Hello, I'm going to show another example of oledump to analyze a malicious spreadsheet. This one here. And this one, I selected this malicious spreadsheet because it's a bit different. It allows me to show off another plugin, the BIFF plugin. The BIFF plugin is something that I designed especially to parse BIFF records. BIFF is the file format that is actually used for Excel spreadsheets.

So we see that it contains a macro. If we run our HTTP heuristics plugin to try to detect URLs, you will see that no URL is detected, but a couple of other strings are. And if you pay close attention here to this string, you will see that this is temp windows.vbs in reverse.

So let's have a look at the stream itself and extract the VBA code. So in stream 10, we have our VBA code that we want to decompress. And this is here the code. So here you have a couple of Chr functions. But what interests us now is this here: worksheet, Excel, range D20. So that is cell D20 and the value. So this macro will extract text from cell D20. And it will write this extracted text to disk, save the file, and then it will execute the file that was saved to disk. So that is our windows.vbs file.

So we are now, of course, interested to know what is the text found in cell D20. We are not going to use Excel to look at that. We are going to use oledump and the BIFF plugin to extract that information. So oledump, the plugin that I'm going to use now is BIFF. And I'll run this on my spreadsheet. And now, if there is a workbook found in the OLE file, the BIFF plugin will try to analyze the workbook. And here you can see that it found different BIFF records. Each line is a record. This is the identifier of the type of the record. It contains 16 bytes of data. And this is the "beginning of file" type of BIFF record. You have several other types. For example, here you have a record for password, and so on.

Now the BIFF plugin also takes options. And there is an option to dump the strings that it finds in the BIFF records. So let's use the plugin options option here to pass option -s. So this is the option to dump the strings that it finds in the BIFF records. Like this. And here you can find VBS code. Another set of Chr functions. This is most likely the URL, as you can see here, StringFileURL. And here is another one, StringHDLocation. And those strings are found in the SST record, so a shared string table. It contains ASCII strings. And this is actually the content of our cell D20.

So what we are going to do now is convert those Chr functions into a string. And it will be a URL. And the way we are going to do that is by converting this line. So first we are going to grep for this line. And then we are going to convert this line from VBS into Python. And then execute it. So I need a regular expression. This is the regular expression that I need. I need this regular expression to select the lines with Chr functions that are concatenated together. Let's do a PCRE grep with this regular expression. And here we have the two lines with the Chr function. So the StringFileURL and the StringHDLocation. I am going to use option -o to select only the matched string. So not the full line, but only the matched string. So and here we have now two lines with only Chr functions that are concatenated with the & operator.

What I am going to do now is that first of all I will add a print command, like this. So each line now is preceded by a print command. And then I am going to transform this further into Python. So the Chr function also exists in Python, but it is with the lowercase c. So let's translate this, uppercase C to lowercase C, like this. And the string concatenation operator in Python is not & but +. So let's replace & with +, like this. And so now we have two Python statements, which we can execute by piping this into Python. Okay, so now we have our two strings. This is our URL. And this is a string extension, so that is probably used to set the extension of the file.
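The video decodes the Chr() runs by rewriting them as Python and piping them into the interpreter. An analyst can get the same result without executing anything derived from the sample: parse each Chr(n) literal with a regular expression and convert the codes arithmetically. The following is an added example (not code from the video or from oledump); the sample input, the variable names strFileURL and strExt, and the decoded values are constructed for illustration.

```python
import re

# One Chr(...) call. VBA also accepts hex literals such as Chr(&H41), so both forms are matched.
CHR_CALL = re.compile(r"Chr\(\s*(&H[0-9A-Fa-f]+|\d+)\s*\)", re.IGNORECASE)

# A run of two or more Chr() calls joined by the VBA concatenation operator '&'.
# This is the same selection the video does with a PCRE grep, only here the match is decoded, not executed.
CHR_RUN = re.compile(r"(?:Chr\(\s*(?:&H[0-9A-Fa-f]+|\d+)\s*\)\s*&?\s*){2,}", re.IGNORECASE)


def decode_chr_run(run: str) -> str:
    """Decode 'Chr(104) & Chr(116) ...' arithmetically; no eval/exec of sample-derived text."""
    chars = []
    for literal in CHR_CALL.findall(run):
        code = int(literal[2:], 16) if literal.upper().startswith("&H") else int(literal)
        chars.append(chr(code))
    return "".join(chars)


def extract_chr_strings(text: str) -> list[tuple[str, str]]:
    """Return (variable name or '', decoded string) for every line holding a Chr() run.

    'text' is the kind of output the BIFF plugin's string dump (-s) produces: one string per line.
    """
    results = []
    for line in text.splitlines():
        match = CHR_RUN.search(line)
        if not match:
            continue
        # Recover the assigned variable name, if the run sits on the right of an '='.
        assignment = re.search(r"(\w+)\s*=\s*$", line[: match.start()])
        name = assignment.group(1) if assignment else ""
        results.append((name, decode_chr_run(match.group(0))))
    return results


# Constructed sample standing in for the strings dumped from the SST record (not from the real sample).
SAMPLE_STRINGS = """\
Sub AutoOpen()
strFileURL = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(101) & Chr(120) & Chr(97) & Chr(109) & Chr(112) & Chr(108) & Chr(101) & Chr(46) & Chr(116) & Chr(101) & Chr(115) & Chr(116)
strExt = chr(118) & CHR(98) & Chr(&H73)
"""

if __name__ == "__main__":
    for name, value in extract_chr_strings(SAMPLE_STRINGS):
        print(f"{name or '<anonymous>'}: {value!r}")
```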