One more time I want to do a demo of oledump for you. I received another malicious Word document; it contains a malicious VBA macro. So let's have a look. The malicious Word document is actually a fake invoice in Dutch (Rechnung). I stored it inside a password-protected zip file with the password "infected", and oledump can read this directly.

So here you can see all the streams. This stream here, stream 7, contains a macro, so we will have a closer look at this one. Stream 14 here is the Word document, and then here the SRP streams: if you find streams with SRP in their name in the VBA project of a Word document, an Excel document, any Office document, then it is an indication that the macro was executed. So that means here that the criminal who created this malicious Word document has also tested his macro.

So let's have a look at the macro. I select stream 7 and I will decompress the VBA macro like this, and here you can see the different automatic open functions, and then this function here. So this function creates a temporary file name. Then it retrieves, via ActiveDocument.Range.Text, all the text that is inside the Word document. It looks for the string 1234 and then it does some processing here.

So let's have a look at this Word document. Remember, that was in stream 14. Okay. Yeah, and here you have the start of the content of the document: "Please enable macros to view this document", the string 1234, and then this here. You can see ampersand H and 2 hex digits, and again ampersand H and 2 hex digits, and so on. So this is actually a file that is encoded in hexadecimal inside the text of the Word document. Ampersand H followed by 2 hex digits is the way that you represent a hexadecimal value in VBA.

So let's go back to the VBA macro. So we search for 1234, then we skip 4 bytes, and then we open a file, a binary file, and we loop through the content of the Word document. We convert 4 bytes, here 4 characters, to a byte: so the ampersand H hexadecimal value is converted to a byte with CByte and then written to the file, and so on. So what this macro does here, actually, is extract the hex code from the text found in the Word document and then write it to disk, and then at the end, of course, it will execute the executable that was written to file.

Now we could... here, let's go back. Okay, so we can try here to decode this file, this encoding, to try to extract the file. And you can also do this with the decoders for oledump. So I've written a very small decoder, the AH decoder I call it, for ampersand H. Okay, so this decoder is rather simple. I compile a regular expression: ampersand H and then a hex digit, and this hex digit must appear twice. So I'm searching here for this Visual Basic hex digit encoding. With findall I find all instances of those strings inside the text, and then here with chr and int(..., 16) I convert this hex value to a byte, and I join them all into a string which I return. So that is how the decoder works.

So let's have a look: stream 14, the decoder, and the malicious Word document. Okay, and now you can see here, this is the decoded embedded file, and you can see that it is an executable: it starts with MZ, "This program cannot be run in DOS mode", and then here the start of the PE header.

So as a final check we will run this through pecheck. And I want to dump the file, sorry, like this. Okay. So this is the analysis by pecheck for this PE file. Normal entropy, so we know it is not packed. This is the MD5, and here at the end PEiD tells us that it's actually a .NET executable.
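As an added example (not the decoder from the video, and not part of oledump), here is a stand-alone Python version of the same idea: a regular expression for the VBA "&Hxx" literal form, all matches converted to bytes, optionally starting only after the "1234" marker the macro searched for. The sample text is constructed and carries only the first bytes of a DOS header, not a real executable.

```python
import re
from typing import Optional

# Matches the VBA hexadecimal literal form "&H" followed by two hex digits,
# e.g. "&H4D" -> 0x4D. One four-character token per encoded byte.
AH_TOKEN = re.compile(r"&H([0-9A-Fa-f]{2})")


def decode_ah(text: str, marker: Optional[str] = None) -> bytes:
    """Recover the bytes hidden as "&Hxx" tokens in document text.

    With marker=None this mirrors the regex-over-everything approach of the
    decoder described in the video. With a marker (the macro used "1234"),
    decoding starts only after the first occurrence of that marker, which is
    what the macro itself does before it starts converting tokens.
    """
    if marker is not None:
        pos = text.find(marker)
        if pos == -1:
            return b""
        text = text[pos + len(marker):]
    return bytes(int(h, 16) for h in AH_TOKEN.findall(text))


def looks_like_pe(data: bytes) -> bool:
    """Cheap triage check: a PE file starts with the 'MZ' DOS header magic."""
    return data[:2] == b"MZ"


# Constructed sample mimicking the document body: a social-engineering lure,
# the "1234" marker, then the &H-encoded payload (only the first eight bytes
# of a DOS header here, nothing executable).
SAMPLE_TEXT = (
    "Please enable macros to view this document 1234"
    "&H4D&H5A&H90&H00&H03&H00&H00&H00"
)

if __name__ == "__main__":
    blob = decode_ah(SAMPLE_TEXT, marker="1234")
    print(blob.hex(), looks_like_pe(blob))
```

Run it on the text extracted from the document stream; a result starting with MZ is the cue to hand the blob to a PE analysis tool, as the video does with pecheck.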