Hello, Didier Stevens here, Senior Handler at the Internet Storm Center. So last week I wrote about a malicious document that somebody alerted me to and that turned out to be cleaned by antivirus. In this video I'm going to show you the different steps that I describe in this diary entry. But what I'm going to do here in the video will be slightly different, because I made some changes to oledump to help us with this. And also I remembered that I have a really old 010 Editor template that I started and that can also help us. So let's run oledump on that sample, and then you can see here two macro streams. So it's an OOXML file, a PowerPoint file, and this here is the OLE file inside the zip container that contains macro streams, and here 5 and 6 are macro streams. So first looking at 6, because that's an uppercase M, and so that tells us that there are actual statements in there. And all the statements that we see here, they are actually functions, and I don't see any auto execution here, like auto open or something like that. So let's see in stream 5. This should be empty because of the lowercase m, and indeed you just have attributes. So I don't see anything here clearly that indicates how these macros are executed. So maybe this stream here, stream 5, has been stomped and something has been done to it. So I'm actually going to select the complete stream and see what we actually have. So here we have the compressed source code, and here should be the compiled code, but there are lots of zeros, and then here, that is unusual: you see a text "deleted by Kaspersky Lab AV". Now let me just do a dump like this so that all zero lines are put together. So indeed there's very little here in the stream. There's a text here "deleted by Kaspersky Lab AV" and then just the attribute. So I've seen this before with another antivirus that cleaned a malicious document, and what they actually did here was to truncate the stream. So let's see if we can undo that and recover the actual file.
Now the version of oledump that I'm using here is a new version, 0.0.64, and it comes with a new option, option U, unused data: include unused data after the end of the stream. So when you run oledump here you have the length of the stream, so the number of bytes in each stream. And with option U we actually read past the end of the stream and see if we can find some more data. And here, for example, for stream 5, 20 more bytes were found. And also see now that the indicator is an uppercase M. So apparently there is something to be seen here that is a statement. So I'm selecting this and decompressing the stream, and now I get something like this. So this is not valid, but you see that it looks like a function auto open. So let's take a look at the binary data, and indeed there is a bit more here. Now there could still be more in sectors that follow this, because the OLE file format, the Compound File Binary file format, is actually a file system inside a single file, and there are sectors for the different streams. Now to find out if there are some sectors that have been freed, we can use a tool developed by Philippe Lagadec, decalage2 on Twitter, and that is olemap. Now if you run olemap here on this file, this will fail, because this is an OOXML file and olemap is made for OLE files. So I actually have to extract the OLE file from the OOXML file. So this was the file here. Notice also that the timestamp here has changed. So that's a normal timestamp for Office documents created by Microsoft Office; it should always be this. And if you see something like that, it means that it has been tampered with, has been changed, and that is probably the date when this was cleaned by the antivirus. So it's in stream 30. I select stream 30, I do a binary dump and I write this to disk, and I'm going to use the name here with extension .vir. And now I can run olemap again on this here. Okay, so these are the headers. That is fine.
And now we are going to look at the FAT and the mini FAT to see how the sectors are used. So all the sectors are used here, as you can see in the FAT. And now let's look at the mini sectors in the mini FAT. And here we have some free sectors. So you should not find this normally in an OLE file produced by Microsoft Office. So this most likely has been cleaned by the antivirus. So you have next sector 44 here, and this is the end of the chain, so the end of the stream now. But we are going to extend this so that our end of chain is now here. Okay, so for that I'm going to use a binary editor. So we have an entry here for sector 44, mini sector 44, and then followed by an end-of-chain indicator. Now these values here are 32-bit values, little-endian. So I should search here for 44, 0, 0, 0, 0, 0, and then FE, FF, FF, FF. And we have only one hit. So here we have the mini FAT table that we can modify. So pointing to sector 44, and sector 44 is the end of chain. So what I'm going to do now here is assume that it is sequential, because it usually is, it normally is in Office documents. So I'm going to put here sector 45. So it's little-endian: 46, 47, 48, 49, and here the last one, end of chain, so FE like this. And let's run this again, mini FAT here. And indeed now the stream has been extended with five more mini sectors. So if I run oledump on the change that I just made, it's still 1196, because there is also a counter. There are not only the sectors, but there's also a counter for the size of the stream. But that's something that, with option U, we can try to read past the stream. And now here indeed we have way more bytes, 340 extra bytes. So let's select this and do a dump. And then indeed here we have things that look like compressed shellcode, a message box error, and things like that. If we try to decompress this, we still get errors. What is happening here is the following. So let me select this.
So this is the beginning of the compressed source code, and we're interested in this one. So I'm going to search for this in the binary editor. So I'm taking this hexadecimal sequence, searching for that hexadecimal sequence here. And again, we're lucky, only one hit. So here we are in the binary editor with the compressed VBA code. Compressed VBA code is stored inside OLE files as chunks of compressed data. And it starts with a magic sequence, which is just byte value one. So you have 01 here; that is the start of the compressed data. And then you have a sequence of compressed chunks. A compressed chunk starts with a header of just two bytes, and that is actually the size, and then followed by the actual compressed data. That size here, the header, actually consists of a little-endian 16-bit integer where the four most significant bits are actually flags. So the B here, the B, that is actually a flag. And the 020, that is the length of the data that follows, minus three. So to have the actual length, you have to add three. So 20, that's just about this size, and then I add three. So that's way too much. And what we have here is this, what we actually see when we don't use option U. So here, that's where it stops, 0D 0A. But as you can see, there is way more here. And so we need to change this size field so that this is also included. I'm going to select this, so that what I selected here in total is 346 bytes, or hexadecimal 15A. I need to subtract three from that. So 15A minus three is 157. And then I need to enter this here. I have to leave the flag B. It's little-endian. So 157, like this. And now I have changed the size of the chunk of compressed code so that it includes all the compressed code. So now when we try to decompress this, we should have it here. And here, indeed, now we have properly decompressed VBA code. We can see the function auto open. So this is what makes the execution automatic.
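The chunk header arithmetic described above, as an added Python example (not Didier's code and not part of oledump): it decodes the 16-bit MS-OVBA CompressedChunkHeader that the video patches by hand (low 12 bits = chunk size minus 3, the 0xB nibble = signature 0b011 plus the compressed flag) and rewrites a truncated final header so that it spans all the bytes actually present. The sample container is constructed, not the bytes from the video, and stopping at the first header whose signature bits are wrong is a heuristic this example assumes.

```python
import struct

CONTAINER_SIGNATURE = 0x01  # first byte of a CompressedContainer
CHUNK_SIGNATURE = 0b011     # bits 12-14 of every CompressedChunkHeader
HEADER_LEN = 2
MAX_CHUNK = 4098            # 4096 data bytes + 2-byte header is the largest legal chunk

def parse_chunk_header(hdr):
    """Decode the 16-bit little-endian header: low 12 bits = chunk size - 3,
    bits 12-14 = signature, bit 15 = compressed flag (together the 0xB nibble)."""
    (raw,) = struct.unpack('<H', hdr)
    return {'size': (raw & 0x0FFF) + 3, 'signature': (raw >> 12) & 0x7, 'compressed': bool(raw >> 15)}

def build_chunk_header(size, compressed=True):
    """Inverse of parse_chunk_header; `size` includes the header itself, as MS-OVBA counts it."""
    if not 3 <= size <= MAX_CHUNK:
        raise ValueError("chunk size %d out of range" % size)
    return struct.pack('<H', (size - 3) | (CHUNK_SIGNATURE << 12) | (int(compressed) << 15))

def find_chunks(container):
    """Return [(offset, declared_size), ...]. Stops at the first position whose signature
    bits are not 0b011, i.e. where a wrong declared size has led us into chunk data."""
    if not container or container[0] != CONTAINER_SIGNATURE:
        raise ValueError("missing 0x01 container signature")
    chunks, pos = [], 1
    while pos + HEADER_LEN <= len(container):
        hdr = parse_chunk_header(container[pos:pos + HEADER_LEN])
        if hdr['signature'] != CHUNK_SIGNATURE:
            break
        chunks.append((pos, hdr['size']))
        pos += hdr['size']
    return chunks

def repair_last_chunk(container):
    """If the last valid header declares a different size than the bytes present after it,
    rewrite it (keeping its compressed flag) so the chunk runs to the end of the container."""
    chunks = find_chunks(container)
    if not chunks:
        raise ValueError("no valid chunk header found")
    offset, declared = chunks[-1]
    present = len(container) - offset
    if declared == present:
        return container
    flag = parse_chunk_header(container[offset:offset + HEADER_LEN])['compressed']
    fixed = bytearray(container)
    fixed[offset:offset + HEADER_LEN] = build_chunk_header(present, flag)
    return bytes(fixed)

def build_sample_container():
    """Constructed sample (not the video's bytes): header 20 B0 declares 35 bytes,
    but 346 bytes follow it, like the truncated chunk in the video."""
    return bytes([CONTAINER_SIGNATURE]) + build_chunk_header(35) + bytes(344)
```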
And here you have the different commands and the calls to the different functions in the other stream to create the URL. And then at the end there appears to be a message box. Now, just one last thing. If you don't use option U, you'll still not see that, because that header with the size of the stream is still truncated. So I mean the value in the header that indicates the size of the stream is still truncated. That is something that we can also fix. And in the blog post, I fixed that by searching for a value, a byte value that resembles that size, that is equal to that size, sorry, and then modified it with the editor. Here I'm going to do something slightly different. I remembered that a long time ago I started to develop a 010 Editor template for OLE files, the Compound File Binary format. As you can see, it's in 2013 that I started, and since 2014 I have no longer touched it. It is still not complete. It is not working perfectly, but it is usable here for what we need. So I'm going to put this in my beta repository so that you can use this if you want to. So I'm going to apply the template here to this OLE file. Template, run, the OLE template, and as you can see, we get an error. It is still not complete. So we can ignore that error. But here, if you look into the template results, you can see that it was able to parse several structures, like the dir entry structure for Ishaar, the stream that has been truncated. So I can open this up, and then here you have the field for the stream size, 1196. That is what we need to increase. So let's see by how much we need to increase this. Let me run oledump again. So stream 5, so that's where it ends. Let's copy this and search for this here. So it ends here, and what we want to add is all of this until here, again the 0D 0A, and that is 313 bytes. So I need to add 330 bytes to 1196, plus 313 is 1509. 1509, save this. So I entered it here in decimal. And then here you see the byte representation, hexadecimal, that has been modified.
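The two OLE-level repairs performed above in the binary editor and with the 010 Editor template, extending the mini FAT chain with sequential free sectors and rewriting the stream size in the directory entry, as an added Python example that is not part of the video, of oledump or of olemap. The mini FAT sector and the directory entry it works on are constructed to mirror the video (chain 40 to 44, size 1196); field offsets follow the MS-CFB directory entry layout.

```python
import struct

ENDOFCHAIN = 0xFFFFFFFE   # end-of-chain marker in a FAT / mini FAT entry
FREESECT = 0xFFFFFFFF     # unallocated sector (what the AV left behind)
STREAMSIZE_OFFSET = 0x78  # uint64 stream size inside a 128-byte directory entry

def unpack_fat(fat_bytes):
    """Turn a FAT / mini FAT sector into a list of little-endian uint32 entries."""
    return list(struct.unpack('<%dI' % (len(fat_bytes) // 4), fat_bytes))

def read_chain(fat, start):
    """Follow a (mini) FAT chain from `start`; `fat` is a list of uint32 entries."""
    chain, cur = [], start
    while cur != ENDOFCHAIN:
        if cur >= len(fat) or cur in chain:
            raise ValueError("broken chain at sector %d" % cur)
        chain.append(cur)
        cur = fat[cur]
    return chain

def extend_chain(fat_bytes, start, extra):
    """Append `extra` sequential sectors after the chain's last sector (the video's assumption
    that Office lays streams out sequentially). Every sector claimed must still be FREESECT."""
    fat = unpack_fat(fat_bytes)
    chain = read_chain(fat, start)
    new_sectors = list(range(chain[-1] + 1, chain[-1] + 1 + extra))
    for s in new_sectors:
        if s >= len(fat) or fat[s] != FREESECT:
            raise ValueError("sector %d is not free" % s)
    fat[chain[-1]] = new_sectors[0]
    for cur, nxt in zip(new_sectors, new_sectors[1:]):
        fat[cur] = nxt
    fat[new_sectors[-1]] = ENDOFCHAIN
    return struct.pack('<%dI' % len(fat), *fat)

def set_stream_size(direntry, size):
    """Rewrite the stream size of a 128-byte directory entry (MS-CFB: little-endian uint64
    at offset 0x78; version 3 files only use the low 32 bits)."""
    if len(direntry) != 128:
        raise ValueError("directory entry must be 128 bytes")
    return direntry[:STREAMSIZE_OFFSET] + struct.pack('<Q', size) + direntry[STREAMSIZE_OFFSET + 8:]

def build_sample():
    """Constructed sample: a 128-entry mini FAT where the stream occupies mini sectors 40-44
    with everything after it free, plus a directory entry whose size field says 1196."""
    fat = [FREESECT] * 128
    for s in range(40, 44):
        fat[s] = s + 1
    fat[44] = ENDOFCHAIN
    direntry = bytearray(128)
    direntry[0x74:0x78] = struct.pack('<I', 40)    # starting mini sector
    direntry[0x78:0x80] = struct.pack('<Q', 1196)  # truncated size
    return struct.pack('<128I', *fat), bytes(direntry)
```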
And now if I just run oledump without any special options here on the file, I have the two macros, the size of 1509. That's what we said, what we wanted. I can select stream 5, do the decompression, and here I have the data. And of course in stream 6 I also have the data, well, the actual code. So this is how we were able here to recover the VBA code that has been removed by the antivirus. So it was not actually removed, but the stream was truncated. So some sectors were marked as free, the size of the stream was truncated, and the size of the compressed chunk was also truncated. But by restoring everything as it should be, we were able to recover the original document and extract the VBA code.