1
00:00:00,570 --> 00:00:02,280
Hello and welcome back.

2
00:00:02,790 --> 00:00:10,830
In the previous video, we did the static analysis on the PDF document. In this video, we are going

3
00:00:10,830 --> 00:00:18,270
to continue with her office document, which gave her the and in the previous lesson.

4
00:00:18,930 --> 00:00:30,840
So let's change directory, cd .., to go back to the parent directory and then cd office

5
00:00:32,280 --> 00:00:41,270
will go into the new folder and then list the contents by typing ls. We can see the document.

6
00:00:41,910 --> 00:00:43,050
Let's clear the screen.

7
00:00:43,410 --> 00:00:52,770
This document called the conduct of the U.S. So we are going to use the metadata analysis by using exiftool

8
00:00:52,770 --> 00:00:59,430
followed by the name of the document and enter.

9
00:01:01,790 --> 00:01:07,870
Here we see the result. You can scroll up and down to look at the result.

10
00:01:10,010 --> 00:01:21,040
So if we analyze the output, we will see that this document was created in 2017, December

11
00:01:21,050 --> 00:01:29,780
13. Looking down further, you can see that it is Russian or Russian origin language code.

12
00:01:31,560 --> 00:01:33,930
And then further down.

13
00:01:35,760 --> 00:01:47,230
We can see there is no author suggested and then a template here indicates it is a .dotm template.

14
00:01:47,840 --> 00:01:55,160
So whenever you see a .dotm template, it means that there is a macro inside it, meaning that this

15
00:01:55,280 --> 00:02:00,590
Office document can have embedded scripts inside it and can execute.

16
00:02:02,410 --> 00:02:10,550
Scrolling down further, you see that there are some, I believe, Cyrillic Russian text, I'm not sure.

17
00:02:11,200 --> 00:02:16,470
And over here the heading pairs as well as they could be safe in those Cyrillic.

18
00:02:19,160 --> 00:02:26,690
If you look further down here and the question of the worst is seven to three, meaning that he needs

19
00:02:26,690 --> 00:02:31,070
the Oval Office document format, which is not a format.

20
00:02:31,670 --> 00:02:35,030
So in that case, you are going to do a you are asking.

21
00:02:35,030 --> 00:02:36,520
We do not need to use it.

22
00:02:36,580 --> 00:02:37,040
No.

23
00:02:40,020 --> 00:02:44,730
So next thing we do, we are going to do is to use YARA to scan.

24
00:02:45,390 --> 00:02:47,100
So let's clear the screen first.

25
00:02:54,170 --> 00:03:00,380
And then type yara, give it the -w to suppress warnings.

26
00:03:01,390 --> 00:03:02,680
Put in the home

27
00:03:04,400 --> 00:03:18,380
tilde character, followed by the malware Far Beyond our rules directory and the name of your index

28
00:03:18,380 --> 00:03:18,870
file.

29
00:03:19,790 --> 00:03:24,890
And lastly, followed by the target document we are going to scan.

30
00:03:25,520 --> 00:03:26,330
So hit enter.

31
00:03:30,350 --> 00:03:37,340
So looking at the result of the YARA scan, we see here that it contains VBA macro.

32
00:03:39,620 --> 00:03:47,270
So and you can also open to open and execute the macro when the document is open.

33
00:03:47,810 --> 00:03:57,540
This is not surprising because this macro thing is used very often in malicious Microsoft documents.

34
00:03:58,340 --> 00:04:07,650
So this is how we do static analysis for PDF as well as Microsoft Office documents.

35
00:04:08,060 --> 00:04:10,280
So that's all for this video.

36
00:04:10,910 --> 00:04:12,200
Thank you for watching.