Hello, I'm Didier Stevens, a senior handler with the Internet Storm Center. We received a malicious document, an Office document that I'm going to look at with oledump. And as you can see, it contains macros. But before we start looking into the macros, also remark that here we have a stream whose name ends with /o. So this is a form that contains properties: in f you have the names of the properties and in o you have the values of the properties. And it often happens that malware authors will hide snippets of commands in properties. And here you can see that the size is 2336 bytes, which is a bit large for such an /o stream. So we are going to look into that stream. I'm selecting it. Okay, yeah. And as you can see here, we have something that looks like base64 code with a lot of As. So this could be Unicode, and Unicode, yeah, that tells us that it could probably be PowerShell. I can also use a plugin, plugin_stream_o, on this document. And then as you can see, it will extract the different property values for you. And here you can already see also PowerShell encoding. So you can be sure that this is a PowerShell command. So this is base64 and therefore I'm going to pipe this into my tool base64dump. And here string 12, that's the largest one. So that is the one that we decode. We can instruct base64dump that we want strings to be selected only when they have at least 20 characters in them, like this. And then only that large string is listed. So that helps you reduce the clutter on your screen, because of course many strings will actually be syntactically valid base64 strings. So I'm selecting this one and I'm doing an ASCII dump. And this indeed looks like base64. So I'm going to convert this. This looks to be UTF-16, and indeed here we have our PowerShell script, where you can see another base64 string. And here you can see, with a little bit of obfuscation, System.IO.Compression.DeflateStream.
So this base64 string here is compressed data. So I'm going to pipe this again to base64dump. And here the longest one is entry 5. So I'm selecting that one. I'm doing an ASCII dump. And here you can see all hexadecimal data. So this looks like it is compressed data. So I'm going to do a binary dump and pipe this through translate with option -f. Option -f does a full read. So translate by default operates byte per byte, but if you use -f, then you let translate operate on the complete file. And what we are going to do here is call function ZlibRawD, because it's zlib compression: raw decompression, D. And indeed the data is decompressed. And here you can see another PowerShell script, which is a downloader, with here one URL that it will download and execute as a PowerShell script. And here is another URL from which it will download and save an exe to disk and then execute that. Now how did I know that this here is compressed data? Well, because of what's in the PowerShell script: it does decompression. There is no zlib header here that indicates that this is zlib compressed. I will discuss this in an upcoming diary entry. But that is why I'm doing a raw zlib decompression: so, zlib compressed without header. If there is a header, then you call ZlibD. But of course you get an error here, because this one is expecting a header and there is no header.
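The unpacking chain described in the video, as an added example that is not from the video or from Didier Stevens' tools: a constructed, benign placeholder script is raw-DEFLATE compressed, base64 encoded, wrapped in an outer script, UTF-16LE encoded and base64 encoded again, and then peeled apart in the same order with Python's standard library. The last two functions show why a raw decompression (wbits=-15, the equivalent of ZlibRawD) succeeds where a header-expecting zlib decompression (the equivalent of ZlibD) fails.

```python
import base64
import re
import zlib

# Constructed sample, not the payload from the analysed document: a harmless
# inner one-liner stands in for the downloader script.
INNER_SCRIPT = "Write-Host 'second stage placeholder'"


def raw_deflate(data: bytes) -> bytes:
    """Compress the way System.IO.Compression.DeflateStream does: no zlib header or trailer."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


# Outer script carries the compressed inner script as base64 (constructed, hypothetical wrapper).
_inner_b64 = base64.b64encode(raw_deflate(INNER_SCRIPT.encode())).decode()
OUTER_SCRIPT = ("$d=[Convert]::FromBase64String('" + _inner_b64 + "');"
                "New-Object IO.Compression.DeflateStream")
# PowerShell -EncodedCommand form: UTF-16LE then base64. The null bytes of UTF-16LE
# are what produce the many 'A' characters seen in the property value.
ENCODED_COMMAND = base64.b64encode(OUTER_SCRIPT.encode("utf-16le")).decode()


def base64_strings(text: str, minlen: int = 20) -> list:
    """Candidate base64 strings of at least minlen characters, longest first (the 20-char filter)."""
    pattern = r"[A-Za-z0-9+/]{%d,}={0,2}" % minlen
    return sorted((m.group(0) for m in re.finditer(pattern, text)), key=len, reverse=True)


def decode_encoded_command(b64: str) -> str:
    """base64 -> UTF-16LE text, i.e. the first decoding step in the video."""
    return base64.b64decode(b64).decode("utf-16le")


def inflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE decompression: negative wbits tells zlib there is no header (ZlibRawD)."""
    return zlib.decompress(data, wbits=-15)


def inflate_with_header(data: bytes):
    """Header-expecting zlib decompression (ZlibD); returns None when the header check fails."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None


def unpack(encoded_command: str) -> str:
    """Full chain: UTF-16LE base64 -> outer script -> longest base64 string -> raw inflate."""
    outer = decode_encoded_command(encoded_command)
    inner_blob = base64.b64decode(base64_strings(outer)[0])
    return inflate_raw(inner_blob).decode()
```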