1
00:00:00,600 --> 00:00:01,230
Hello.

2
00:00:01,530 --> 00:00:11,310
Welcome back. In this lesson, we are going to do a lot of practical work on analyzing a malicious Office document,

3
00:00:12,000 --> 00:00:18,780
and remember, we have already done some preliminary analysis several lessons ago.

4
00:00:19,710 --> 00:00:28,890
What we did was we used ExifTool to take a look at the metadata.

5
00:00:30,150 --> 00:00:36,360
And as we saw, we did this some time ago and we saw the timestamp.

6
00:00:38,530 --> 00:00:39,440
The timestamp is here.

7
00:00:39,920 --> 00:00:50,220
As you know, this is of Russian origin and uses the older Office format; it is the OLE file format.

8
00:00:50,440 --> 00:00:53,820
So it is the same structure,

9
00:00:55,220 --> 00:01:06,140
the Structured Storage format, and it is not the Office Open XML format. And you also saw me run oleid

10
00:01:06,290 --> 00:01:08,960
on this, just to refresh your memory.

11
00:01:27,300 --> 00:01:31,630
And oleid confirmed that it contains a VBA macro.

12
00:01:32,460 --> 00:01:39,660
So now we are going to continue with our analysis with other tools. We are going to see if we can try

13
00:01:39,660 --> 00:01:43,220
to extract the VBA macro from this file.

14
00:01:44,010 --> 00:01:47,370
The first thing we are going to use is oleid.

15
00:01:48,090 --> 00:01:55,770
So I open a new window here and go to the location of this file.

16
00:01:59,800 --> 00:02:12,580
And oleid followed by the name of the document, so it shows us that this is a Microsoft Word document.

17
00:02:13,720 --> 00:02:14,830
It is not encrypted.

18
00:02:15,310 --> 00:02:17,470
And it is a Word document.

19
00:02:18,470 --> 00:02:26,780
And it also contains VBA macros. Next, we are going to use a tool called oletimes.

20
00:02:30,580 --> 00:02:38,830
oletimes shows us the timestamps for this document, and you can see it has all the timestamps in there,

21
00:02:39,190 --> 00:02:45,460
and has the same date, which is 2015 February 10.
22
00:02:46,360 --> 00:02:54,910
And if you compare this with our ExifTool metadata, we can correlate them and confirm they are the same.

23
00:02:55,360 --> 00:03:05,470
Creation date is 2015 February, and modify date is 2015 February 10, which is the one found here:

24
00:03:05,470 --> 00:03:06,290
February 10.

25
00:03:06,940 --> 00:03:11,980
So this more or less confirms that this is the date on which it was created.

26
00:03:13,000 --> 00:03:21,490
And you can also see a lot of storage objects here, as you can see, and it also contains VBA,

27
00:03:21,940 --> 00:03:25,100
VBA, VBA, VBA, VBA macros.

28
00:03:25,580 --> 00:03:31,240
So the next step is to see if we can try to extract this VBA macro.

29
00:03:31,930 --> 00:03:36,660
To do that, we can use the olevba program.

30
00:03:36,670 --> 00:03:41,710
So let's open a new window and go to our malware document.

31
00:03:51,700 --> 00:04:00,670
If you just run it without any options, it will tell you what it can do, and you can see there are a lot of

32
00:04:00,670 --> 00:04:04,070
options here, a lot of things it can do.

33
00:04:04,900 --> 00:04:11,380
OK, so now we are going to use olevba on our bad Office document.

34
00:04:14,950 --> 00:04:17,890
And we are not going to specify any options.

35
00:04:19,590 --> 00:04:28,770
And you can see it's giving us a lot of information, including the VBA script, and one of the important

36
00:04:28,770 --> 00:04:35,610
sections is at the bottom, which contains a table, a summary of the entire analysis.

37
00:04:36,720 --> 00:04:44,610
You can see that it has AutoExec, which means that this document will execute something when

38
00:04:44,610 --> 00:04:45,750
it is opened.

39
00:04:46,680 --> 00:04:54,600
And the suspicious elements are in here, as you can see: the Open keyword, which can open a file.

40
00:04:55,720 --> 00:05:04,300
And it has also got the Shell keyword, which can run an executable file or a system command.
41
00:05:05,840 --> 00:05:14,210
User-Agent, which means that it is capable of downloading additional payload from the Internet. Chr,

42
00:05:14,390 --> 00:05:16,700
which may be used to obfuscate strings.

43
00:05:17,690 --> 00:05:24,350
And it has also got hex strings and Base64 strings, which are also used for obfuscation.

44
00:05:25,590 --> 00:05:33,600
Now, if we scroll right to the top of this, you can see the VBA source, which has been extracted by

45
00:05:33,850 --> 00:05:45,390
olevba, and you can see here there is a lot of obfuscation using string obfuscation, and it is trying

46
00:05:45,390 --> 00:05:47,400
to make it difficult for analysis.

47
00:05:48,490 --> 00:05:58,000
You will also see some file system locations here, and the temp directory as well, here.

48
00:06:00,270 --> 00:06:09,600
So this could be a location where this malware may write things to. We also see some system objects,

49
00:06:09,990 --> 00:06:15,660
which means that this malware is probably trying to run some tasks on the operating system.

50
00:06:16,770 --> 00:06:20,940
And we see lots and lots of obfuscated strings.

51
00:06:21,600 --> 00:06:32,510
So now let's see if we can dump this into a separate file. To extract the VBA script from this document,

52
00:06:32,520 --> 00:06:45,650
we can use olevba with the -c option, and then we redirect the output to a file of our own, and

53
00:06:45,660 --> 00:06:50,500
we will name it with a .vba extension.

54
00:06:52,140 --> 00:06:54,170
And now you see there is a new file here.

55
00:06:54,960 --> 00:06:57,360
So we can open this here. Right-

56
00:06:57,360 --> 00:06:58,560
click, open this.

57
00:06:58,560 --> 00:07:00,270
It will show us the code.

58
00:07:04,370 --> 00:07:10,820
So this is the file that has been dumped, and you can see on top here there are some strings that have

59
00:07:10,820 --> 00:07:15,540
been inserted by olevba, and we do not need them.
60
00:07:15,590 --> 00:07:22,760
We just cut them off since they are not part of the VBA script, and if you scroll down, you see some more

61
00:07:23,240 --> 00:07:24,330
at the bottom.

62
00:07:24,380 --> 00:07:27,590
You can also cut this off, this part here.

63
00:07:30,640 --> 00:07:39,110
Clean up the file so it is clean and also properly formatted in the editor, and remember to save it.

64
00:07:40,920 --> 00:07:46,260
Now, this file is ready for use in further analysis in a future

65
00:07:46,330 --> 00:07:46,790
lesson.

66
00:07:47,800 --> 00:07:53,980
So we have extracted the VBA script, which is the objective of this lesson.

67
00:07:54,380 --> 00:07:56,100
So thank you for watching.

68
00:07:56,130 --> 00:07:57,720
I'll see you in the next one.