Hello, I'm Didier Stevens, a Senior Handler with the Internet Storm Center, and in this video I'm going to do another analysis of a malicious document, a malicious Word document.

So with oledump, this is the document. It contains macros here in streams 8 and 9. So I select stream 8 and I decompress the macros, okay. And here we see a Shell and here string concatenation. So that is the command, also here with a C variable, and that's about it. So all those variables here, they are probably not defined here but in the other stream, 9. So let's take a look, and indeed here we can see a lot of concatenation of variables and strings that look meaningless. But if we take a closer look here we can see set, set stf equals e at hd, and then here another set and another set and so on. Also we see Chrs, so Chr with value 99 and here another one with value 109, that is also concatenated together with a lot of set commands. Let's go to the bottom, okay. And here now we can see a lot of percent percent. So when you see this, this is very likely a DOSfuscation string: a string that is interpreted by the command line interpreter, cmd.exe, but which uses those command variables that are concatenated to form a command. It's part of research that Daniel Bohannon did about DOSfuscation, and this is probably a DOS concatenation here. So what I'm going to do, I'm going to extract all the strings in this stream 9 with my tool re-search. So I'm going to use a regular expression to find any string that is not empty and delimited by double quotes. Okay, and here you can see we have a lot of them. And here if you take a closer look, you can see percent percent cal. So that's actually a call to the content of this variable. And here you can see a lot of other strings. Let's scroll up, and here you can see a set of that variable. So this is indeed very likely a DOSfuscated string. So what I'm going to do is try to join these together and see what we end up with.
Now before I do that, before I concatenate it, I want to look at the strings slightly differently. I also want to see empty strings, because as we saw in the dump we have also a couple of empty strings, and I want the unquoted string. So I want to remove the double quotes that delimit the string, like this. So that's the regular expression I forgot. And here now I have the strings that I want. And now I want to concatenate these. And that I'm going to do with my sets command. It's a simple tool that works on sets. And what we are going to do here is: all the variables, all the strings that are considered as a set, we are going to concatenate them, join them together, and the separator is just an empty string, like this. And here now you can see something that looks indeed like a DOSfuscated DOS command using concatenation, because you see a lot of set commands here, and then here a set of a variable with a long string of instantiated variables, and then a call to that instantiated variable. And if you take a close look here you can see Net.Web and also here p colon slash slash, like an HTTP. So that's probably a script here that is DOSfuscated.

Now I wrote a small tool to help me do this, but what you actually want to do is look up all the definitions of set. Here you have one, set ve equals i, and so ve equals i, and then somewhere here you will find percent ve percent, and that is replaced by i. So for that I wrote a small tool, instantiation, and it's a generic tool. It's not specific to DOSfuscation, because the assignment and instantiation expressions can be defined by a regular expression, and by default there are regular expressions in here for DOS commands. So I'm going to pipe this output into instantiation, and then indeed, as you can see here, I have a PowerShell command with New WebClient, and indeed URLs to download, here URLs, then I should see a download somewhere, here DownloadFile, and then Start-Process to execute.
Now if you take a close look here you will see that there are some problems. For example, this is Start-Proess and not Process, the C is missing. And also here, atch, this is actually a try catch, so the letter C is missing. And remember that we had Chr commands in there, 99 and 109, so let's take a look with Python: chr(99), that's a lowercase letter C, and chr(109), that's a lowercase letter M. So those are actually some of the letters we are missing here, and like here, you should see co.uk, we don't see that, so that's missing. So it's probable that we have to include these, and I'm going to use a simple trick for that. It's the following: before I extract the strings, I'm going to replace 99 with a string for the letter C. So I will use the stream editor and I'm going to substitute space 99 space, because we saw that it was surrounded by spaces in those Chr commands, and I'm going to replace this with the letter C. Now if I do that, like this, I have to escape the quotes here, like this, and then I can pipe this to re-search, and then indeed, here now you can see Start-Process and catch. So this is working.

And now I also need the letter M, because here you can see tatikode.br in Brazil, it's actually com, not co like in UK but com, so we are missing the letter M. So I can just do exactly the same command here, like this, but for the letter M, so lowercase letter M, 109, like this. And here now I can see tatikom, so actually it's tatim, you see. So it's important to find that letter M, because the URL here, the domain name, is different.

So that is how you can use this tool. I will set it up on my beta GitHub repository, because I don't know what I'm going to do with this tool, what direction it is going to go into, but that's why it will end up here in my beta GitHub repository.
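As an added example that is not Didier Stevens' code, the pipeline from the video in Python: substitute the Chr() calls, extract the double-quoted literals (empty ones included), join them, and resolve the set/%var%/call instantiation. The macro stream below is a constructed stand-in for stream 9 and its payload is a harmless placeholder, not the document's real command.

```python
import re

# Constructed stand-in for the VBA stream: quoted literals joined with Chr() calls.
# The resulting command is a placeholder, not the document's real payload.
MACRO_STREAM = '''
a = "set ve=i&set qz=Start-Pro" & Chr( 99 ) & "ess&"
b = "" & "set pk=" & Chr( 109 ) & "&set rr=try{%qz% %ve%te%pk%.txt}&"
c = "set zz=%rr%cat" & Chr( 99 ) & "h{}&call %zz%"
'''

def resolve_chr(text):
    """Turn Chr( n ) into a quoted literal so the letter survives string extraction
    (the sed trick from the video, generalised to any Chr value)."""
    return re.sub(r'Chr\(\s*(\d+)\s*\)',
                  lambda m: '"%s"' % chr(int(m.group(1))), text)

def extract_strings(text):
    """Every double-quoted literal, unquoted, including empty strings."""
    return re.findall(r'"([^"]*)"', text)

def instantiate(cmd, max_rounds=20):
    """Collect 'set NAME=VALUE' assignments, drop them from the command, then
    expand %NAME% references repeatedly (values may reference other variables,
    which is what the trailing 'call %var%' relies on). Unknown names stay literal."""
    assign = r'\bset\s+([A-Za-z0-9_]+)=([^&]*)'
    env = dict(re.findall(assign, cmd, flags=re.IGNORECASE))
    rest = re.sub(assign + r'&?', '', cmd, flags=re.IGNORECASE)
    for _ in range(max_rounds):
        expanded = re.sub(r'%([A-Za-z0-9_]+)%',
                          lambda m: env.get(m.group(1), m.group(0)), rest)
        if expanded == rest:
            break
        rest = expanded
    return rest

def deobfuscate(stream, resolve_chr_calls=True):
    """Full pipeline; with resolve_chr_calls=False the Chr letters go missing,
    reproducing the 'Start-Proess' / 'cath' symptom seen in the video."""
    text = resolve_chr(stream) if resolve_chr_calls else stream
    return instantiate(''.join(extract_strings(text)))

if __name__ == '__main__':
    print(deobfuscate(MACRO_STREAM, resolve_chr_calls=False))
    print(deobfuscate(MACRO_STREAM))
```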