Hello, Didier Stevens here, Senior Handler at the Internet Storm Center. In my diary entry "DOC and RTF Malicious Document", I do the analysis of an Office document and an RTF document with my tools. I'm going to show this now in this video. So first, I identify the first file, so the DOC file, with my file-magic tool. So that's like the file command on Linux and on Apple. So this is a Microsoft Word document, so with my tool oledump, now I analyze this file and I get this warning: there is no OLE file inside this zip container, this Office OpenXML file. So next step, since this is an Office OpenXML file, an OOXML file, it is a zip container. So we are going to see if we see anything interesting inside that zip file with my zipdump tool. So these all look like normal files. Let's search for URLs. So with option uppercase D, I will dump all the files inside that zip container to standard out, and I'm going to pipe this into my re-search tool, regular expression search, and I'm going to search for URLs. And I get a long list of URLs, because in the XML files, in OOXML files, you will find a lot of legitimate URLs, as you can see here. The last one here, this one is not one you will typically find in an Office document. So this is probably our malicious URL. Now you can filter this. This is a new option of my re-search tool, filter, uppercase F, office URLs. And when I do this, I filter out all the URLs that have a domain that is typical for OOXML files. So the long list that you saw here, those all come and what remains are URLs that you will not find in typical OOXML files. So this has been added. And as we can see here, we have an HTTP URL to an IP address that downloads a DOC file. I downloaded that DOC file. Let's try this again to identify it. This is the DOC file that I downloaded. And now we can see that this is an RTF file. So we are going to analyze this with my rtfdump tool.
And now in this new version here of my rtfdump tool, there's a new option to make analysis easier, to just give you an overview of all unique embedded objects inside the RTF file. And that is uppercase O. And as you can see, there is one object inside, Equation. So this is probably an exploit for the Equation Editor. It's a small size, probably shellcode. By the way, if you don't like MD5, there's an environment variable that you can set so that you have another type of hash, like SHA1, SHA256. Now if you had used my rtfdump tool without any options, then you get the typical output here with a lot of items. But we are not interested in this here, because we don't have to, well, at first sight, we don't have to do a detailed analysis, because we immediately find the object, this object here. So I select this object, here it is. I see no recognizable strings. So I'm not really sure if it is shellcode or if it is obfuscated shellcode. So now I'm going to analyze this with the shellcode emulator. So I dump this to shellcode, and now with the shellcode emulator, scdbg, file shellcode, okay, already after three instructions, it fails. So the first byte is not the entry point. We have to search for the entry point of the shellcode. And that's something you can do with findsc. And while we are here, I'm also going to request a report. Okay, so the shellcode emulator found four different entry points, numbered from zero to three. All four make a call to GetProcAddress. So this really looks like valid shellcode. So let's select the first one, zero. And then indeed here, we see a GetProcAddress and ExpandEnvironmentStringsW. But this fails, because wide-string Unicode API functions are not yet implemented in the shellcode emulator. Now also look at the analysis report; it says sample unpacks the code itself in memory, use -d to dump. That's what we are going to do. Like this, repeat the command, zero. And now a file has been created, unpack, here.
And let's look at the strings that we have in shellcode.unpack, just like this. And here we have our URL. You see here a path name. So this will be saved in the public user folder, vbc.exe, downloaded and executed.
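The URL triage step described above (dump every member of the OOXML zip container, regex for URLs, drop the domains that legitimately appear in every Office document) as an added Python example; this is not Didier's code, and the OOXML_DOMAINS list and the constructed sample docx with a 192.0.2.10 target are my own assumptions, not values from the diary.

```python
import io
import re
import zipfile

# Domains that legitimately appear in OOXML XML and relationship files.
# Assumption: my own approximation of what re-search's office-URL filter drops.
OOXML_DOMAINS = {
    "schemas.openxmlformats.org",
    "schemas.microsoft.com",
    "www.w3.org",
    "purl.org",
    "purl.oclc.org",
}

URL_RE = re.compile(rb"""https?://[^\s"'<>]+""")

def extract_urls(ooxml_bytes):
    """Return every URL found in every member of an OOXML zip container."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for name in zf.namelist():
            urls.extend(m.decode("latin-1") for m in URL_RE.findall(zf.read(name)))
    return urls

def domain_of(url):
    """Host part of a URL, without userinfo or port, lowercased."""
    host = url.split("://", 1)[1].split("/", 1)[0]
    return host.split("@")[-1].split(":")[0].lower()

def suspicious_urls(ooxml_bytes):
    """URLs whose domain is not one expected in OOXML files, deduplicated in order."""
    seen = []
    for u in extract_urls(ooxml_bytes):
        if domain_of(u) not in OOXML_DOMAINS and u not in seen:
            seen.append(u)
    return seen

def build_sample_docx():
    """Constructed minimal docx: normal namespace URLs plus one external OLE target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
            'Target="http://192.0.2.10/payload.doc" TargetMode="External"/></Relationships>')
    return buf.getvalue()

if __name__ == "__main__":
    for u in suspicious_urls(build_sample_docx()):
        print(u)  # prints only http://192.0.2.10/payload.doc
```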