Okay, this time we are going to analyze another malicious document sample, and again we are going to use the VBA interpreter in Excel to analyze the decoding function to decode the strings. So, this is the sample. Stream 8 has the macros, so let's select stream 8 and decompress the macros, and here we have all the macros. Already here we can see a string that's not recognizable, so this is probably an encoded string. Let's copy everything to the clipboard, and then I can paste it here in the editor. So this is the beginning of the macro. Here we see a CreateObject, here we have another CreateObject, and this is passed the return value of function A, and function A takes this string which is not readable together with two numbers. So this is the decoding function, function A. So I'm going to copy this into Excel, so let's go to the Visual Basic editor. I will create the function Decode, and then I will pass the result of function A to a message box so that we can display the decoded value. So I need to find function A. Here it is, function A, and then I copy this to the editor. So that's what I'm going to do, copy function by function, and for every function that I copy I look at the code to see if there is nothing that could execute a payload, because by copying function by function and checking the code, we want to avoid executing the payload, just the decoding function.

So let me run this, and I get an error: I miss a function, so now I'm going to repeat. Let me search for that function, it's a Sub actually, so I'm going to copy this, and now let's run this again. Another function I'm missing, so another function to copy and to check. Here is a function, and you can see in this function that I'm just going to copy that it contains a loop, a while loop here, so this is probably the actual decoding function. I'm missing another function, that's a very small function, it's actually a call to the Mod function, the modulus. That's also something that we often see in decoding functions, a modulus. Now we miss this function, another function to copy. So now we no longer get an error, but we get an empty message box. That means that we are probably still missing variables or functions, so what I'm going to do now is turn on Option Explicit, and this will generate errors for all uninitialized variables. So let's run this, okay, and now we see here that this is something we miss. So let's search for this, and this is another function that we miss, a function without arguments. Okay, now we miss this function, okay, here is a function. This is just an identity function, it returns its argument. Okay, variable not defined here, okay, so variable not defined, that's because now that we have Option Explicit we need to define the variables. So this function here returns an integer, okay, so this variable must be an integer, so let's declare this as an integer, like this, and run it. Here we are missing another variable or function, here it is, so let me copy that over.

Another function to copy, so we copy function by function, and each time I look at the code to see if it doesn't contain something like a CreateObject or something else that could lead to code execution, because that's what we want to avoid, we just want to decode but not execute. Okay, another function, okay, and while I'm copying this I see that this function here is here, so let me copy that too, and that's actually the Right function, and then I have this function here, and this function is here, and that's actually the Left function, so let me copy those three functions. Okay, okay, and now we are able to decode a string, so this is the object that is actually created. If we go to the bottom here we can take a look at this long string, because this is probably a URL or a payload. Let me copy this and replace this here, yeah, so this looks like PowerShell code, and here is the URL to download.

Now the drawback of using the message box is that you cannot select the text, for example to copy the URL. A trick, one of the tricks you can do, is to replace the message box with an input box, and the third argument of the input box is the default value, so I gave an empty string here, another empty string, and then the return value of the A function is the default value, and when I run this here now, with this I can copy the complete code. Another way to achieve this, to copy the code, is to put it in an Excel cell, so let's type Cells, row one, column one, equals this value. So when we look at the spreadsheet the cell is empty, and when I run the code here the cell now contains the decoded string.

And now with this cell trick we can do this actually for all the strings in the code, so here I have the VBA code with a call to function A, and I'm going to use a regular expression together with my re-search tool, I'm going to use a regular expression to extract all those calls to function A with the encoded strings. So I have a function A, open the parenthesis, now I have to again type a double quote for the opening of the string, but this is a problem because I'm already using double quotes here to delimit the string, so I'm going to replace that double quote by its hex value 22, like this, and then I want to match any string, so any characters several times, and I want this to be non-greedy, then again here the double quote, then I have a comma, then I have a number, and another number, and then finally the closing parenthesis, like this, and with this I can extract all the calls to the function A. So let me copy that to the clipboard, so here are all the functions, and now I'm going to do a small search and replace to turn this into VBA code to put it in the cells of the spreadsheet, so search and replace: i equals i plus 1, and then Cells, the row is i, column is 1, and that is equal to A, like this. And now I just need to copy this code here, declare i as an integer, and initialize it to 0, and then I can run this function.

So now here I have the list of strings here, and this is actually the sample for which I wrote an ISC, an Internet Storm Center, diary. This is the sample that has a list of all kinds of security tools and appliances that it wants to avoid. This is the list here, you see, with Defender, Trustwave, Microsoft. It does this by doing an IP geolocation with MaxMind, but that's not all that it does, it also has a list of processes that it checks for, like TCPView, Wireshark here, all those processes. If those processes are running the code will not execute, so the payload will not execute, and otherwise here this PowerShell code will execute.
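The regex extraction of the `A("...", n, m)` calls and the search-and-replace into cell-writing VBA described above, as an added Python example; it is not the author's re-search tool or the sample's code, and the VBA excerpt, the string values and the numeric arguments are constructed. It also adds a keyword check for the "read each function before pasting it" step, since CreateObject is what the transcript looks for.

```python
import re

# Constructed VBA excerpt standing in for a decompressed macro stream.
# The decoder name A and the argument shape (string, number, number) follow
# the transcript; the string values and numbers are made up.
SAMPLE_VBA = '''Sub AutoOpen()
    Set o = CreateObject(A("Kz8hTGB2", 3, 7))
    Set p = CreateObject(A("dW5rbm93bg", 5, 2))
    x = A("R29vZGJ5ZQ==", 12, 4)
End Sub

Function A(s As String, k As Integer, n As Integer) As String
    A = s
End Function
'''

# The transcript's pattern: A( then a double quote written as \x22 (so it does
# not clash with the quotes delimiting the pattern), a non-greedy run of any
# characters, the closing quote, two numbers and the closing parenthesis.
CALL_RE = re.compile(r'A\(\x22.*?\x22, ?\d+, ?\d+\)')

# Keywords that, if present in a function about to be copied into Excel, mean
# it may do more than decode and must be read before pasting.
RISKY_RE = re.compile(r'\b(CreateObject|GetObject|Shell|WScript)\b', re.IGNORECASE)


def extract_calls(vba_source: str) -> list[str]:
    """Return every A("...", n, m) call found in the macro text, in order."""
    return CALL_RE.findall(vba_source)


def risky_lines(vba_source: str) -> list[str]:
    """Lines that could lead to code execution if pasted along with the decoder."""
    return [ln.strip() for ln in vba_source.splitlines() if RISKY_RE.search(ln)]


def cell_harness(calls: list[str]) -> str:
    """Build the VBA Sub that writes each decoded string into column 1,
    mirroring the search-and-replace from the transcript."""
    body = [f"    i = i + 1: Cells(i, 1) = {call}" for call in calls]
    return "\n".join(["Sub DumpStrings()", "    Dim i As Integer", "    i = 0", *body, "End Sub"])


if __name__ == "__main__":
    found = extract_calls(SAMPLE_VBA)
    print(f"{len(found)} decoder calls found; risky lines: {risky_lines(SAMPLE_VBA)}")
    print(cell_harness(found))
```

The printed Sub is what you would paste next to the copied decoder functions in the Visual Basic editor; each decoded string then lands in its own row of column A, where it can be selected and copied.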