Today I received yet another malicious document. It was a spreadsheet; it's here. So let's analyze it with my oledump tool. Now, my oledump tool is a command line tool, it's a Python program, but we are not going to use the command line directly here. We are going to use one of my other programs, sent to CLI, and this program has a graphical interface, a GUI, which allows you to execute command line programs. So let's run this. Here it is, so it will execute on this file in this directory, and now let's select the command from the drop-down list here: oledump, this is the command that I want to run. Okay, and here we have the streams. Now, if you notice a stream with the name Ole10Native, then you know that you have an Office document with an embedded OLE object. So this is stream 5. Let's select stream 5. Here is the ASCII dump. Now, to have more information about the embedded object, you can use option -i, like this, and then here you have the name of the file that was embedded. You see it's a VBS file, a VBS script file. Now, remark, it's VBS; VBS is not actually the same as VBA. And also, it looks like a URL, but it is not; it is actually a file name. And then you have two other folders: the folder where the file was actually stored, and then the temporary folder where the file is stored when executed, and then the size of the file. To see the content, so to view the file, we can extract it with option -e, like this. Okay, and here you can see that it is an obfuscated VBS script. Now we will de-obfuscate this, and for that I'm going to use another graphical tool. It's my clipboard manager. So let's copy this to the clipboard and start my clipboard manager, which is here. So, and let's get this from the clipboard.

Okay, so this is the actual script. You can see here all kinds of strings with the Mid command, the Mid function, sorry. The Mid function allows you to select a set of characters from a string, and here we are selecting from the ninth position, so the ninth character, and we are only selecting one character. So we are going to try to de-obfuscate this here in my tool. So first we are going to split this script here with the ampersand, so that we have one Mid function per line. So let's do a split. So, ampersand character, that's where we are going to split. Okay, and here now we have the Mid commands. Let's delete this, and you can see all those Mid commands work on strings of the same length and always select the ninth character. So that's what we are going to do here with my clipboard transformer. Okay, and in the end we have a shell object that runs the string that is executed here. So let's delete this too. Now we are interested in these strings. So let's select this string and then go to the menu and say "keep column". Keep column will delete all the characters that are not part of the column that I selected. So let's do this, and we have the strings here now. Let's look at that ninth character. So we are at character one, two, three, four, five, six, seven, eight, nine. Okay, so the first character, the ninth character here actually, but the first in our list, is a C, and then we have M, and then a D. So you can see CMD. Okay, so again, we are going to select and keep this column, like this, and now you can already start to read the command, the obfuscated command: it's cmd /K powershell. Now let's join all those lines here with the join lines function. That's a function here. Okay, and here we have our de-obfuscated string.

So it's a cmd that launches PowerShell, and this PowerShell downloads a file from this URL, saves it in the temporary folder as a CAB file, then expands that CAB file to an executable file, and then it runs the executable file. Now, if you are interested in my clipboard transformer, I released a beta; just look in the comments for the download URL.
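The de-obfuscation done by hand in the clipboard tool above (split on the ampersand, keep the ninth column, join the lines) can be automated. The following Python is an added example written for this page, not code from the video or from the oledump project: it parses every `Mid("...", start, length)` call in a VBScript line, evaluates it with VBScript's 1-based semantics, and joins the results. It generalizes the transcript's case slightly by honouring any start position and length rather than only the ninth character. The script it decodes is a constructed sample that merely spells out `cmd /K powershell`; it is not the malicious script from the video.

```python
import re

# Constructed sample in the style of the script from the video (NOT the real
# malicious script): each Mid() call pulls the ninth character out of a
# 12-character filler string, and "&" concatenates the pieces. The line
# continuation "_" is also used, as VBScript authors commonly do.
SAMPLE_VBS = '''\
Set oShell = CreateObject("WScript.Shell")
strCmd = Mid("aZ4qLm7Xc1pk", 9, 1) & Mid("Rt9bNs2Vm3wf", 9, 1) & Mid("uY6hKc8Gd5ez", 9, 1) & _
    Mid("Pj1oWq4T 7nr", 9, 1) & Mid("kD3sEx6B/2my", 9, 1) & Mid("hF7vAz0QK4lc", 9, 1) & _
    Mid("Mn2iRg5U 8bt", 9, 1) & Mid("wS8cJe1Yp6ha", 9, 1) & Mid("xL4dOr9Ho3kq", 9, 1) & _
    Mid("zB1fGt5Kw7ne", 9, 1) & Mid("Tv6mHp2Se0cj", 9, 1) & Mid("qC3nIw8Mr1ud", 9, 1) & _
    Mid("gA9kUb4Ns5yo", 9, 1) & Mid("eW5rXd7Ph2iv", 9, 1) & Mid("nK8pZf3Le6ta", 9, 1) & _
    Mid("sQ2uMy9Cl4bx", 9, 1) & Mid("dE7jVh1Al8go", 9, 1)
oShell.Run strCmd, 0, False
'''

# Matches Mid("<literal>", <start>, <length>); VBScript escapes a quote inside
# a string literal by doubling it, which the (?:[^"]|"")* group allows for.
MID_CALL = re.compile(
    r'Mid\(\s*"((?:[^"]|"")*)"\s*,\s*(\d+)\s*,\s*(\d+)\s*\)', re.IGNORECASE)


def join_continuations(vbs):
    """Glue VBScript " _" line continuations back into single logical lines."""
    return re.sub(r'\s_\r?\n\s*', ' ', vbs)


def eval_mid(literal, start, length):
    """Evaluate VBScript Mid(): start is 1-based, length is a character count."""
    text = literal.replace('""', '"')          # undo VBScript quote escaping
    return text[start - 1:start - 1 + length]


def decode_mid_chains(vbs):
    """Return {logical line number: decoded string} for every line built from Mid() calls.

    Lines without a Mid() call (object creation, the Run statement) are skipped,
    which is the equivalent of deleting them in the clipboard tool.
    """
    decoded = {}
    for number, line in enumerate(join_continuations(vbs).splitlines(), 1):
        pieces = [eval_mid(literal, int(start), int(length))
                  for literal, start, length in MID_CALL.findall(line)]
        if pieces:
            decoded[number] = ''.join(pieces)
    return decoded


if __name__ == '__main__':
    for number, text in decode_mid_chains(SAMPLE_VBS).items():
        print(f'line {number}: {text}')
```

Run against a real extracted script (for instance the output of oledump's `-e` option redirected to a file), the decoded command is what an analyst then reads for the download URL and the follow-on behaviour; the regex is deliberately strict about the `Mid("literal", n, m)` shape, so a variant that passes variables or `Chr()` calls into `Mid` will show up as a line with no decoded output rather than as a wrong decode.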
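The information oledump's `-i` option prints for the Ole10Native stream (the embedded file's name, the folder it was stored in, the temporary folder, the size) comes from a small header in front of the payload. The Python below is an added example for this page, not oledump's own code: it parses that header, returns the payload that `-e` would extract, and flags the two things the video points out, a script extension and a label that looks like a URL. The stream layout in the docstring is my understanding of the Ole10Native format, stated as an assumption; the sample stream, file names and payload are constructed for the example.

```python
import struct


def _cstring(buf, offset):
    """Read a NUL-terminated string at offset; return (text, offset after the NUL)."""
    end = buf.index(b'\x00', offset)
    return buf[offset:end].decode('latin-1'), end + 1


def parse_ole10native(stream):
    """Parse an Ole10Native stream into its header fields and payload.

    Assumed layout (little-endian), to be checked against oledump -i output:
      DWORD total size | WORD flags (usually 2) | label ASCIIZ |
      original path ASCIIZ | DWORD unknown | DWORD temp-path length |
      temp path ASCIIZ | DWORD payload size | payload bytes
    """
    total = struct.unpack_from('<I', stream, 0)[0]
    flags = struct.unpack_from('<H', stream, 4)[0]
    label, pos = _cstring(stream, 6)
    source_path, pos = _cstring(stream, pos)
    unknown, temp_len = struct.unpack_from('<II', stream, pos)
    pos += 8
    temp_path, pos = _cstring(stream, pos)
    size = struct.unpack_from('<I', stream, pos)[0]
    pos += 4
    data = stream[pos:pos + size]
    if len(data) != size:
        raise ValueError('truncated Ole10Native payload')
    return {'total': total, 'flags': flags, 'label': label,
            'source_path': source_path, 'temp_path': temp_path,
            'size': size, 'data': data}


SCRIPT_EXTENSIONS = ('.vbs', '.vbe', '.js', '.jse', '.wsf', '.ps1', '.bat', '.cmd', '.hta')


def triage(parsed):
    """Return human-readable findings about an embedded object (defender triage)."""
    findings = []
    label = parsed['label'].lower()
    if label.endswith(SCRIPT_EXTENSIONS):
        findings.append(f'embedded object is a script file: {parsed["label"]}')
    if 'www.' in label or '://' in label:
        findings.append('label resembles a URL but is only a file name')
    return findings


def build_ole10native(label, source_path, temp_path, payload):
    """Build a stream in the assumed layout; used here only to construct test data."""
    body = struct.pack('<H', 2)
    body += label.encode('latin-1') + b'\x00'
    body += source_path.encode('latin-1') + b'\x00'
    body += struct.pack('<II', 0x00030000, len(temp_path) + 1)
    body += temp_path.encode('latin-1') + b'\x00'
    body += struct.pack('<I', len(payload)) + payload
    return struct.pack('<I', len(body)) + body


# Constructed sample: a harmless VBScript payload under a URL-looking label.
SAMPLE_PAYLOAD = b'MsgBox "constructed sample, not malware"\r\n'
SAMPLE_STREAM = build_ole10native(
    'www.example.com-invoice.vbs',                       # placeholder label
    r'C:\Users\user\Desktop\www.example.com-invoice.vbs',  # placeholder path
    r'C:\Users\user\AppData\Local\Temp\www.example.com-invoice.vbs',
    SAMPLE_PAYLOAD)


if __name__ == '__main__':
    parsed = parse_ole10native(SAMPLE_STREAM)
    for key in ('label', 'source_path', 'temp_path', 'size'):
        print(f'{key:12}: {parsed[key]}')
    for finding in triage(parsed):
        print('finding     :', finding)
```

To use it on a real document, pass the raw bytes of the stream that oledump lists as Ole10Native (dumped with `-d`) to `parse_ole10native`; `data` is then the file to hand to the de-obfuscation step, and the `source_path` and `temp_path` fields are the same two folders the video reads off the `-i` output.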