I was given a new maldoc sample, a VBA sample, by someone who had trouble de-obfuscating the strings. So let's take a look. With oledump, this is the sample. Indeed it contains macro code. So let's select all this macro code and have a look. So select all and decompress, like this. Here is already a long string that looks obfuscated. Here is another one, and yet another one here. And here we see the Like operator. Now that is a strong indication that the obfuscation is actually done as follows. So the strings contain a lot of characters that don't actually make up the command. So the strings actually contain commands to be executed by the malware. So those strings contain a lot of characters that don't actually make up the command and which have to be removed. And that is done here with a method like this, with a Like operator. And these are actually the characters that have to be removed.

So let's take a look at all the strings in this code. First let us go back here. If you look at this now a bit closer, you can see cmd.exe. So that's cmd.exe that is launched with slash c, a space, and then p o w e r s h e l l. So PowerShell. So that's the way the obfuscation works. The letters like u and v and things like that have to be removed. Now we can do that with a couple of my tools. First re-search, a regular expression search. Now you can use it to easily search for strings. And you do that by... this is the help of re-search. And I just updated it so you can use it to search for your own regular expressions or for built-in regular expressions from its library. That was email, ipv4 and url. And now I also added str, string: a simple string definition for strings with double quotes. Let me clear this first, like this. So with re-search we search for strings like that. And now we have all the strings. And from our quick analysis we know that the obfuscated strings all contain an uppercase Q. So let's filter out those strings by grepping on it. So grep Q, like this.
And this gives us all the obfuscated strings, and also here the set of characters that we need to remove from those strings to have the clear text. And you can do that with my new tool sets.py. It's a tool I just released, and I also made a special video for it explaining how it works. So we are going to use this here. We pipe this into sets. We work at the byte level. And we are going to subtract all those characters. So we put them in a here document. A here document starts with a hash (#) here in my tools. But on my Mac here I have to prefix this; it's a reserved character, like that. And now I can take all those letters, copy-paste, and I'm going to remove all those letters here from all those strings. Which then indeed gives me clear text.

I can see cmd.exe, PowerShell, download file with the URL here. And it is written in the temp folder with .exe extension. And then it is not just executed. What is done then is add an entry to the registry in the classes for the msc file. And an msc file is a Microsoft console. So there is an entry added to associate that executable with msc files. And now if you launch Event Viewer, the malware will actually be launched. And the reason to do that is a trick that was recently documented. It's to bypass UAC, user access control. So with this set of instructions, this here will run with a high integrity level. And then next we have a ping to the local host, 15 pings. So that's to wait about 15 seconds. And after that we execute the program again. And this is most likely done in case the UAC elevation doesn't work. For example, if you are not a local admin, then this would not have the desired effect. And then we launch the malware routers and they launch the executable themselves afterwards.
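The same analysis steps in one script, as an added example that is not part of the original video or of re-search/sets.py: it extracts the double-quoted literals, reads the junk character set out of the macro's own Like pattern, keeps the literals that carry the marker character, and subtracts the junk bytes. The macro source, the junk set (U, Q, v) and the marker Q are constructed for the example, not taken from the analyzed sample.

```python
import re

# Constructed sample macro (not the analyzed maldoc): junk characters assumed to be
# U, Q and v, and every obfuscated literal carries an uppercase Q, as in the video.
SAMPLE_VBA = r'''
Sub AutoOpen()
    MsgBox "Macros enabled"
    Debug.Print Clean("cUmQdv.eUxQe /Qc pUoQwveQrUsQhUeQll")
End Sub
Function Clean(t As String) As String
    Dim i As Integer
    For i = 1 To Len(t)
        If Not Mid(t, i, 1) Like "[UQv]" Then Clean = Clean & Mid(t, i, 1)
    Next
End Function
'''

# Double-quoted VBA literal (a doubled quote inside is an escaped quote).
STRING_RE = re.compile(r'"((?:[^"]|"")*)"')
# The character class that the macro tests each character against with Like.
LIKE_RE = re.compile(r'Like\s+"\[!?([^\]"]+)\]"')

def extract_strings(vba: str) -> list[str]:
    """Pull every double-quoted literal out of the macro source."""
    return [m.group(1).replace('""', '"') for m in STRING_RE.finditer(vba)]

def find_like_charset(vba: str):
    """Return the characters inside the first Like "[...]" pattern, or None."""
    m = LIKE_RE.search(vba)
    return m.group(1) if m else None

def subtract_bytes(data: bytes, junk: bytes) -> bytes:
    """Byte-level set subtraction: drop every byte of data that occurs in junk."""
    return bytes(b for b in data if b not in junk)

def deobfuscate(vba: str, marker: str = "Q") -> list[str]:
    """Keep literals carrying the marker, skip the Like pattern's own literal,
    and subtract the junk set from each one."""
    junk = find_like_charset(vba)
    if junk is None:
        return []
    recovered = []
    for s in extract_strings(vba):
        if marker not in s or s == f"[{junk}]":
            continue
        recovered.append(subtract_bytes(s.encode(), junk.encode()).decode())
    return recovered

if __name__ == "__main__":
    print("\n".join(deobfuscate(SAMPLE_VBA)))  # cmd.exe /c powershell
```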