Hello, Didier Stevens here, senior handler at the Internet Storm Center. One of my diary entries is about YARA and CyberChef, so YARA rules, pattern matching. You can use that with CyberChef too. In my diary entry, I give a simple example with a Word document with macros and then a rule. I also posted the recipe itself, so you can just copy-paste this. And then you are in CyberChef with the YARA rule here.

And this YARA rule is a simple rule that I made to detect Word Office documents, OLE files that contain VBA macro, compressed VBA macro. Now this rule, like many detection rules, is not perfect. It's not 100% guaranteed. For example, this one here, you can bypass its detection by stomping the VBA code. But that's not the subject here. Here I want to show you how you can use CyberChef and YARA.

So I have my YARA rule here, that's my recipe. And then here I have a document that I drop here. And as you can see, there is a match for the OLE VBA rule. You are not limited to one rule here. You can put in different rules. For example, let me copy this rule and say rule 2. If we see, for example, Word. Let's call it Word then. So now you have two rules here working on a single document.

You can also work on more than one document here by adding extra documents, even opening a folder of files. Here I'm just dropping a second document. And so what is displayed here now is first document still with its output. And here we have a tab for document 2 that I can click. Now as you see here, it doesn't detect. Now in my experience here, when you're working with multiple inputs and multiple outputs, so tabs, it's best to explicitly do the recipe here, Bake. And as you can see here now, we have a detection.

So this works here on OLE files. So if you don't have the YARA tool itself, which is a command line tool, if you cannot run that on your machine, you can do it here online with CyberChef. It can also work with files that you have to transform. For example, let me remove this.

And let's say now that we are going to work with a zip file that contains that Word document. Now this one here is a bit special. I'm going to make another video about this. What is here is just a zip file that contains one file. So there are not several files inside that zip file, just a single file. And if I run this, you see no detection. But if you take the unzip command here, then the file is unzipped and then the YARA rule is run and then you see the detection. It will work on zip files that contain more than one file, but you will not have the expected results. It depends on your YARA rules. And I will explain that in another video.