Hi, I'm Didier Stevens, a senior handler with the Internet Storm Center. This weekend I analyzed a malicious Office document, and here I'm going to show you how I did this. Now, the sample that I'm analyzing here is very similar to the one I described in this diary entry of yesterday, or Saturday. The difference is that here the malicious document is inside an email as an attachment, an MSG file, and MSG files can also be analyzed with oledump.py. So here is the MSG file, and then you get all the streams. Some of the streams here contain the body and the headers, and here at the beginning you have the streams that contain the attachment. You can use my plugin, plugin_msg.py, so that it does some of the decoding of the names of the streams for you, so that you have a better idea what the streams contain. And if we look at the beginning here, you can see stream 3: that's binary data, and that is actually the data of the attachment. And here you have the first bytes of the binary data, and you can see that it starts with PK 03 04. So this is actually a ZIP file, and the attached file is a ZIP file.

So with oledump.py I can select this stream and dump it to standard output, so that I can pipe it into zipdump.py, my tool to analyze ZIP files. Okay, and we get an error, and if you look at the error here you see "bad password for file". So this ZIP file is password protected, and the password is not "infected", because by default, when a ZIP file is password protected, many of my tools, like zipdump.py, will try to open it with the password "infected". That failed here, so that's not the right password. So with zipdump.py we can also do a small dictionary attack with built-in passwords. That's option -P, capital P, and then you can provide a file name with the passwords you want to try. But if you type a dot, then you are actually using the internal list, the list inside of zipdump.py, which is actually the open-source list of passwords that is included with John the Ripper.
Okay, and indeed it was able to decrypt the content of the ZIP file with one of those passwords. So we see that the ZIP file contains a file called request12.doc. So it is a document file. So I will select this file, dump it again as binary data, and then pipe this again into oledump.py, now to analyze the Word document. Okay, and here we have the streams inside the Word document, and no surprise here: stream 8 contains macros. So we are going to take a look at stream 8, with option -v to decompress the macros, because macro source code inside a stream of an Office document is compressed and needs to be decompressed, and I'm going to pipe this through less. And indeed here we see source code, and you see things like Chr and these kinds of strings. You know that you are dealing with something malicious, because this is not normal code. This is more of the same, and here at the end we have a shell command, cmd, and let's take a look. Okay, here: alternative text. So this is coming from the alternative text of an object, and also this is something new you see here, the Replace function. So on this string here, the content of that alternative text, a Replace is done, and the right square bracket is replaced with an A.

So one method to find this command, that I explained in the previous diary entry and that I also reference in this diary entry here, is just to look for long strings, because this is probably a PowerShell command that is in the Office document, and they tend to be rather long. So if you just look at long strings you will quickly find that PowerShell command, and you can do this with one of my tools. It's called strings.py; like the strings command, it just extracts strings, but it has an option, uppercase -L, that will sort the strings by length, so the longest strings will be at the end.
Sorry, this is sorting the source code; that's not what we want. We want this here: we are going to apply the strings command on the .doc file, and we are no longer going to use oledump.py like this. And here indeed you see a PowerShell command, with here the base64-encoded script, and as you can see here you have a lot of right square brackets, which is not normal; you don't find that in base64. So I'm going to grab this, so encoded. It gives me this, and now with the stream editor sed I'm going to substitute the square bracket for the letter A. I'm going to do this for all occurrences. Now a square bracket is a special character, so I need to escape it, like this. Okay, and now we have something that looks more like base64, so I can pipe this into base64dump.py, my tool to analyze base64, and indeed it recognizes this long string here, number 2, and as you can see here it says "instant", so this is probably Unicode. Actually we expect Unicode, because that's what PowerShell takes when you pass it base64. So I'm going to select that second string, I'm going to do an ASCII dump, and here you can see that this is a Unicode PowerShell script, so this can be decoded by specifying that the type is UTF-16, and then here you get the clear-text PowerShell script. As you can see here, this PowerShell script will iterate over all the methods of the WebClient class, and if a method is named DownloadString, it will download from this URL and then execute this as a PowerShell script, and if the method is DownloadData, then it will download from this URL, write it to disk as an EXE, and then execute it. So this script does two things: downloads a PowerShell script, downloads an executable. When I did the analysis yesterday the files were no longer up, so I could not analyze them, but a reader told me where I could find this one on VirusTotal.
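The decoding chain described above (find the long string, undo the Replace of "]" with "A", base64-decode, recognise the UTF-16LE that PowerShell expects), as an added Python example that is not part of the transcript or of Didier's tools; the obfuscated sample is constructed from a harmless PowerShell one-liner, and the function names are the example's own.

```python
import base64
import re

# Constructed sample (not from the analysed document): a harmless PowerShell
# one-liner, UTF-16LE encoded, base64'd, then every 'A' swapped for ']' the
# way the macro's Replace() call obfuscates its payload.
SAMPLE_SCRIPT = "Write-Host 'hello from a decoded script'"
_b64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")
SAMPLE_OBFUSCATED = _b64.replace("A", "]")


def long_strings(data: bytes, minimum: int = 4) -> list[str]:
    """Printable ASCII runs sorted by length, longest last (like strings.py -L)."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % minimum, data)
    return sorted((r.decode("ascii") for r in runs), key=len)


def undo_replace(text: str, fake: str = "]", real: str = "A") -> str:
    """Reverse the macro's Replace(fake, real) so the text is valid base64 again
    (the sed s/\\]/A/g step from the video)."""
    return text.replace(fake, real)


def looks_utf16le(raw: bytes) -> bool:
    """PowerShell -EncodedCommand takes UTF-16LE, so for ASCII-only script text
    every odd byte is NUL; treat >= 80% NULs in the odd positions as UTF-16LE."""
    odd = raw[1::2]
    nul = odd.count(0)
    return nul > 0 and nul >= 0.8 * len(odd)


def decode_payload(obfuscated: str) -> str:
    """Full chain: undo the substitution, base64-decode, pick the text encoding."""
    raw = base64.b64decode(undo_replace(obfuscated), validate=True)
    if looks_utf16le(raw):
        return raw.decode("utf-16le")
    return raw.decode("latin-1")  # fall back to a lossless single-byte view


if __name__ == "__main__":
    # Blob standing in for the .doc file: junk bytes around the long string.
    blob = b"\x00xy\x01short\x02" + SAMPLE_OBFUSCATED.encode("ascii") + b"\xff"
    candidate = long_strings(blob)[-1]  # longest string, as strings.py -L would list last
    print(decode_payload(candidate))
```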