Hello! Over at the Diary of the Internet Storm Center, my latest diary entry is about a malicious document that contains an embedded VBS script, and this VBS script is a downloader, so it will just download an executable, write it to disk and execute it. But the particular thing about this VBS script is that it will sleep for 5 minutes, and not only will it sleep during those 5 minutes, but every minute it will also check the time online to make sure that it is not in a sandbox that does time acceleration. So let's do the analysis of this document here.

So with oledump, the document is a DOCX document and, as you can see, it contains 4 OLE files with an OLE 1.0 native stream in each. You can see this here with the name, but also with the indicator O; that's something new that I added to this version of oledump. And what you will also remark is that the size of all those streams is actually the same. So maybe they are the same stream and have the same content. And that is something that we can check with option -c, calculate. This will calculate the MD5 hash of the content of each stream. And as you can see here, in the different OLE files the hashes are the same. So those are actually the same embedded files, and we just need to look at the first one.

So let's select A2 and get the information for this OLE 1.0 embedded stream. And here you have the names of the embedded stream. You can see here "document number dot dot x", then a lot of spaces and a dot, then ".vbs". So it's actually a .vbs file, 1,442 bytes, and it starts with "djjk sub d1q". So we can dump this. Let's dump this to the screen. And here you have the VBS script. And this here is actually an encoded string, so hexadecimal, and here is the key to decode it. It's actually XOR encoded. So we can use our plugin. Let's pipe this again to oledump, and we are going to use the HTTP heuristics plugin.

But first we are going to tell oledump that we are providing it with the source code of VBA: so raw data, option -r, and then option -p with the name of the plugin, like this. And here you can see that it is able to extract the three URLs. These are the two URLs with the payload, and this here is the URL that is used to check the time.
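As an added illustration of the decoding step the plugin performs (this is example code written for this page, not oledump's or the plugin's own code), the following Python decodes a hex string that was XORed with a repeating key and pulls the URLs out of the result. The key, the plaintext and the hosts are constructed placeholders, not values from the analysed document.

```python
import re

# Matches http(s) URLs in a decoded blob; the character class stops at
# separators such as "|", which is how the constructed sample is delimited.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (XOR is symmetric: encodes and decodes)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_hex_xor(hex_text: str, key: str) -> bytes:
    """Turn the hexadecimal text into bytes, then XOR with the script's key."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", hex_text)  # tolerate spaces/newlines
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits")
    return xor_bytes(bytes.fromhex(cleaned), key.encode())


def extract_urls(blob: bytes) -> list[str]:
    """Return the URLs found in the decoded blob, in order, without duplicates."""
    seen, out = set(), []
    for match in URL_RE.findall(blob):
        url = match.decode()
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def analyze(hex_text: str, key: str) -> list[str]:
    """Decode the obfuscated string and list the URLs it hides."""
    return extract_urls(decode_hex_xor(hex_text, key))


# Constructed sample (not from the real document): two payload URLs and one
# time-check URL on placeholder hosts, XORed with a made-up key and hex-encoded
# the way the string appears inside the VBS script.
SAMPLE_KEY = "s3cr3t"
SAMPLE_PLAIN = (b"http://payload.example/a.exe|http://payload.example/b.exe|"
                b"http://time.example/now")
SAMPLE_HEX = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY.encode()).hex()

if __name__ == "__main__":
    for url in analyze(SAMPLE_HEX, SAMPLE_KEY):
        print(url)
```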