Hello, I'm Didier Stevens. In this video I want to show a new feature of my plugin_http_heuristics plugin for oledump. plugin_http_heuristics is a plugin that can find simple string obfuscations in the VBA code and extract the URLs. So for example I have a demo spreadsheet here; it contains macros. I select stream A3 and I do the VBA decompression, and you see the VBA code. Here you can see a URL and a path, and then a CreateObject that looks like an HTTP object, but you cannot actually see the URL itself or the path or the file names, because all of that is encoded. It's hexadecimal here; it is passed to a function Decode, and if you look at that Decode function, it does the hex decode and then here, in a loop, it does an XOR. So this is an XOR obfuscation.

My plugin plugin_http_heuristics can deal with some simple string obfuscations like hexadecimal, base64, or even some simple XOR encoding. It will try out all kinds of obfuscations and decode strings, and if it finds strings that start with HTTP or HTTPS, then it reports them. So to run my plugin, you start oledump, you use option -p for plugin, and then you type the name of the plugin: plugin_http_heuristics. If I run that on my demo example here, you see that in stream A3 it was able to deobfuscate the URL. Most of the time this is the IOC that you want, the URL, but sometimes you want more IOCs, like for example also the file name. The file name was not shown here because the file name does not start with HTTP, of course. And I made a small change to my plugin so that you can also start looking for other kinds of strings.

Now my plugin_http_heuristics plugin is a plugin that also takes options. Not all of my oledump plugins take options, but some do, like plugin_http_heuristics. And you pass the options to the plugin using the oledump option --pluginoptions, like this. One option that is available in plugin_http_heuristics is the help option. So if you run this... oops, sorry, that's a mistake, it's --pluginoptions.

If you run --pluginoptions with help, then you get the output of oledump for that file, and then you also get the help, but not for oledump, but for my plugin. My plugin already had options -e (extended) and -k (keywords), but the new option that I added is -c (contains), and I will show you how this works.

First of all, if you use option -e (extended), then you use more than the HTTP and HTTPS keywords. You're also going to use keywords, for example, for some popular CreateObject ActiveX objects used by malware authors, like XMLHTTP. So if I run this here with -e, then as you can see, not only do I have the URLs, but also here Shell.Application and MSXML2.XMLHTTP. So these are also obfuscated strings that are found by plugin_http_heuristics.

You can also specify your own keywords with option -k. Now that option itself takes a value, so you need to escape this with double quotes, so that this complete option here is passed on to the plugin; otherwise it would only be the -k. That's important to know: if you're using space characters inside the options for the plugins, then you have to escape everything like this. I'm going to use keyword .exe, looking for strings that start with .exe, and then of course I'm finding nothing, because there is no single string that starts with .exe. What the plugin then does by default is spit out all of the strings that it was able to decode, and maybe you might recognize something, but apart from this Workbook we don't find anything relevant. Now why do I want to use .exe? Because I want to find that file name, that executable that is written to disk, and that is now where the option contains comes into play.

With that option you will find the file name here, service.exe, and that is because when you use that option -c (contains), each keyword is checked against the string to see if it is contained in the string. So it is not just checking if the string starts with that keyword; it just checks if the keyword is anywhere inside the string, and then it will select and output the string.
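The following is an added example, written for this page and not code from oledump or from Didier Stevens's plugin_http_heuristics. It shows the two ideas the video describes in miniature: trying hex, base64 and single-byte XOR layers on every string literal in a macro, and then filtering the decoded strings by keyword either with a starts-with match (the default) or a contains match (the -c option). The sample VBA, the Decode function name, the XOR key 0x5A, and the URL example.invalid are all constructed for the demo; the real plugin's heuristics and option handling are richer than this.

```python
import base64
import re
import string


def obfuscate(plain: str, key: int) -> str:
    """Simulates the malware author's transformation seen in the video:
    XOR every byte with a single key, then hex-encode (constructed)."""
    return bytes(b ^ key for b in plain.encode()).hex().upper()


# Constructed macro: every interesting string is hidden behind Decode("<hex>").
SAMPLE_VBA = f'''
Sub Run()
    Set o = CreateObject(Decode("{obfuscate("MSXML2.XMLHTTP", 0x5A)}"))
    o.Open "GET", Decode("{obfuscate("http://example.invalid/update", 0x5A)}"), False
    p = Environ("TEMP") & Decode("{obfuscate("service.exe", 0x5A)}")
    Set w = CreateObject("Wscript.Shell")
End Sub
'''

STRING_RE = re.compile(r'"([^"\n]*)"')
# Accept only clean printable text (no control characters) of a useful length.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def is_printable(data: bytes) -> bool:
    return len(data) >= 4 and all(chr(b) in PRINTABLE for b in data)


def candidates_from_literal(lit: str):
    """Yield every plausible decoding of one string literal: the raw bytes,
    a hex decode and a base64 decode, each XORed with every single-byte key
    (key 0 covers the un-XORed case). The analyst does not know the key, so
    all 256 are tried, exactly as a heuristic plugin would."""
    layers = [lit.encode()]
    try:
        layers.append(bytes.fromhex(lit))
    except ValueError:
        pass
    if re.fullmatch(r"[A-Za-z0-9+/=]+", lit) and len(lit) % 4 == 0:
        try:
            layers.append(base64.b64decode(lit, validate=True))
        except ValueError:
            pass
    for data in layers:
        for key in range(256):
            out = bytes(b ^ key for b in data)
            if is_printable(out):
                yield out.decode()


def deobfuscate(vba: str) -> set:
    """Collect all decoded candidate strings from every literal in the macro."""
    found = set()
    for lit in STRING_RE.findall(vba):
        found.update(candidates_from_literal(lit))
    return found


def select(strings, keywords, contains: bool = False) -> list:
    """Keyword filter. Default: string must start with a keyword (like the
    http/https check). contains=True: keyword may appear anywhere, which is
    what the -c option in the video adds. Matching is case-insensitive here
    (a choice for this example)."""
    keys = [k.lower() for k in keywords]
    hits = set()
    for s in strings:
        low = s.lower()
        if any((k in low) if contains else low.startswith(k) for k in keys):
            hits.add(s)
    return sorted(hits)


if __name__ == "__main__":
    decoded = deobfuscate(SAMPLE_VBA)
    print("default keywords:", select(decoded, ["http:", "https:"]))
    print("extended:", select(decoded, ["http:", "https:", "msxml2.xmlhttp", "shell.application"]))
    print("-k .exe (starts with):", select(decoded, [".exe"]))
    print("-k .exe -c (contains):", select(decoded, [".exe"], contains=True))
```

Running it reproduces the behaviour from the video: the URL and the MSXML2.XMLHTTP ProgID surface with the default and extended keyword sets, `.exe` as a starts-with keyword finds nothing, and the same keyword with the contains flag returns `service.exe`.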