Hello, Didier Stevens here, senior handler at the Internet Storm Center. This video is for a diary entry here about the analysis of a malicious file, an HTML file, that reader Eric submitted, and it contains a Qakbot DLL. Let me show you. So when Eric submitted this, he told us that inside this HTML file there are some strange base64 pictures. So let's have a look. And indeed, here we have a large one. So let me use option -n for a minimum length of 10 for the items. And indeed, here we have two pictures, a GIF file and an SVG file. So let me select the first one. It has a very high entropy, 7.99, almost 8, and a maximum value. So this could indeed be a picture. And it doesn't contain long strings, you see. This is something new that I added to this version of base64dump, version 0.0.24. So that picture, at a very superficial inspection, looks okay. Let's take a look at the other one. Entropy 6, only printable bytes and whitespace. And then here, a very long sequence, almost 600,000 bytes of base64 digits. So that's another layer of base64 that we have to decode. So I'm just doing a binary dump and piping this again into another instance of base64dump. Okay, here we see one, a very large one, PK. So Phil Katz, zip file, and 10, okay, only one. So I select one and dump this into my zipdump tool to analyze the zip file. And we get an error: bad password for file "contract copy.iso". Okay, so it contains an ISO file. The password must be in the HTML. So let's grep for "password". Indeed, here you have "document password". So let's see what comes after that. Let's look at the 10 lines that follow that. And here we have ABC333. That's probably the password. Let's try that. Password ABC333. And indeed, that's the password. So I select this ISO file, do a binary dump and pipe this into isodump, a tool to analyze ISO files. And here it only finds a readme.txt file. And if I select that file, it's indeed a text file, a standard text file.
So isodump uses a library, pycdlib, to read ISO files. But it's not capable of reading secondary volume descriptors. Because when you see this sequence, it's clear that this is malicious, and it's very unlikely that it just contains a text file. What I expect here inside the ISO file is a DLL. So what I'm going to do is run my pecheck tool that analyzes PE files, but I'm going to let it carve the input, searching for PE files. And here we have one 32-bit DLL. Let me copy the hash here and look that up on VirusTotal. And indeed, it exists on VirusTotal. And here it looks like this is Qakbot. So I don't really have to do any further analysis on that one. Now let's come back here. So another tool that you can use to analyze ISO files is 7zip. Now I will show you the command that I would like to work with 7zip, but unfortunately it doesn't. And that is to say: read standard input, that works, and do a listing. That works for several different types of archive, like 7zip, zip, but it doesn't work for ISO. Listing archive: that's not implemented. So what I have to do is write this as a file to disk, and then I can analyze it with 7zip. So let's save it as .iso, not .vir, and then I can run a 7zip listing of the ISO file. And as you can see here: a link file, a JavaScript file, a CMD file, a JPEG file, sticker, and that one there is actually the DLL. Now let me try to show you that secondary volume descriptor of the ISO file. I will show you that with the binary editor 010 Editor. So first of all I'm going to do a pure hexadecimal dump of the ISO file, this here. I paste this into the clipboard, and then I can create a new file here, Paste From Hex. And then I have the ISO file here inside the editor without actually having to create a file. And then I can go to Templates, Drives and say this is an ISO file, and then the template will parse the binary data, and here you have the structures inside the ISO file.
Here you can see the file names, the folder and the file names that we saw. And here, this is the primary volume descriptor, but here we have a secondary volume descriptor, and that is the one that actually contains these files, while this one here contains the README.TXT file. So here you have the first one, here is the second one, and then if I scroll on here, as you can see, here is the content of that README file that is in the first descriptor. And then after that, here we have the file names that appear in the second descriptor.
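The trick in this sample is that the primary volume descriptor only lists README.TXT while the secondary (Joliet) descriptor carries the real file names, so a tool that stops at the primary descriptor reports a harmless image. The following example, added here and not part of the diary entry or of Didier's tools, walks every volume descriptor from sector 16 up to the set terminator, lists the root directory of each, and carves MZ/PE headers from the raw image the way the pecheck carve step did. The ISO image it parses is constructed in memory by `build_sample_iso()` (a PVD root holding README.TXT, a Joliet SVD root holding a fake `contract.dll`), and the "DLL" is a header stub, not a real PE; all names and sector numbers are assumptions for the demonstration.

```python
"""Walk ISO 9660 volume descriptors (primary and Joliet supplementary), list each
root directory, and carve PE headers. The image is constructed in memory; no real sample."""
import struct

SECTOR = 2048
JOLIET_ESCAPES = (b'%/@', b'%/C', b'%/E')   # escape sequences marking a Joliet SVD


def _both32(v):
    return struct.pack('<I', v) + struct.pack('>I', v)   # ISO 9660 "both-endian" field


def _both16(v):
    return struct.pack('<H', v) + struct.pack('>H', v)


def dir_record(extent, size, name, is_dir=False):
    """Build one directory record (ECMA-119 9.1): flags at byte 25, name length at byte 32."""
    rec = bytearray(b'\x00\x00') + _both32(extent) + _both32(size) + bytes(7)
    rec += bytes([2 if is_dir else 0, 0, 0]) + _both16(1) + bytes([len(name)]) + name
    if len(rec) % 2:            # records are padded to an even length
        rec.append(0)
    rec[0] = len(rec)
    return bytes(rec)


def volume_descriptor(vtype, root_rec=b'', escape=b''):
    """Type 1 = primary, 2 = supplementary (Joliet when escape is set), 255 = terminator."""
    vd = bytearray(SECTOR)
    vd[0], vd[1:6], vd[6] = vtype, b'CD001', 1
    vd[40:72] = b'CONSTRUCTED'.ljust(32)
    vd[88:88 + len(escape)] = escape
    vd[156:156 + len(root_rec)] = root_rec
    return bytes(vd)


def build_sample_iso():
    """Constructed image. Sectors: 16 PVD, 17 SVD, 18 terminator, 19 PVD root, 20 SVD root, 21 readme, 22 DLL."""
    readme = b'nothing to see here\r\n'
    dos = bytearray(64)
    dos[0:2], dos[0x3C:0x40] = b'MZ', struct.pack('<I', 64)      # e_lfanew points at 'PE\0\0'
    fake_pe = bytes(dos) + b'PE\x00\x00' + b'constructed stub, not a real DLL'
    pvd_dir = (dir_record(19, SECTOR, b'\x00', True) + dir_record(19, SECTOR, b'\x01', True)
               + dir_record(21, len(readme), b'README.TXT;1'))
    svd_dir = (dir_record(20, SECTOR, b'\x00', True) + dir_record(20, SECTOR, b'\x01', True)
               + dir_record(22, len(fake_pe), 'contract.dll'.encode('utf-16-be')))
    image = bytearray(16 * SECTOR)                                 # unused system area
    image += volume_descriptor(1, dir_record(19, SECTOR, b'\x00', True))
    image += volume_descriptor(2, dir_record(20, SECTOR, b'\x00', True), b'%/E')
    image += volume_descriptor(255)
    for payload in (pvd_dir, svd_dir, readme, fake_pe):
        image += payload.ljust(SECTOR, b'\x00')
    return bytes(image)


def parse_dir_record(buf):
    return {'length': buf[0],
            'extent': struct.unpack_from('<I', buf, 2)[0],
            'size': struct.unpack_from('<I', buf, 10)[0],
            'is_dir': bool(buf[25] & 2),
            'name': bytes(buf[33:33 + buf[32]])}


def list_directory(image, extent, size, joliet):
    """Return (name, extent, size, is_dir) for each entry except '.' and '..'."""
    off, end, entries = extent * SECTOR, extent * SECTOR + size, []
    while off < end:
        if image[off] == 0:                     # zero padding: records never cross a sector
            off = (off // SECTOR + 1) * SECTOR
            continue
        rec = parse_dir_record(image[off:off + image[off]])
        off += rec['length']
        if rec['name'] in (b'\x00', b'\x01'):
            continue
        raw = rec['name']
        name = raw.decode('utf-16-be') if joliet else raw.decode('ascii').split(';')[0]
        entries.append((name, rec['extent'], rec['size'], rec['is_dir']))
    return entries


def walk_volume_descriptors(image):
    """One dict per descriptor, in order, until the set terminator (type 255) or a non-CD001 sector."""
    result, sector = [], 16
    while (sector + 1) * SECTOR <= len(image):
        vd = image[sector * SECTOR:(sector + 1) * SECTOR]
        if vd[1:6] != b'CD001' or vd[0] == 255:
            break
        joliet = bytes(vd[88:91]) in JOLIET_ESCAPES
        root = parse_dir_record(vd[156:190])
        result.append({'type': vd[0], 'joliet': joliet,
                       'files': list_directory(image, root['extent'], root['size'], joliet)})
        sector += 1
    return result


def carve_pe(image):
    """Offsets of 'MZ' headers whose e_lfanew lands on a 'PE\\0\\0' signature."""
    hits, pos = [], image.find(b'MZ')
    while pos != -1:
        if pos + 0x40 <= len(image):
            e_lfanew = struct.unpack_from('<I', image, pos + 0x3C)[0]
            if image[pos + e_lfanew:pos + e_lfanew + 4] == b'PE\x00\x00':
                hits.append(pos)
        pos = image.find(b'MZ', pos + 1)
    return hits


if __name__ == '__main__':
    iso = build_sample_iso()
    for d in walk_volume_descriptors(iso):
        print('descriptor type', d['type'], 'Joliet' if d['joliet'] else 'primary', d['files'])
    print('PE headers carved at', carve_pe(iso))
```

Run against a real image, `walk_volume_descriptors(open('sample.iso', 'rb').read())` shows which descriptor owns which names; if the primary root lists only a decoy while a Joliet root lists a .lnk, .js, .cmd and the DLL, you have the same layout as the diary sample. The carve is independent of the filesystem, which is why it still finds the DLL when the directory parser does not.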