I received a malicious sample with shellcode and I'm going to show you how to analyze this. Now, to simplify things, I made my own demo. So let's take a look at the file. Stream 7 contains the macros, and this is the macro. So this is the VBA code, and you can see here an array. This is how the shellcode was defined in the sample: as an array spread over continuation lines, with a lot of numbers.

So how can we analyze this? It's something that I've shown before. We can use my tool numbers-to-hex.py. This tool will extract numbers from the standard input and convert them to hex code, like this. Now this time the shellcode is a bit different. We don't have values from 0 to 255, which is what numbers-to-hex.py expects, but we also have negative numbers. So the bytes here are signed bytes, not unsigned bytes. And that's why I added the option -s for signed bytes. And then we can convert the negative numbers and the positive numbers to hex code. This is the hex code.

Now you can see here the shellcode, but also 01 and 00. These are not part of the shellcode; they are other numbers found inside the file. Let's go back here, like this. So here I have a variable that I assigned a value of 0, the number 0. And that is a number that is also extracted by numbers-to-hex.py. And then here you have a digit 1, and this number is also extracted. So we don't want these two numbers, we only want the shellcode. And I have an option for that, like this. That's the option -n: it allows you to specify the minimum count of numbers per line you want to find. So here we want at least two numbers, like this. And by doing this we only have the shellcode, not the two numbers.

So now I can, for example, convert this to binary with my tool hex-to-bin.py, which I've shown before. And then here you can see a URL and urlmon.dll. I can, for example, also copy this to the clipboard and then paste it in a hex editor and analyze it. Or I can also save this to disk, like this.
And then use the shellcode debugger. It's actually an emulator, to emulate the shellcode and see what it does. And here you can see that the shellcode loads the library urlmon, allocates memory, gets the temporary path, allocates another block of memory, and gets a temporary file name. And then here it downloads to a file, this file, and then executes this file.
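
The extraction steps described above, as an added Python example that is not part of the original video and is not the code of numbers-to-hex.py or hex-to-bin.py. The function names, the regular expression and the sample macro are assumptions made for illustration; the sample holds inert placeholder bytes and one ASCII string, not shellcode.

```python
import re

# Standalone integers only; digits inside identifiers (e.g. "stream7") are ignored.
NUMBER = re.compile(r"(?<![\w.])-?\d+(?![\w.])")

# Constructed sample: an array on continuation lines, plus a stray 0 and 1
# elsewhere in the macro, mirroring the situation described in the text.
SAMPLE_VBA = """Dim pos As Long
pos = 0
buf = Array(-1, -128, 127, 0, 117, 114, 108, 109, 111, 110, _
46, 100, 108, 108, 0)
ret = Run(buf, 1)
"""

def numbers_to_bytes(text, min_per_line=1, signed=False):
    """Collect byte values line by line, skipping lines with too few numbers."""
    out = bytearray()
    low = -128 if signed else 0
    for lineno, line in enumerate(text.splitlines(), 1):
        values = [int(m) for m in NUMBER.findall(line)]
        if len(values) < min_per_line:
            continue  # e.g. "pos = 0" when at least two numbers are required
        for v in values:
            if not low <= v <= 255:
                raise ValueError(f"line {lineno}: {v} is not a byte value")
            out.append(v & 0xFF)  # two's complement: -1 -> 0xff, -128 -> 0x80
    return bytes(out)

def ascii_strings(data, min_len=4):
    """Printable ASCII runs, the quick look that reveals a URL or DLL name."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, data)]

if __name__ == "__main__":
    noisy = numbers_to_bytes(SAMPLE_VBA, min_per_line=1, signed=True)
    clean = numbers_to_bytes(SAMPLE_VBA, min_per_line=2, signed=True)
    print("all numbers :", noisy.hex())
    print("min 2/line  :", clean.hex())
    print("strings     :", ascii_strings(clean))
```
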