What I want to show now is the analysis of a malicious document, a Word document, that is quite complex to decode, so here it is. Now we have a couple of forms here, which are quite large, so let's first look into them. Okay, and this here doesn't seem actually to contain real data, or anything encoded. But the name over the properties, and the other one was 22, and this seems to contain something encoded. It's very likely that this is something encoded. Let's look at the VBA code. So let's search for that keyword, okay, and indeed, so we have the form, the caption, that's a caption here, which is assigned to variable Eliot. Let's search for Eliot, okay, and we can see that Eliot is the argument of a function Hunter. So this is probably the coding function. We have Hunter here, the coding function. Now let's also search for gas, okay, gas is assigned to mid-August, and this here is the argument of a function differing, so let's search for differing as a function here.

So let's take all this code, I copy it to the clipboard, and let's look at it in an editor. Okay, so here we have the VBA code, so we have the value of our caption. So let's do a hexadecimal dump like this, and copy this to the clipboard, and then also paste this in our editor, paste from hex text like this, and now we have our code here. So okay, so here our caption begins, so let's remove all of this. Our code goes to here, so let's remove this. Okay, so that is what we need to decode with the Hunter function.

Now if we look at the Hunter function, let's do a search for Hunter. Here we have function Hunter, and you will see that it is quite complex. Now we also see that there are always empty lines between each statement. That is because of the file redirection. We can remove this. Now if we go to the hex view, here at the end of a statement, you see that you actually have a carriage return and then carriage return new line. So let's replace this by carriage return new line.
Let's search and replace, and replace this with 0D0A, replace all like this, and now we have removed those empty lines. So let me search again for Hunter. So here we have the function, and this function is quite complex. So we are not going to translate this to Python to be able to decode a payload, but we are going to use VBA itself. And this is how I do this. First of all, I copy this function Hunter, it's quite long. Okay, here is the end of the function. So let's copy this, and now I also have a special spreadsheet, a decoder spreadsheet, that will help us decode.

So let's take a look at the Visual Basic code here of sheet one. And what you have here is first encoded sheet to string, then decode, and then dump hex ASCII. So what this does is, first of all, it takes a hex dump that is in the spreadsheet. Let me show you here. If you have a hex dump here, it will take this hex dump and convert this to a string. And then this string will be decoded by the F function, and that is our Hunter function. And then the decoded string will be dumped as hex and ASCII to a new sheet. And we will have a sheet for ASCII and a sheet for Unicode.

So what I do here is paste my Hunter function, and I quickly go through my Hunter function to see if it doesn't contain any calls to create objects or calls to API functions. Because this could trigger a payload or a function, and we don't want that. We don't want to infect ourselves. So it doesn't look like it contains functions like this. It just looks like string and number manipulation. OK, so this is our Hunter function that we will execute on our encoded text. And the encoded text, we also need to put it in the spreadsheet here in sheet Encoded. So in my 010 Editor here, I have my payload. So let me copy this. I select all, and then I do an edit copy as hex text like this, sorry, to the spreadsheet. And now I paste this here in the spreadsheet, paste like this. So now the spreadsheet contains the hex code.
And now we can go back to the Visual Basic editor. So the hex code in the spreadsheet will be converted to a string, encoded. This string will be passed on to the Hunter function, which will return the decoded string. And that decoded string we are going to dump to a sheet, an ASCII sheet and a Unicode sheet. So let's run this, and we get an error. We have a post script function that is not defined. So let's search for that post script function in our dump, post script. OK, and here we have function post script. And that looks to be a very simple function. It's actually an And function. So we can copy this and add it to our VBA code. It doesn't present a risk like this. And let's run this again. We are missing another function, Vergeuse. So let's search for that function. OK, and here it is. This is also a very simple function. It's a modulus function. So let's copy this and paste this here like this. And now we can run this again. OK, and now we get no errors. So it's executed.

So let's look at the spreadsheet. And two new sheets have been added. This is the ASCII spreadsheet. And this doesn't look actually like what we are looking for. Many characters are the same, 3F. So let's look at the other one, Unicode. And this looks more like it. Here you can see VirtualAlloc, string. Here you can see .exe. Here you can see ExpandEnvironmentStrings, str. So here you have ReadFile, GetFileSize. So this looks like the shellcode we are looking for. So we can copy this like this. So I select the hex code. And now if I go to my 010 Editor, create a new page, new file, and then say paste from hex text, then I've pasted my shellcode here. And I can save this to disk, so shellcode.bin.vir. So here now I have a file with my shellcode. And I can use radare to disassemble this. So the command is to print disassembly. Block size is the complete file. And after we've done that, we quit. And this is the shellcode.
And indeed, this looks to disassemble to proper code. So this is certainly shellcode. Let me just redirect this to a file, .lst, like this. So this is how you decode encoded payloads with VBA code. If the VBA code is too complex, or you don't have the time to convert it to Python or another scripting language that you control, and you are not able to do that, you can use VBA itself. And the way we did it here, with the decoder function, makes sure that we don't risk actually executing a payload and thus infecting ourselves.
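The decoder spreadsheet shown in the video is not reproduced here; what follows is an added Excel VBA module of my own that performs the same three steps the narration describes: read the hex dump from a sheet, rebuild the string, hand it to the decoding function copied from the sample, and dump the result as ASCII and as Unicode on two new sheets. The sheet name Encoded, the column layout, the output sheet names and the decoder name Hunter are assumptions, not names from the video.

```vba
' Rebuild the encoded string from the hex dump pasted into column A of the
' "Encoded" sheet: keep hex digits, drop spaces/line breaks, one character per byte.
Function EncodedSheetToString() As String
    Dim ws As Worksheet, cell As Range, hexText As String, i As Long, s As String
    Set ws = Worksheets("Encoded")
    For Each cell In ws.Range(ws.Cells(1, 1), ws.Cells(ws.Rows.Count, 1).End(xlUp))
        hexText = hexText & cell.Value
    Next cell
    hexText = UCase(Replace(Replace(hexText, " ", ""), vbLf, ""))
    For i = 1 To Len(hexText) - 1 Step 2
        s = s & ChrW(CLng("&H" & Mid(hexText, i, 2)))   ' code 0-255 per byte pair
    Next i
    EncodedSheetToString = s
End Function

' Write s to a new sheet as offset / hex / printable ASCII, 16 bytes per row.
' unicode:=False maps each character to one ANSI byte (anything outside the code
' page becomes 3F, '?'); unicode:=True dumps the two UTF-16LE bytes VBA keeps per
' character, which is the view that exposed the shellcode in the walkthrough.
Sub DumpHexAscii(s As String, unicode As Boolean, sheetName As String)
    Dim b() As Byte, ws As Worksheet, r As Long, i As Long, j As Long, last As Long
    Dim hexPart As String, asciiPart As String
    If unicode Then b = s Else b = StrConv(s, vbFromUnicode)
    Set ws = Worksheets.Add(After:=Worksheets(Worksheets.Count))
    ws.Name = sheetName                         ' errors if that sheet already exists
    r = 1
    For i = LBound(b) To UBound(b) Step 16
        hexPart = "": asciiPart = ""
        last = i + 15: If last > UBound(b) Then last = UBound(b)
        For j = i To last
            hexPart = hexPart & Right("0" & Hex(b(j)), 2) & " "
            If b(j) >= 32 And b(j) < 127 Then asciiPart = asciiPart & Chr(b(j)) Else asciiPart = asciiPart & "."
        Next j
        ' Leading apostrophe stores the cell as text, so "=..." or "05" is never a formula/number.
        ws.Cells(r, 1).Value = "'" & Right("00000000" & Hex(i), 8)
        ws.Cells(r, 2).Value = "'" & Trim(hexPart)
        ws.Cells(r, 3).Value = "'" & asciiPart
        r = r + 1
    Next i
End Sub

' Hunter is the decoding routine pasted from the sample, plus any helper it calls.
' Read it first: only string and number manipulation, no CreateObject, Shell,
' Declare or file access, before it is executed here.
Sub Decode()
    Dim decoded As String
    decoded = Hunter(EncodedSheetToString())
    DumpHexAscii decoded, False, "ASCII"
    DumpHexAscii decoded, True, "Unicode"
End Sub
```

If the sample's decoder expects a different input form (for example Asc on ANSI characters rather than ChrW code points), adjust the conversion in EncodedSheetToString to match how the original caption was read.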