I received another malicious document to analyze. So the A here, word/vbaProject.bin: it's one of the newer file formats, a ZIP file that then contains the macros in the vbaProject.bin file. We can see the macros here, A3 and A4, so let's start with the first one; we select it like this.

Okay, this here looks interesting: when you have long strings with numbers or special characters like this. Here we have numbers with a split, and this is the value here; there's a separator. And then here we can see things like Icrosoft, so this is probably the definition for a CreateObject for a Microsoft object.

So let's first look at this here. Let's select this and copy it, and let's grep for this. Okay, so we have the split itself, and here we have another line where we have the array that is indexed by this string, and this is converted to an integer. So this contains numbers converted to integers and assigned to this variable dost. So let's grep for dost. We have this line, and then we have another line here where the value of dost is divided by 61 and then converted to a character. So this looks like the algorithm to hide something, probably a URL.

So we will analyze this like this. Here we have the number; we pipe it into sed to substitute like this: we substitute this for a space. Okay, and here we have the different numbers. You can see here those two numbers are already the same, so maybe this is HTTP colon slash slash, so this could be slash slash, same numbers.

So we are going to use my tool, numbers-to-string. It takes a Python expression, a Python function that will take an array of numbers as input, and it has to return another array of numbers. That array of numbers will then be converted to characters and concatenated to make a string.

I do that with a lambda function: that's my array, and now I write a list comprehension, number for number in array, like this. Okay, and this produces no output, and because the numbers here are big numbers, we actually have to divide them by 61. Let's try this, and then indeed here we have a URL.

I downloaded the file from this URL. Let's check if it is an executable with pecheck. Okay, and we get an error. It's maybe XOR encoded, so let's do a known-plaintext attack on it for the DOS string, and let's say we want at least three extra characters. It takes a bit of time because it's a longer file. Okay, and we find the key, and this is the keystream, and we have six extra characters, so this could indeed be a valid key. So let's decode this and pipe it into pecheck. Again it's going to take a bit of time, and indeed we have recovered the executable.
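
The two decoding steps narrated above, as an added Python example that is not part of the original walkthrough and is not the code of the tools used in it. The function names, the `!` separator, the URL, the key and the sample file are all constructed assumptions, and "extra" is taken here to mean the keystream bytes left over after one full repetition of the key.

```python
# Added illustration of the two decoding steps; all sample data is constructed.
DOS_STRING = b"This program cannot be run in DOS mode"

def decode_numbers(text, separator, divisor=61):
    """Split on the separator, divide each number, and join the characters."""
    return "".join(chr(int(n) // divisor) for n in text.split(separator) if n)

def xor(data, key):
    """XOR data with a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def smallest_period(stream):
    """Length of the shortest prefix that, repeated, reproduces the stream."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p

def recover_key(data, plaintext=DOS_STRING, min_extra=3):
    """Known-plaintext search: return (key, extra) for the best candidate, or None."""
    best = None
    for offset in range(len(data) - len(plaintext) + 1):
        # If the plaintext really sits at this offset, this is the keystream.
        stream = xor(data[offset:offset + len(plaintext)], plaintext)
        period = smallest_period(stream)
        extra = len(stream) - period      # bytes that confirm the repetition
        if extra >= min_extra and (best is None or extra > best[1]):
            shift = offset % period       # rotate so the key aligns with file offset 0
            key = bytes(stream[(i - shift) % period] for i in range(period))
            best = (key, extra)
    return best

def make_sample(key):
    """Constructed stand-in for the downloaded file: a fake PE header, XOR-encoded."""
    clear = b"MZ" + bytes(76) + DOS_STRING + b"\r\r\n$" + bytes(64)
    return xor(clear, key)

if __name__ == "__main__":
    url = "http://example.invalid/a.exe"               # constructed, not the real URL
    numbers = "!".join(str(ord(c) * 61) for c in url)  # "!" is an assumed separator
    print(decode_numbers(numbers, "!"))
    encoded = make_sample(b"Zx9!k")                    # constructed 5-byte key
    key, extra = recover_key(encoded)
    print(key, extra, xor(encoded, key)[:2])
```

A candidate with only a few extra bytes can be a coincidence, which is why the search keeps the one with the most confirmation and why the decoded result is still checked as a PE file afterwards.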