Hello, I'm Didier Stevens and in this video I'm going to show you the analysis of a malicious Word document with VBA macros. With oledump we can have a look at the document, and here you can see that streams seven and eight contain macros. This one, stream seven, is a lot larger, and stream eight is much smaller. So let's first take a look at stream eight. I select stream eight and decompress it. Here you can see a Sub procedure Document_Open. This will execute when the document is opened and the user enables execution. Then you have an Application.Run here with a lot of variables that are concatenated. So the command here is concatenated from different strings, probably string variables, and those are probably defined in the other stream, stream seven.

So let's take a look. Since this one is large, we are going to pipe it through less, and so stream seven, like this. Here indeed you can see a lot of variables and also several strings, and if you take a close look you have an empty string here, the next string is P, O, W, E, R, S, H, E, L, L, and so on. So this reads as PowerShell. The command here is probably inside the strings. We are going to extract those individual strings, and we can do that with re-search by saying that we are searching for strings with the regular expression str. OK, so this is not what we want. What's happening here is that the regular expression we used, str, works for strings that are not empty, but there are also empty strings in here. So we need to use another one, and that is str-e. This one will also identify empty strings, like this. OK, so in here we can see numbers, a lot of numbers. This is probably a PowerShell script that has the payload encoded as numbers. And in here you can see PowerShell, yeah, and then env, COMSPEC and so on. So this is clearly a PowerShell script.

So we want to concatenate those strings, and we also need to get rid of the double quotes, and of this empty string here. So we use another regular expression, str-eu, where the u stands for unquoted, to remove the quotes, like this. Then we are going to join this together with my sets command, which operates on sets of elements. Here we are going to join all the elements, all the strings, and the separator is an empty string, like this. And then here you can indeed see PowerShell, COMSPEC, string join, all those numbers to join and then to execute. I have a tool to analyze numbers like this, and it's called numbers-to-string. So we pipe this into numbers-to-string, and it will look at all the individual numbers and, if we don't specify any argument, it will just convert them to their ASCII representation. So let's see what this gives. Yeah, and indeed here we have decoded a PowerShell command, and we can see the different URLs from where an executable will be downloaded, saved and then executed.