regular expression. So I search for the Regular expression operation. I add this to the recipe. I'm using a built-in regex for URLs. And for my output, I only want to see the matches and nothing else. And here you have the URLs.

Now a remark: if we go back to Xavier's diary entry, he uncovered URLs like this. That is because the Excel 4 code contains logic to add a timestamp and add .dat at the end of the part here of the URL. But despite the fact that we don't have the complete URL that the document would generate, here we have the target, the IPv4 addresses. And these are good IOCs that we can use.
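
The same two steps outside CyberChef (extract plain text strings, then keep only URL matches and the IPv4 hosts in them), as an added Python example that is not part of the video. The sample bytes are constructed, the addresses are from documentation ranges, and the URL pattern is a simplified assumption, not CyberChef's built-in regex.

```python
import re
from urllib.parse import urlsplit

# Printable ASCII runs, stored single-byte or as UTF-16LE (char followed by 0x00).
ASCII_RUN = rb"[\x20-\x7e]{%d,}"
UTF16_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"
# Simplified URL pattern (assumption; not CyberChef's built-in URL regex).
URL_RE = re.compile(r'https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s"<>]*)?')
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_RE = re.compile(r"^(?:%s\.){3}%s$" % (OCTET, OCTET))

def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable strings of at least min_len characters."""
    out = [m.group().decode("ascii")
           for m in re.finditer(ASCII_RUN % min_len, data)]
    out += [m.group().decode("utf-16-le")
            for m in re.finditer(UTF16_RUN % min_len, data)]
    return out

def find_urls(strings: list[str]) -> list[str]:
    """List matches only, de-duplicated, in order of first appearance."""
    seen = {}
    for s in strings:
        for m in URL_RE.finditer(s):
            seen.setdefault(m.group(), None)
    return list(seen)

def ipv4_hosts(urls: list[str]) -> list[str]:
    """Keep hosts that are literal IPv4 addresses: usable as IOCs even
    when the document appends the rest of the path at run time."""
    hosts = []
    for u in urls:
        host = urlsplit(u).hostname or ""
        if IPV4_RE.match(host) and host not in hosts:
            hosts.append(host)
    return hosts

# Constructed sample: binary noise around URL prefixes, one stored as UTF-16LE.
SAMPLE = (
    b"\xd0\xcf\x11\xe0\x00\x01\x02Sheet1\x00\x03\xff"
    b"http://192.0.2.10/\x00\x9c\x01URLDownloadToFileA\x00\x07"
    + "http://198.51.100.23/".encode("utf-16-le")
    + b"\x00\x00\xfe\x10http://192.0.2.10/\x00"
)

if __name__ == "__main__":
    urls = find_urls(extract_strings(SAMPLE))
    print("\n".join(urls))
    print("\n".join(ipv4_hosts(urls)))
```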