Hello, Didier Stevens here, Senior Handler at the Internet Storm Center. I received a malicious Word document that contains a large string, and I wrote a diary entry about it. Here I'm going to analyze it with CyberChef. So I open the file, this is the sample, in CyberChef. Let's check the file type. And indeed it is a Microsoft Office document, an OLE file as I like to call them. So what I'm going to show here is that you can use the strings command to analyze this malicious document. Sometimes you can analyze malware just by using the strings command. It doesn't happen that often. I mean, most samples cannot be analyzed in this way, but still there are regularly samples that you can analyze like this. And that makes it easy, because everybody can use the strings command. So let's take the strings here. I'm going to search for all printable characters and display the total number of strings. So 1,482 strings if we take a minimum length of 4. Let's look at 100, then we have 4 strings. 1,002 strings, 10,001 string. So there is in this Office Word document a string, we see it here, that is longer than 10,000 characters. So that's very unusual. Now you see here that B2 reappears, all the way here, B2, B2, with square brackets: open square bracket, B2, close square bracket. And we have equal, equal at the end. So this is probably obfuscated base64. The way this is obfuscated is probably by inserting many instances of this here: open square bracket, B2, close square bracket. So let's remove this by doing a search and replace. So I'm going to take a simple string. So open square bracket, and you can already see that this is removed from the output. B2, and here open square bracket. And now we see something here with also SS, and something that might be "username" and "word". So it could be that our repeating string also includes an S. So let's try that. And indeed, so this is actually the repeating string: close square bracket, B2, open square bracket, S.
Because now we can see CMD, CMD, PowerShell and code, and here we have our base64. So now we are going to decode this base64. But if you do that with CyberChef here, From Base64 like this, then this fails, because the strings in the beginning and the characters in the beginning are not base64. So we need to remove this here. You can do that, for example, with Drop bytes. Let's remove 100 bytes and see what we have. Okay, it's almost gone. So let's make this a bit longer until we only have the base64. Yeah, here we are. So we need to remove 140 characters at the beginning. And then we have our base64 that we can then decode. And this looks like Unicode and a PowerShell script. So let's decode this to ASCII, Decode text. And so UTF-16, little endian, yes. So that is our PowerShell script. And you can see here fragments of strings that resemble URLs, that look like parts of URLs. What is going on here is actually that all these strings here are concatenated to make up a URL. And we can also decode this by removing all those operators and other characters that are being used to do the concatenation. So again, we are going to replace strings by nothing, so removing strings. And this time I leave it as a regular expression, because I'm going to give a list of characters that should be removed, like the plus character. Okay, as you can see here now, here you can see, for example, a word now: family life. So single quote, that's also a character we want to get rid of. And now we already see more, like here W, P and min. So close parenthesis, open parenthesis, these are other characters we also want to get rid of, like this. Okay, and now we end up with a URL like this one here. Now notice that the protocol here is not HTTP or HTTPS. It is again this string, this obfuscating string that we saw before: close square bracket, B2, open square bracket, S. And if you look down a bit further here, you have the last URL and then you have a replace method.
And you see here our string, our obfuscating string, and here the string that will be used to replace it. So what we want now is again to do a replace. That didn't work, so let's try again. Okay, so this time a simple string, close square bracket, B2, open square bracket, S, and replace this with HTTP. And now we can see the URLs here. And let's see if we can extract these URLs: Extract URLs. Okay, and now here we have one long line of URLs. Why don't we see individual URLs, one per line? Because of this here, the at character. The at character has special meaning for URLs, it's when you use credentials. So the way this is interpreted here, this is the URL with the protocol and hostname part, and then at, and here this is supposed to be the credentials, so username and password. That's how it works. But here in this malicious PowerShell script, the at character is actually used as a string separator to separate URLs. So what I'm going to do is again replace, or let's do a split. Let's do something else, do a split. So a split here after the find and replace here. So let's look for at, replace this with a new line, and then extract our URLs. And here we have our URLs. You can also defang them. If you want to publish them somewhere, then just use this step here, Defang, and then you have your defanged URLs. So here I showed you how you can analyze a Word document that contains a large string. Not all malicious Word documents contain that, but here it does. And in that case, you can just use CyberChef to do the analysis to extract the URLs.
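The same CyberChef recipe as a script, added here as an example that is not part of the diary or the video: it builds a constructed sample in the style of the document (the marker `]B2[S` interleaved into base64 of a UTF-16LE PowerShell fragment, with placeholder `.example` URLs), then walks the steps from the video. It generalizes the fixed "drop 140 bytes" step by locating the longest base64 run instead of hard-coding the offset.

```python
import base64
import re

# Constructed sample, modelled on the document described above; not real malware.
MARKER = "]B2[S"  # the repeating obfuscation string observed in the Word document
SCRIPT = (
    "$u = ']B2[S://down'+'load1.exa'+'mple/wp-'+'content/x.bin@'"
    "+']B2[S://cdn2.exam'+'ple/fami'+'ly/life.bin@'"
    "+']B2[S://host3.examp'+'le/wp-min'+'.bin'\n"
    "$u = $u.replace(']B2[S','http')\n"
)

def build_sample() -> bytes:
    """Junk prefix, then base64(UTF-16LE script) with MARKER inserted every 6 chars."""
    b64 = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
    noisy = MARKER.join(b64[i:i + 6] for i in range(0, len(b64), 6))
    return ("." * 140 + noisy).encode()   # 140 bytes of non-base64 noise, as in the video

def deobfuscate(blob: bytes) -> list[str]:
    """Return the URLs hidden in the large string, following the CyberChef recipe."""
    # 1. Find/Replace: remove the repeating obfuscation string
    text = blob.decode("latin-1").replace(MARKER, "")
    # 2. Instead of "Drop bytes 140", take the longest run of base64 alphabet characters
    runs = re.findall(r"[A-Za-z0-9+/]{40,}={0,2}", text)
    b64 = max(runs, key=len)
    # 3./4. From Base64, then Decode text as UTF-16LE
    script = base64.b64decode(b64).decode("utf-16-le")
    # 5. Find/Replace (regex): strip the quotes, plus signs and parentheses used for concatenation
    joined = re.sub(r"['+()]", "", script)
    # 6. Apply the script's own .replace(): the marker stands in for the protocol
    joined = joined.replace(MARKER, "http")
    # 7. Split on '@' (a separator here, not credentials), then Extract URLs
    return re.findall(r"https?://[^\s@]+", joined.replace("@", "\n"))

def defang(url: str) -> str:
    """Neutralise a URL for publication, in the style of CyberChef's Defang URL."""
    return url.replace("http", "hxxp").replace(".", "[.]").replace("://", "[://]")

if __name__ == "__main__":
    for url in deobfuscate(build_sample()):
        print(defang(url))
```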