You know, I received another malicious Office document, and I'm going to analyze it with oledump. Okay, and as expected, here we have macros, but also an embedded object. It's rather large, here in stream 16. So this could be an embedded EXE, an executable, making this a dropper. So let's take a look. You select stream 16 and you take option i to get information about the embedded object. Okay, so this is the filename, the folders, the size, the MD5 hash of the embedded file, and then the magic and the header. Those are the first four bytes and the first 16 bytes of the file, in hexadecimal and in ASCII representation. So this doesn't look like an EXE, because it doesn't start with MZ. But maybe it is an encoded EXE. The name here contains EXE: MacDoc EXE. So maybe it is an EXE, but it has been encoded.

So let's take a closer look. We will extract it and look at the beginning. Okay, so this is not an executable, but notice here that we have some strings that are repeating, like this one here, and this is repeating. So maybe this is a PE file that has been XOR-encoded, because a PE file in the beginning contains a lot of null bytes, and when you XOR-encode a stream of null bytes, the key will appear in the encoded file. So if you know the plaintext, you can recover the key, and that is what my tool xor-kpa does: it performs a known-plaintext attack on a file to see if it is XOR-encoded. You have to pass it a known plaintext and then the file, and then it will work on it to try to recover the keys. Now here I have predefined one plaintext, and that is the DOS plaintext: "This program cannot be run in DOS mode." This is the string that you find at the beginning of PE files, of executables. So let's try this out here. So we pass this to xor-kpa, with dos. And that is a name: instead of literally passing the string that we want to search for, we pass it a name, the predefined name.
Okay, so we have found one key, this key here, and this is the key stream in which we found it. And it's very likely that it is a key, because it is repeating, and there are 21 characters here extra to the key. So let's try to decode this and see what we get. To decode this we use option d. This will decode it with the first key that was found. And indeed it is an executable, a PE file, because here we find MZ, and here we can find "This program cannot be run in DOS mode." And these are the null bytes that I talked about. This here is the decoded string that is before the MZ file. It's probably a string to be recognized by the code, by the macro.

So let's cut this out with my cut-bytes program. So we want to cut: we want to search for MZ, and that's the beginning of the part we want to cut out, and we want to cut this out until the end, like this. So now indeed we have decoded and extracted the executable. We can, for example, pass it on now to pecheck to analyze it. pecheck. And it is indeed a valid executable, with a rather high entropy. This is the hash, and this is more information about it. It has no digital signature, PEiD doesn't recognize it, and it contains an overlay.