Hello, Didier Stevens here, handler at the Internet Storm Center. At the Internet Storm Center we just received a malicious document, a spreadsheet using Excel 4 macros, the kind of malicious document that is going around now: the ZLoader maldoc. So I'm going to show you how you can quickly analyze this with the XLMDeobfuscator tool.

So first of all, with oledump, you look at the file and you see there are no VBA macros, and that's because when you have Excel 4 macros, they are inside the workbook. So to figure those out, to find these, you have to run my plugin plugin_biff with plugin option -x for Excel 4 macros (XLM), like this. Okay, and we get this output here. And so this is clearly a malicious document here, with all those concatenations of CHAR functions and then formulas. Here there's a lot of them. And to deobfuscate, there's a new tool, XLMDeobfuscator: file here, run it like this, and there you have the output. So it was able to deobfuscate all those formulas with CHAR concatenations and come up with these commands. Here you see calls to ShellExecute. So what we're interested in, of course, is IOCs like URLs, and here we have a couple of URLs. So it's as simple as this with XLMDeobfuscator.

And I just want to show you something else with my oledump plugin tool. So let's go back. Now here you can also have CSV or JSON output. So if you run this here with the XLM option for Excel 4 macros, you see all the different cell formulas, and here, this is the parsed formula, which is in postfix notation. But of course you're more used, well, we are more used to infix notation, and that's what you can get now with CSV output, for example, like this. See here, now you see those values: SET.VALUE, RUN, and here FORMULA with CHAR and all kinds of commands. If you want only the CSV output and nothing else, you use option -q (quiet), like this, and then you get this output.

And I've also been working on an ad hoc script to try to deobfuscate this here, like this, and then you get partial output. So it's not as good as XLMDeobfuscator, because XLMDeobfuscator is a real emulator; here I'm trying to decode with some brute-force techniques.
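As an added example (this is not Didier Stevens' ad hoc script, nor code from XLMDeobfuscator or oledump), here is a small Python decoder for the CHAR-concatenation obfuscation the video shows: it statically resolves cell formulas made only of CHAR(n) calls and string literals joined by "&", then pulls URLs out of the result. The sample formulas are constructed for illustration and are not taken from the ZLoader maldoc. Anything beyond that simple grammar (FORMULA(...) wrappers, cell references, arithmetic inside CHAR) is deliberately reported as undecodable, which is exactly the case where a real emulator such as XLMDeobfuscator is needed.

```python
import re

# Constructed sample formulas in the style of Excel 4.0 (XLM) macro cells that
# build strings with CHAR() concatenation. Made up for this example; NOT the
# formulas from the maldoc discussed above.
SAMPLE_FORMULAS = [
    '=CHAR(104)&CHAR(116)&CHAR(116)&CHAR(112)&"://"&CHAR(101)&CHAR(120)'
    '&CHAR(97)&CHAR(109)&CHAR(112)&CHAR(108)&CHAR(101)&".test/"&CHAR(97)&".dll"',
    '=CHAR(85)&CHAR(82)&CHAR(76)&CHAR(77)&CHAR(111)&CHAR(110)',
    '="no chars here"',
]

# Tokens we understand: CHAR(<decimal>), a double-quoted literal (with ""
# as an escaped quote), the & concatenation operator, and whitespace.
TOKEN_RE = re.compile(r'CHAR\((\d+)\)|"((?:[^"]|"")*)"|(&)|(\s+)')

# Loose URL matcher for IOC extraction from decoded strings.
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def decode_char_concat(formula):
    """Statically decode a formula built from CHAR(n) calls and string
    literals joined by '&'. Returns the decoded string, or None when the
    formula uses any other syntax (cell references, nested functions,
    arithmetic), signalling that emulation rather than this shortcut is
    required."""
    body = formula[1:] if formula.startswith('=') else formula
    pos = 0
    parts = []
    while pos < len(body):
        m = TOKEN_RE.match(body, pos)
        if not m:
            return None  # unknown token: give up rather than guess
        if m.group(1) is not None:
            code = int(m.group(1))
            if not 0 <= code < 256:
                return None  # CHAR() only covers single-byte code points
            parts.append(chr(code))
        elif m.group(2) is not None:
            parts.append(m.group(2).replace('""', '"'))
        # '&' and whitespace contribute nothing to the decoded string
        pos = m.end()
    return ''.join(parts)


def extract_urls(text):
    """Return all http(s) URLs found in a decoded string."""
    return URL_RE.findall(text)


def decode_cells(formulas):
    """Decode a list of formulas and collect URL IOCs per cell."""
    results = []
    for formula in formulas:
        decoded = decode_char_concat(formula)
        urls = extract_urls(decoded) if decoded is not None else []
        results.append({'formula': formula, 'decoded': decoded, 'urls': urls})
    return results


if __name__ == '__main__':
    for r in decode_cells(SAMPLE_FORMULAS):
        status = r['decoded'] if r['decoded'] is not None else '<needs emulation>'
        print(f"{r['formula'][:40]:<40} -> {status}  urls={r['urls']}")
```

Feed it the formula column of plugin_biff's CSV output and it will resolve the plain CHAR chains; cells it returns None for are the ones worth handing to XLMDeobfuscator.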