Hello, today I want to show you a method to quickly analyze the malicious Word documents that have been going around lately. Here is a sample. So you have my oledump utility, and it shows you all the streams in this OLE document. Word documents are actually OLE documents. So you see that stream 7 here contains a macro, which it indicates with the M flag here. So we are going to select stream 7 and then decode the macro. And then you can see here the VBA macro dumped to the screen.

Now, I have seen this a lot recently: it contains an obfuscated method to download and execute an executable. And here, with the ChrW encodings, you actually have the URL. So what I'm going to do is extract and decode this, because normally you would have to do this with VBA. Here I'm going to show you how you can do that without any Microsoft technology.

So first of all I'm going to select that URL, that encoded URL, with pcregrep. And I have a regular expression for that, this one here. So this selects me the line that contains this chain of ChrW. But I'm not interested in the complete line, I'm only interested in the ChrW expression. So I'm going to use option -o of pcregrep to select only the ChrW. So here we have this, and this is a Visual Basic expression. If you run this with a Visual Basic interpreter you will see what string this represents. We cannot do this here; we are going to do this with Python. So I'm going to transform this Visual Basic expression into a Python expression and then have it evaluated by Python.

So first of all I'm going to change this expression into a print statement. So at the beginning of the line I'm going to add a print, like this. So now here I have print ChrW. Now ChrW, that is a Visual Basic function, and in Python the corresponding function is chr, all lowercase. So we are going to replace that, like this. And then the ampersand here in Visual Basic is actually the concatenation operator.

So we are going to replace that with the Python string concatenation operator, which is the plus. So I replace ampersand with plus, like this. And now I have a valid Python expression that I can pipe into Python. And then I have the URL here of the malware, the Trojan that will be downloaded and executed.
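The same decoding done without handing the macro text to a Python interpreter, as an added example that is not part of the original video or of oledump: it finds every `ChrW(...) & "..." & Chr(...)` concatenation chain in the dumped macro with a regular expression and rebuilds the string itself, so nothing from the sample is ever evaluated. The sample macro line and the URL in it are constructed placeholders, and the function names are my own.

```python
import re

# Constructed sample: one line of an obfuscated VBA macro like the one in the
# video. The URL is a made-up placeholder, not a real indicator.
SAMPLE_LINE = (
    'strURL = ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(58) '
    '& ChrW(47) & ChrW(47) & "example.invalid" & ChrW(47) & Chr(97) '
    '& ChrW(46) & ChrW(101) & ChrW(120) & ChrW(101)'
)

# One token of a VBA concatenation chain: Chr(n), ChrW(n), Chr$(n) with a
# decimal or &H hexadecimal argument, or a double-quoted string literal
# (in VBA, "" inside a literal is an escaped quote).
_TOK = r'ChrW?\$?\(\s*(?:&H[0-9A-F]+|\d+)\s*\)|"(?:[^"]|"")*"'
# A chain is two or more tokens joined by the VBA concatenation operator &.
_CHAIN = re.compile(rf'(?:{_TOK})(?:\s*&\s*(?:{_TOK}))+', re.IGNORECASE)
# Same token pattern with capture groups, used to walk a matched chain.
_TOKEN = re.compile(r'ChrW?\$?\(\s*(&H[0-9A-F]+|\d+)\s*\)|"((?:[^"]|"")*)"',
                    re.IGNORECASE)


def _code_point(arg):
    """Turn the Chr/ChrW argument (decimal or &H hex) into an integer."""
    if arg[:2].upper() == '&H':
        return int(arg[2:], 16)
    return int(arg)


def decode_chain(chain):
    """Rebuild the plain string that one Chr/ChrW/literal chain represents."""
    out = []
    for m in _TOKEN.finditer(chain):
        if m.group(1) is not None:          # Chr(n) / ChrW(n)
            out.append(chr(_code_point(m.group(1))))
        else:                               # "string literal"
            out.append(m.group(2).replace('""', '"'))
    return ''.join(out)


def decode_vba_strings(text):
    """Return every decoded concatenation chain found in the macro text."""
    return [decode_chain(m.group(0)) for m in _CHAIN.finditer(text)]


if __name__ == '__main__':
    for s in decode_vba_strings(SAMPLE_LINE):
        print(s)                             # http://example.invalid/a.exe
```

Pipe the output of oledump's macro decoding into `decode_vba_strings` instead of `print`/`eval` when the macro you are looking at is untrusted.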