I want to show you a couple of tools that help me with malware analysis. So here I have a malicious Word document inside that ZIP file. It is protected by a password, the password "infected", as is usual for malware. Here you have the doc file. And a tool that I developed to analyze malicious Word documents and Excel. It's called oledump because the file format here of those DOC and XLS files is the OLE file format. So as you can see, oledump can extract the malicious document from the ZIP file and then analyze this malicious Word document. And as you can see here, there's a macro in here. So we can have a look at this macro. We select stream 7 and we are going to decompress the macro because the macro text is compressed. And here you have the macro. And as you can see, it is obfuscated.

So what I did, I developed a plugin that will help us to deobfuscate this macro. It's called VBA Summary. Sorry, I forgot to provide the file. Here you go. Okay. So again, it finds the streams, and then when it finds a macro, it will select all the lines that contain the word Function, the word Sub or a string, so a quote character. And this is actually the same macro code, but it's already more of a summary. It's easier to see because a lot of the obfuscation is now gone. You can see here that you have an XorI function, a HexToString function, AutoOpen, Auto_Open, Workbook_Open, and then here a function with a name that cannot be pronounced. And you can see Open here with a call to XorString and things like that. So if you take a bit more time to analyze this, you will realize that the URL here is actually in this variable, because we have this function here that is called with this variable and then environment and so on. This is actually the URL here, this hex string, which is encoded with this hex key.
So you can, for example, decode this with the script that I wrote for the 010 Editor by copying this hex string, pasting it in 010 Editor and then decoding it with this key. So we are going to do that. And here in the command line, it's a bit difficult to copy. If we do, for example, this, you can see it does a block copy, so that's not very useful.

Now I also have a special program, a tool, it's called SendtoCLI. It's a GUI application that helps you launch command-line applications. So it works like this: you right-click here on the file name, you do a Send to and you send to CLI. And then this program here comes up that I developed. So here you have the file name on which we are going to work. This is the directory in which we are going to work, the working directory. And then you can select the command that you want to execute here from the pull-down list. So let's do this here, this command, this is our command: run oledump with the plugin VBA Summary. And when you run it here, you saw Python briefly appearing. And then here now you have the output in this GUI application, which is much easier to copy.

So let's do this. As you can remember, this is the name of the variable that contains the URL. So let me select this, this hex text. And here in 010 Editor, I'm going to paste this from hex text. Okay, so these bytes here are the encoded URL. This is the key. So let me copy the key like this. And then I will run my script XORSelection that allows you to XOR. So I provide the key. Since it's a hex key, I start with 0x like this. Okay, and now here you can clearly see the decoded URL.

Now you may remember that I also have a plugin with the HTTP heuristics. This plugin was not able to decode the string, but I also updated it so that now it also takes into account that strings can be XOR encoded. And if you run this plugin now, here you immediately have the result.
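
The decoding step shown above (hex text XORed with a hex key), together with a simple search that tries each quoted hex literal in a macro as the key for the others, as an added Python example. It is not the speaker's 010 Editor script or plugin code, and the macro text, its identifiers, the key and the URL are constructed sample data.

```python
import re
from itertools import cycle

# Quoted, even-length hex text of at least two bytes, as it would appear in VBA source.
HEX_LITERAL = re.compile(r'"((?:[0-9A-Fa-f]{2}){2,})"')


def xor_decode(hex_text: str, hex_key: str) -> bytes:
    """Hex-decode data and key (key may start with 0x), then XOR with the repeating key."""
    key = hex_key[2:] if hex_key.lower().startswith("0x") else hex_key
    data, key_bytes = bytes.fromhex(hex_text), bytes.fromhex(key)
    if not key_bytes:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key_bytes)))


def find_xor_urls(macro_source: str) -> list[tuple[str, str, str]]:
    """Try every hex literal as the key for every other one; keep printable http(s) results."""
    literals = list(dict.fromkeys(HEX_LITERAL.findall(macro_source)))  # dedupe, keep order
    hits = []
    for data in literals:
        for key in literals:
            if key == data:
                continue
            plain = xor_decode(data, key)
            printable = all(32 <= b < 127 for b in plain)
            if printable and plain.lower().startswith((b"http://", b"https://")):
                hits.append((data, key, plain.decode("ascii")))
    return hits


# Constructed sample: URL, key, variable and function names are made up for illustration.
SAMPLE_URL = "http://example.invalid/update.bin"
SAMPLE_KEY = "5A17C3"
SAMPLE_HEX = bytes(
    b ^ k for b, k in zip(SAMPLE_URL.encode(), cycle(bytes.fromhex(SAMPLE_KEY)))
).hex().upper()
SAMPLE_MACRO = f'''Sub AutoOpen()
    qzxv = "{SAMPLE_HEX}"
    Call wprt(XorString(HexToString(qzxv), HexToString("{SAMPLE_KEY}")))
End Sub
'''

if __name__ == "__main__":
    for data, key, url in find_xor_urls(SAMPLE_MACRO):
        print(f"key 0x{key}: {url}")
```

Pairing literals against each other only finds keys that are stored in the macro as hex text; a key built at run time still needs manual analysis.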