Hello, this is my last video for 2017. In a couple of hours here in Belgium it will be 2018, but I wanted to show you a quick analysis of this sample shared on Twitter by John Lambert here. So it's a spreadsheet with a button that will execute macros. So let's take a look with my tools.

So I run oledump on the sample. So indeed it is a spreadsheet, an XLSM file. We can see this here with the vbaProject.bin, the OLE file inside the zip file that contains a macro. So the macros here are in stream 3, so let's select stream A3. Do VBA decompress. And here we have the macro code. So it's a subroutine, print document properties. It will access properties from the spreadsheet, the author here. Create a WScript.Shell object and launch a new process, a PowerShell process. And this PowerShell process expects instructions, commands from standard in, and they are written with these statements here, StdIn.WriteLine author.

So with zipdump, because this XLSM file is actually a zip file, with zipdump we can look inside that zip file. And here in this file docProps/core.xml, there you have the properties. So I can select this file 13 and dump it, sorry it's not XLSM, xmldump, it's zipdump, select 13, dump like this here. And here if you look a bit here you will see this dc:creator. And you can see that the creator, so the author, is Start-Process, so this is the command that will be passed on to the PowerShell script, the PowerShell process, to be executed. Now I can also parse this with my xmldump tool, say for example dump all the text, and then here you can see all the text in the elements. I also have a new version of this tool that I still have to release and here you can see the text for the different elements like this, element text, and then you can see creator Start-Process notepad.

Now so if we go back to the macro code, so the function is print document properties. So let's search for this function with zipdump, and zipdump can accept YARA rules.
So with option -y here you can pass on the YARA rule and we can write a YARA rule to search for print document properties. But for that we have to create a YARA rule, but there is a shortcut here with my tool and that is if you type this, this means that you want to search for a string. So with this option, so #s#, you instruct zipdump and my other tools that support YARA too to create in memory a YARA rule that will look for a string, the s stands for string. So print document properties, so that is for the creation of a YARA rule that searches for the string, text, print document properties. It will look for ASCII and Unicode.

So we search for this in the spreadsheet and then we find three files that contain this: here the OLE file, that is to be expected, in the sheet itself, XML, and also here in vmlDrawing, VML. So let's take a look first at file 6, the sheet1.xml, and let's dump this. And here if we look we can see this. So you can see a control of a button 1 with macro print document properties. So this creates inside a spreadsheet a button, button 1, and when it is clicked it will execute print document properties. Again with my latest version of xmldump we can do a search for element text, well extract element text and no sorry not element text but attributes like this, and here you can see here the control is a button and the control properties macro print document properties.

And then the other file was file 9, vmlDrawing1.vml, so this is the vector markup language. Let's dump this and you can see this is XML, a button, here button, and here you can see again reference to the macro print document properties. So this is how you can quickly analyze this with my tools.
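The triage walked through in the video, as an added Python example that is not part of the video or of the speaker's tools: it checks an XLSM package for a VBA project, flags core document properties that read like commands, and lists the parts that mention a macro name in ASCII or UTF-16. The function names, the command heuristic, the constructed sample package and the spelling `PrintDocumentProperties` are assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

DC = "{http://purl.org/dc/elements/1.1/}"
# Heuristic (assumption): metadata such as an author name should not contain cmdlets or shell names.
COMMANDISH = re.compile(r"\b(?:(?:Start|Invoke|New|Get|Set|Add)-[A-Za-z]+|powershell|cmd\.exe|iex)\b", re.I)

def triage(data: bytes, needle: str) -> dict:
    """Report the VBA project, command-like core properties and parts naming `needle`."""
    report = {"vba_project": False, "suspicious_props": {}, "parts_with_needle": []}
    patterns = (needle.encode("ascii"), needle.encode("utf-16-le"))  # ASCII and Unicode forms
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            body = zf.read(name)
            if name.lower().endswith("vbaproject.bin"):
                report["vba_project"] = True
            if any(p in body for p in patterns):
                report["parts_with_needle"].append(name)
            if name.lower() == "docprops/core.xml":
                # Every core property is checked, not only the author field.
                for el in ET.fromstring(body).iter():
                    text = (el.text or "").strip()
                    if COMMANDISH.search(text):
                        report["suspicious_props"][el.tag.replace(DC, "dc:")] = text
    return report

def build_sample(macro: str) -> bytes:
    """Constructed, simplified stand-in for the spreadsheet (not the real sample)."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            "<dc:creator>Start-Process notepad</dc:creator><dc:title>Budget</dc:title></cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("xl/worksheets/sheet1.xml", f'<worksheet><control name="Button 1" macro="{macro}"/></worksheet>')
        zf.writestr("xl/drawings/vmlDrawing1.vml", f"<xml><FmlaMacro>{macro}</FmlaMacro></xml>")
        # Stub bytes only: the name is stored as UTF-16LE to exercise the Unicode search.
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + macro.encode("utf-16-le"))
        zf.writestr("xl/styles.xml", "<styleSheet/>")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage(build_sample("PrintDocumentProperties"), "PrintDocumentProperties"))
```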