Hello, I'm Didier Stevens, senior handler with the Internet Storm Center. After Brad posted his diary entry about the Emotet malware, we had an anonymous reader who submitted another sample with the malicious document, and I quickly started to analyze it and saw that it uses dosfuscation. So with my typical method to analyze dosfuscated malicious documents, which I've also written diary entries about, I started the analysis but soon encountered a problem that I'm going to show you how to solve here.

So with oledump, I can look at the submitted file, and we see macros in streams 14 and 15. So I start with stream 14 and decompress the macros like this. And here we can see strings that don't tell us much. So let's look at 15. Okay, yeah, and here immediately, with the carets here, you can see that we are dealing with some commands that are probably dosfuscated. Here you can see the MD from CMD-V and CHR and so on. Yeah, and then here you can see more.

Okay, so I can indeed analyze this by extracting the strings with my re-search tool. So I'm extracting the strings, also the empty strings (the instance for empty strings), and I don't want the quotes, so unquoted, like this. And here I have all those strings, and now I can concatenate them together with my sets command. So join them, with no separator, like this. And here you can see all the carets, and I can get rid of them with the sed command, the stream editor. So I'm going to substitute the caret, but it's a special character in regular expressions, so I have to escape it. I'm going to substitute it with nothing, and I'm going to do this globally, like this. Now you probably don't recognize anything, but here, for example, you can see HTTP in reverse. So this string here actually has to be reversed. So I'm going to do this with my python-per-line tool. This is a Python program that accepts text files as input and, for every line, executes a Python expression that you pass it as an argument.

So the line itself is just in the line variable, and I want to reverse that line. You can do that in Python by taking a slice from the beginning to the end with step minus one, and that's how you reverse a string in Python. And then indeed here you can see HTTP and so on. Now it's not that readable, because you see there are still things in between here. But if we take a closer look, then you will see that there are actually strings inserted here in between. And that's something that I was not expecting. So for example here you can see "digital", then a string, and here the "l web experts". So this is "digital web experts", but this string here is in between.

So let's go back to the macro code itself here. And here you can see those strings here, and these are strings that contain dosfuscated commands, but here you have other strings, and if you take a close look you will see it's the MidB command, the Right command here, the Left command, but with indexes and lengths that are much longer than the string. So this command here, on this small string but with this long position and length, will actually just yield an empty string. So all of those commands here yield empty strings. So we can exclude them. One way to exclude them is to grep, to eliminate them by doing a grep for Mid, MidB, Right, Left and so on. But there's another trick, and that's how we can actually use the dosfuscation that's being used here. The dosfuscation comes with those carets. So what I can actually do is grep for strings that contain those carets, because those are dosfuscated, while these strings here don't contain them. So they are not dosfuscated. So let's do this. I'm going back to my command here where I extract the strings, and before I extract those strings I'm going to grep like this for a caret, but again it's a special symbol in regular expressions, so I have to escape it, like this. And then indeed you can see the PowerShell command. Here is a PowerShell New-Object Net.WebClient.

So it's a downloader with a couple of URLs. Then it will try to write this to disk and then, of course, try to execute it.
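The pipeline described above (extract the string literals from the macro, keep only the ones that carry caret escapes, join them, strip the carets, reverse the result), as an added Python example that is not part of the diary and not one of Didier Stevens' tools (oledump, re-search, sets, python-per-line). The VBA fragment, the function names and the URL are all constructed for illustration; the padding calls use Mid with a start position past the end of the string, which in VBA yields an empty string, and the caret filter drops them without having to evaluate them.

```python
import re
from typing import List

# Constructed VBA fragment (not taken from the sample in the diary). The reversed,
# caret-escaped payload is split across several string literals, and plain-string
# padding calls are interleaved between them, mimicking the trick described above.
SAMPLE_VBA = r'''
Dim s As String
s = "ex^e.lo" & Mid("digital", 987654, 32)
s = s & "ot/dil^avn" & Mid("web", 876543, 16)
s = s & "i.elp^maxe" & Mid("experts", 765432, 8)
s = s & "//:pt^th"
'''

# Double-quoted VBA string literals (no escaped quotes in this constructed sample).
STRING_LITERAL = re.compile(r'"([^"]*)"')


def extract_strings(vba: str) -> List[str]:
    """Pull every string literal out of the macro text, in source order
    (the role re-search plays in the transcript)."""
    return STRING_LITERAL.findall(vba)


def keep_dosfuscated(strings: List[str]) -> List[str]:
    """Keep only literals that contain a caret: those are the dosfuscated
    fragments, while the padding-call arguments carry none
    (the grep for an escaped caret in the transcript)."""
    return [s for s in strings if "^" in s]


def join_and_strip_carets(strings: List[str]) -> str:
    """Concatenate with no separator (sets join) and remove the carets
    (sed s/\\^//g)."""
    return "".join(strings).replace("^", "")


def reverse_line(line: str) -> str:
    """Reverse the line with a negative-step slice (python-per-line line[::-1])."""
    return line[::-1]


def naive_deobfuscate(vba: str) -> str:
    """The first attempt from the transcript: every literal is joined, so the
    padding strings end up interleaved with the real payload."""
    return reverse_line(join_and_strip_carets(extract_strings(vba)))


def deobfuscate(vba: str) -> str:
    """The corrected pipeline: filter on the caret before joining."""
    return reverse_line(join_and_strip_carets(keep_dosfuscated(extract_strings(vba))))


if __name__ == "__main__":
    print("all literals :", extract_strings(SAMPLE_VBA))
    print("naive result :", naive_deobfuscate(SAMPLE_VBA))
    print("filtered     :", deobfuscate(SAMPLE_VBA))
```

The naive path reproduces the symptom from the transcript (readable fragments with junk such as "strepxe" wedged between them), while filtering on the caret first yields the clean, reversed URL. The filter is a heuristic tied to this particular obfuscator: it only works because the payload fragments are the ones that carry the escape characters.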