There's a new type of malicious document going around this time. It's an XML file. You might have received one like I did here. It's a remittance advice, REMNNUMBER.XML. So the attached file here is an XML file.

Now you might think that when you double-click this XML file it would open with Internet Explorer, but that will not be the case if you have Microsoft Office installed. If you have Microsoft Office installed, then you have this XML directive here that says it's an MSO application and that it's a Word document. OK, so this XML file is opened by Microsoft Word.

Now let's go down. OK, and here we have some data, and this is base64 encoded. So let's select this, almost there. OK, so this is the base64, which I'm going to copy, and now I can paste this as base64. OK, and I get the binary document that starts with the header ActiveMime.

So let's take a look at the hex representation. OK, here, from byte 50 on, we are actually dealing with the zlib compressed stream. So let's select this. OK, copy this as hex text, and then I have a special tool here. This is the compressed hex, and I can inflate this like this. So I'm decompressing the stream like that. OK, and here now you can already see "Doc file", so this is actually an OLE file, like this.

And then of course we can analyze this with oledump. Now, I have updated oledump so that it can analyze those XML files, so let's try this. Here is the XML file, and here you can see, in the data.mso file that was found inside, all the streams with macros, and here one with the URL that has been decoded by the Dridex decoder.
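The manual steps in the walkthrough (base64-decode the embedded data, check for the ActiveMime header, inflate from byte 50, confirm the result is an OLE file) can be scripted for triage. The following Python is an added example, not code from the video or from oledump; it assumes the base64 data sits in a `w:binData` element, and the sample input, the `editdata.mso` name and the output size cap are constructed for the demonstration.

```python
import base64
import re
import zlib

ACTIVEMIME_MAGIC = b"ActiveMime"
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file signature
ZLIB_OFFSET = 50                 # offset given in the walkthrough
MAX_OUTPUT = 64 * 1024 * 1024    # assumed cap on inflated size (bomb guard)

# Assumption: the payload is carried in a <w:binData w:name="..."> element.
BINDATA_RE = re.compile(r"<w:binData\b([^>]*)>(.*?)</w:binData>", re.S)
NAME_RE = re.compile(r'w:name="([^"]*)"')


def extract_embedded_ole(xml_text):
    """Return a list of (name, data, is_ole) for each ActiveMime blob found."""
    found = []
    for attrs, body in BINDATA_RE.findall(xml_text):
        try:
            blob = base64.b64decode(body)  # line breaks in the text are ignored
            if not blob.startswith(ACTIVEMIME_MAGIC):
                continue  # some other binary part, e.g. an image
            inflater = zlib.decompressobj()  # tolerates trailing bytes
            data = inflater.decompress(blob[ZLIB_OFFSET:], MAX_OUTPUT)
        except (ValueError, zlib.error):
            continue  # bad base64, or header matched but stream is not zlib
        name = NAME_RE.search(attrs)
        found.append((name.group(1) if name else "", data,
                      data.startswith(OLE_MAGIC)))
    return found


def build_constructed_sample():
    """Constructed input: a fake OLE body wrapped as the video describes."""
    fake_ole = OLE_MAGIC + b"\x00" * 504
    header = ACTIVEMIME_MAGIC.ljust(ZLIB_OFFSET, b"\x00")  # padding, not real fields
    b64 = base64.encodebytes(header + zlib.compress(fake_ole)).decode()
    return ('<?xml version="1.0"?>\n<?mso-application progid="Word.Document"?>\n'
            '<w:wordDocument><w:docSuppData>'
            '<w:binData w:name="editdata.mso">\n' + b64 + '</w:binData>'
            '</w:docSuppData></w:wordDocument>')


if __name__ == "__main__":
    for name, data, is_ole in extract_embedded_ole(build_constructed_sample()):
        print(name, len(data), "OLE" if is_ole else "not OLE")
```

The extracted bytes can be written to disk and passed to oledump for the macro stream analysis shown in the video.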