For quite some time my oledump tool has been supporting YARA, so with YARA here you can specify YARA rules, you can also have decoders and you can print the YARA strings. And that is not something special for my oledump tool. Several of my other dump tools also support YARA rules. And I made some small changes, so let's take a look.

I have here a simple YARA rule that will just look for the string atrip. And then I run this with oledump on that sample and get this as output. So all the streams here, all the individual streams, are scanned by the YARA engine. And it found two hits here in the macro streams, and for your information, it is not the decompressed macro streams, it is the raw compressed macro streams that are passed to the YARA engine. So inside those two streams the test rule is triggered, so the atrip keyword was found.

Now what is new is this here. What I do now also is I will decompress all VBA source code, so in this case from those two streams I will decompress all VBA source code, concatenated together, and then also run YARA rules on those source code lines that have all been concatenated together. Now this means that you have to write specific rules, YARA rules, for the source code, but if you specify them with YARA here in oledump they will not only run on the source code but they will run on all the streams, and sometimes that might give false positives, and that's not something we want.

So I started to use external variables. YARA supports external variables, and external variables are variables that are assigned a value outside of the YARA rule, so for example in the YARA engine. And here oledump will assign two external variables. One is called VBA, in uppercase, and that is a Boolean, and VBA is true for this VBA source code while it is false for all the other streams. And another variable, external variable, that is declared is the one that contains the name of the stream, so that's the stream name.
So if we make a small change to our test YARA rule here and we say the external variable has to be true and we need to find the string, so VBA, uppercase, the external variable that is true when we are scanning VBA source code, and now when I run this again you see it doesn't hit on those streams here but it hits on the decoded VBA source code.

Now I've made some more interesting YARA rules for VBA: a YARA rule that will detect AutoOpen or Document_Open, another one CreateObject and GetObject, one for Declare and one for the Run method. So if we run this on our sample, okay, so we get three hits: autorun, object and run method. So we know that there is in the VBA code here a call to execute something automatically, that objects are used and that the Run method is called. Now to have more specifics you can use the YARA strings option to see what strings were matched, like this, and then we see that it was a Document_Open that was matched, a CreateObject and a .Run.
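
The rules described in the talk, sketched as an added example that is not taken from the video or from the tool's own rule file: each VBA rule is gated on the `VBA` external variable so it only fires on the decompressed source code, and the last rule shows the opposite case, restricted by stream name. The identifier `streamname`, the rule names, the exact strings and the marker text are assumptions.

```yara
// Added example. Assumes the scanner defines two external variables:
//   VBA        (boolean) true only when the decompressed VBA source is scanned
//   streamname (string)  name of the stream being scanned (assumed identifier)

rule Example_VBA_Autorun
{
    strings:
        $a = "AutoOpen" nocase fullword
        $b = "Document_Open" nocase fullword
    condition:
        // Without "VBA and", this would also run on every raw stream.
        VBA and any of them
}

rule Example_VBA_Object
{
    strings:
        $a = "CreateObject" nocase fullword
        $b = "GetObject" nocase fullword
    condition:
        VBA and any of them
}

rule Example_VBA_Declare
{
    strings:
        $a = "Declare" nocase fullword
    condition:
        VBA and $a
}

rule Example_VBA_Run
{
    strings:
        $a = ".Run" nocase
    condition:
        VBA and $a
}

rule Example_Raw_Macro_Stream_Only
{
    strings:
        $a = "constructed-marker"   // constructed sample string
    condition:
        // Inverse case: raw (still compressed) streams only, filtered by name.
        not VBA and streamname contains "Macros" and $a
}
```

To compile or test these rules outside oledump, the caller has to define the external variables itself, for example with the `yara` command-line option `-d VBA=true -d streamname=test`.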