Hello, I'm Didier Stevens, Senior Handler at the Internet Storm Center. I wrote a diary about a malicious Office document with XOR encoding, and I used CyberChef to do the decoding, and that's what I'm going to show you here in this video.

So I have the malicious document here and, as you can see, it contains macros. So let me select all those macros and decompress them, and here you see something like this. So this looks like base64, with a function to do the decoding of the base64, and then you have this here with a function. So this looks like XOR decoding and encoding, where this is the encoded text and this is the key. We can grep for XOR, and indeed here there is a line where you can see XOR going on, so it's probable that this is indeed XOR encoding. So let's grep for this function name, like this, and here we have different encoded texts that we will try to decode.

So now I'm going to use CyberChef to do this. So if you google for CyberChef you will end up here, finding CyberChef, the Cyber Swiss Army Knife, and when you visit this website here you can build up a recipe of different operations, and then you provide your input and you see the output. So what I'm going to do here is do the decoding, try to do the decoding, to see if this is indeed XOR.

So my first idea was that this here is base64, so I'm selecting this string, I copy it, and here I take an operation to do the base64 decoding. So I drag this into the recipe, and this will do base64 decoding, and I can paste the code here, and then you get this here. So this is probably binary data that is XOR encoded, so let's try now to do the XOR. And here in encryption, sorry, in Encryption / Encoding here, you will find XOR, so let's drag this into the recipe, so this will be the next step.
So we are going to decode this here with XOR. So what I'm going to provide it is a string, so let's take UTF-8, and this is what I suspect to be the XOR key. Let me copy this, and then I paste this here into the key, and then indeed you see that it is the XOR encoding with a key here, because we get now a URL that is decoded here. And now of course we can just take something else, like this here. Let's take that encoded string, replace that here, like this, yeah, and now we get the file name. So this is very likely a dropper that downloads from that URL, then writes to this disk file and executes it. And let's see what this is, yeah, and this is an XMLHTTP object that is used to do the decoding.

So this shows you how you can use CyberChef with the GUI tool, and because this is not command line, this is with a GUI interface, to help you analyze and decode encoded obfuscated strings that you might find
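
The recipe built in the video (base64 decoding followed by XOR with a UTF-8 key), as an added Python example that is not part of the original video or diary. The key, the encoded strings and all function names are constructed for illustration, and the printable-ratio check is an added way to confirm a key guess across several strings at once.

```python
import base64
from itertools import cycle

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the same operation encodes and decodes)."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def decode_macro_string(b64_text: str, key: str) -> bytes:
    """Mirror the recipe: base64-decode, then XOR with the key taken as UTF-8."""
    raw = base64.b64decode(b64_text, validate=True)
    return xor_bytes(raw, key.encode("utf-8"))

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in the printable ASCII range 0x20-0x7e."""
    if not data:
        return 0.0
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)

def try_key(encoded_strings, key, threshold=0.95):
    """Decode every string with one candidate key.

    Maps each encoded string to its decoded text, or to None when the output
    is largely non-printable, meaning the key guess (or the base64-then-XOR
    assumption) does not hold for that string.
    """
    results = {}
    for enc in encoded_strings:
        plain = decode_macro_string(enc, key)
        ok = printable_ratio(plain) >= threshold
        results[enc] = plain.decode("ascii", errors="replace") if ok else None
    return results

# Constructed sample data (not taken from the analysed document).
SAMPLE_KEY = "SampleKey"
SAMPLE_PLAINTEXTS = ["http://example.invalid/payload.bin", "dropped.tmp",
                     "MSXML2.XMLHTTP"]
SAMPLE_ENCODED = [
    base64.b64encode(xor_bytes(p.encode(), SAMPLE_KEY.encode())).decode()
    for p in SAMPLE_PLAINTEXTS
]

if __name__ == "__main__":
    for enc, dec in try_key(SAMPLE_ENCODED, SAMPLE_KEY).items():
        print(f"{enc} -> {dec}")
```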