So, this week I received another PDF document that contains a malicious Word document with macros. So, let's take a look at the analysis with pdfid. Looking at the sample, you see that it contains JavaScript, an open action and also an embedded file.

So, with pdf-parser, I'm going to search for that open action. So, here you have the open action, and the action is JavaScript, which is found in object 5. So, I'm selecting object 5. It's a stream object. So, let's apply a filter, and here we see the content. Let's output it in raw mode, like this. Okay, so here we have a function definition, and then we have this exportDataObject with the name of a file, and the launch code is 2. So, this will write this embedded docm file to a temporary file and then launch it with the corresponding application.

So, let's search for the embedded file. So, it's here in object 3. With uppercase H, I can see what's inside the stream. So, this is the length and the MD5 hash of the unfiltered stream, and also the header. And this is the length and the MD5 and the header of the filtered stream. You can see that this starts with PK. So, indeed it's probably a docm file, a new Office file format. So, a ZIP file with XML files inside it, and also containing macros. So, we know that macros in the new file format for Office are also contained in OLE files stored in the ZIP container.

So, let's dump this. So, we apply the filter. We dump this to standard out, and then I pipe this through oledump. And indeed it contains macros, several modules. Let's select and extract all the macro streams, like this. Okay. And now, let's pipe this through re-search and search for strings. Extract the strings. Oh, here we have the strings. Okay. And here we can see URLs, bis, net, code.uk. So, let me grep for bis, like this. And you can see that the separator between the URLs is the uppercase letter V. So, let's do a sed. So, we are going to replace V with a space character, like this. And this gives us the three URLs.
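
The PDF-side checks from this walkthrough (an open action, JavaScript calling exportDataObject with a launch value, and an embedded stream that starts with PK) can be scripted for triage. The following is an added example, not part of the original video or of the tools it uses; the function names and the inert sample document are constructed for illustration, and the regex-based object scan assumes direct /Length values.

```python
import re
import zlib

# Heuristic triage, not a full PDF parser: assumes direct /Length values.
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"/Length\s+(\d+).*?stream\r?\n", re.S)
LAUNCH_RE = re.compile(rb"exportDataObject\s*\(.*?nLaunch\s*:\s*(\d+)", re.S)

def stream_data(body):
    """Return the object's stream bytes, inflated when /FlateDecode is set."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    raw = body[m.end():m.end() + int(m.group(1))]
    if b"/FlateDecode" in body:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            pass  # keep the raw bytes if the filter cannot be applied
    return raw

def triage(pdf):
    """Report the indicators from the walkthrough, keyed by object number."""
    report = {"open_action": [], "js_launch": {}, "embedded_zip": []}
    for num, body in OBJ_RE.findall(pdf):
        obj = int(num)
        if b"/OpenAction" in body:
            report["open_action"].append(obj)
        data = stream_data(body) or b""
        m = LAUNCH_RE.search(data)
        if m:  # JavaScript exporting an attachment; 2 = save to temp file and open
            report["js_launch"][obj] = int(m.group(1))
        if b"/EmbeddedFile" in body and data.startswith(b"PK\x03\x04"):
            report["embedded_zip"].append(obj)  # ZIP container, e.g. a .docm
    return report

def stream_obj(num, extra, payload):  # one Flate-compressed stream object
    z = zlib.compress(payload)
    return (b"%d 0 obj\n<< %s/Filter /FlateDecode /Length %d >>\nstream\n"
            % (num, extra, len(z))) + z + b"\nendstream\nendobj\n"

def build_sample():
    """Constructed, inert sample mirroring the object layout described above."""
    js = b'function f(){this.exportDataObject({cName:"sample.docm",nLaunch:2});}f();'
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 4 0 R >>\nendobj\n"
            + stream_obj(3, b"/Type /EmbeddedFile ", b"PK\x03\x04" + b"\x00" * 26)
            + b"4 0 obj\n<< /S /JavaScript /JS 5 0 R >>\nendobj\n"
            + stream_obj(5, b"", js))
```

Calling `triage(build_sample())` returns the object numbers to inspect next; on a real file the flagged embedded object is the one to dump and hand to a macro analysis tool.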