I want to show the latest version of my oledump tool. This new version is able to handle XML files that contain embedded OLE objects. So previously I've shown how we can analyze XML files that contain VBA macros, and this time I'm going to show XML files that contain OLE objects. So I have a sample here. It's actually the same sample as I showed in a previous video, but there we analyzed the sample manually, and here we are going to do it with oledump.

Okay, so you see this time oledump detects an oledata.mso file in the XML file, and this file contains one stream. It's not too big. So let's have a look inside the stream and get an idea of what we can expect. Let's do a hex dump. Okay, so here you have 00 00 16 00 00 00, and here 78. Now 78 here, that's interesting, because this can be the start of a zlib-compressed data stream. The 8 can indicate that it is compressed with the deflate method, and the 7 indicates a 32K window that was used for the compression. So 78 is a value that you will often find with zlib-compressed streams.

So I added a new feature to oledump that will search for possible compression inside the stream and then try to decompress it. So here this decompress option will make it search for that 78 byte and then decompress the stream that starts there. So let's try this. And indeed we have success. The content is decompressed, and when you see this sequence of bytes here, you recognize a DOC file. So the file that is embedded here is an OLE file. Since that's the case, we can pipe it into a second oledump. But now we don't want a hex dump, we want the raw data, so we're going to dump it. Okay, and this embedded OLE file contains another embedded object. We can see that here with Ole10Native. So let's select this stream and look at the information. Okay, so it is a file with extension VBS, so it's most likely a VBS script. The size is not too big. Let's extract it and have a look. And indeed it is a VBS script.
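The zlib-header heuristic described above (a 0x78 byte meaning deflate with a 32K window, followed by data that actually inflates, and a decompressed result that starts with the OLE compound-file signature), as an added example that is not oledump's own code. It applies the full RFC 1950 header check rather than only looking for 0x78, so that random 0x78 bytes inside binary data are rejected before zlib is even asked. The function names are made up for this example, and the sample bytes are constructed inline: a six-byte prefix like the one seen in the hex dump, followed by a zlib stream wrapping a fake OLE file.

```python
import zlib

# OLE compound file signature (D0 CF 11 E0 A1 B1 1A E1), the "DOC file" bytes
# recognised in the decompressed output.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def is_zlib_header(cmf: int, flg: int) -> bool:
    """RFC 1950 header check: compression method 8 (deflate), window size code
    at most 7 (32K window) and CMF*256+FLG a multiple of 31. 0x78 0x9C, 0x78 0xDA
    and 0x78 0x01 all pass; 0x78 followed by an arbitrary byte usually does not."""
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0


def find_zlib_streams(data: bytes) -> list[tuple[int, bytes, bool]]:
    """Return (offset, decompressed, complete) for every offset where a plausible
    zlib header sits and inflating from there produces output. 'complete' is True
    when zlib reached the end-of-stream marker and verified the Adler-32 checksum,
    which rules out the rare false positive that inflates a few bytes of garbage."""
    hits = []
    for offset in range(len(data) - 1):
        if not is_zlib_header(data[offset], data[offset + 1]):
            continue
        inflater = zlib.decompressobj()
        try:
            out = inflater.decompress(data[offset:])
        except zlib.error:
            continue
        if out:
            hits.append((offset, out, inflater.eof))
    return hits


def classify(payload: bytes) -> str:
    """Minimal type check on the inflated bytes: is it an OLE compound file?"""
    return "OLE compound file" if payload.startswith(OLE_MAGIC) else "unknown"


# Constructed sample (not the stream from the video): the 00 00 16 00 00 00 prefix
# seen in the hex dump, then a zlib stream containing a fake 512-byte OLE header.
FAKE_OLE = OLE_MAGIC + b"\x00" * 504
SAMPLE_STREAM = b"\x00\x00\x16\x00\x00\x00" + zlib.compress(FAKE_OLE)

if __name__ == "__main__":
    for off, blob, complete in find_zlib_streams(SAMPLE_STREAM):
        state = "complete" if complete else "truncated"
        print(f"zlib stream at offset {off}: {len(blob)} bytes, {state}, {classify(blob)}")
```

Running it reports one stream at offset 6 that inflates to an OLE compound file; the header bytes at that offset are 78 9C, which is what Python's default compression level emits. Dropping the `% 31` test and scanning for 0x78 alone is what produces spurious decompression attempts on larger streams.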
This is, it looks like base64. And the function name here, Base64Decode, is a strong indication that it is indeed base64. So let's try to decode this. First I need to select the line. I'm going to do that with pcregrep, and I'm going to select the string like this: I want to start with a double quote, then any sequence of characters, and a closing double quote, like this. Okay, so this gives me the strings. I'm only interested in the first string, so let's do a head. Okay, this is the first string. Now we cannot yet pipe this into base64 to decode it because we have the double quotes. Let's remove them with translate, like this. Okay, and now I can pipe this into base64 to have it decoded. Okay, and we can see that once more a command line is started that launches PowerShell, that downloads a file from here, saves it as a CAB file, expands it as an EXE, and then executes it.