1 00:00:00,780 --> 00:00:09,420 Hello and welcome to the walkthrough for the analysis of this document. From an earlier lesson, we have
2 00:00:09,420 --> 00:00:18,070 already extracted the document file from this PDF file and renamed it.
3 00:00:19,910 --> 00:00:24,230 So you can download these two files from the resource section if you have misplaced them.
4 00:00:25,920 --> 00:00:30,210 So the first thing I would do is examine it using exiftool.
5 00:00:35,700 --> 00:00:46,330 To see some metadata, and from here you will notice that this is a docx file, a Microsoft Word document.
6 00:00:47,910 --> 00:00:58,470 It has got Russian text, hinting that this could be of Russian origin. The creation date used is 2017
7 00:00:59,380 --> 00:01:04,060 April 21. There is also some metadata here
8 00:01:05,790 --> 00:01:14,370 which suggests that this is the new Office format, the Open XML format. Therefore, if you wanted
9 00:01:14,370 --> 00:01:20,670 to run your YARA signatures against this file, we will need to use them in conjunction with the other
10 00:01:20,670 --> 00:01:21,450 parameters.
11 00:01:22,040 --> 00:01:24,390 We do not have a creator.
12 00:01:25,940 --> 00:01:27,430 We don't have a subject as well.
13 00:01:28,610 --> 00:01:34,970 So sometimes this is quite common, when you don't have this kind of thing. Anyway, if you do find
14 00:01:34,970 --> 00:01:42,080 the subject or the creator name, that will give us more hints as to who created the document.
15 00:01:43,550 --> 00:01:50,590 The next thing to do is a YARA scan, so let us open a new terminal for that purpose.
16 00:01:54,510 --> 00:01:57,540 Navigate to the location of this file.
17 00:02:01,410 --> 00:02:16,930 Type yara with the parameters for the YARA scan and provide the path to the signatures, the
18 00:02:16,930 --> 00:02:18,040 index file.
19 00:02:19,780 --> 00:02:22,260 And finally, the name of the file.
20 00:02:24,890 --> 00:02:32,500 So you have a bit of output on screen and you will see some hits.
21 00:02:33,940 --> 00:02:43,060 And from here you can see that it has got two important results confirming that this is a macro document
22 00:02:43,600 --> 00:02:53,110 and pointing also to the vbaProject.bin file, which is always present when there is a VBA macro.
23 00:02:54,220 --> 00:03:00,240 So this means that when this document is opened, it is going to run this VBA macro code.
24 00:03:00,730 --> 00:03:05,290 So we need to extract the VBA macro code and see what it does.
25 00:03:06,260 --> 00:03:15,410 The next step is to use oledump in order to do some scan, but since this is in the new format,
26 00:03:15,410 --> 00:03:16,340 it is going to fail.
27 00:03:19,190 --> 00:03:20,140 Let's give it a try.
28 00:03:22,540 --> 00:03:31,240 And as you see, it fails. Next, we are going to extract the macro code using olevba, so to
29 00:03:31,240 --> 00:03:36,770 do that, we type olevba, followed by the name of the file itself.
30 00:03:37,000 --> 00:03:40,420 Hit enter, and here is the olevba scan result.
31 00:03:44,460 --> 00:03:54,990 So this is a summary table for the olevba scan, so let's see. We have AutoOpen, which means
32 00:03:54,990 --> 00:04:00,960 that when this document is opened, AutoOpen is going to automatically run this script, whatever is
33 00:04:00,960 --> 00:04:03,260 specified in the AutoOpen function.
34 00:04:04,260 --> 00:04:11,430 And then also here you see all the suspicious elements, keywords in red, for example Open and Write,
35 00:04:11,730 --> 00:04:14,230 meaning it can open, read and write a file.
36 00:04:15,270 --> 00:04:22,710 And there is also Binary, which means it can write a binary file, meant probably for binary executable
37 00:04:22,710 --> 00:04:23,160 files.
38 00:04:23,850 --> 00:04:28,770 And the next keyword is Shell, meaning that it can run shell commands.
39 00:04:29,700 --> 00:04:36,540 And there's also User-Agent, meaning it can connect to the Internet and download the second stage.
40 00:04:37,890 --> 00:04:45,630 There is also some obfuscation possible because of the Chr and also the Hex Strings and Base64 Strings.
41 00:04:46,330 --> 00:04:55,050 So let's extract the code in this file. If you open it directly, right-click and open it
42 00:04:55,050 --> 00:04:58,690 with Visual Studio Code,
43 00:04:59,130 --> 00:05:00,330 we will be seeing junk.
44 00:05:04,960 --> 00:05:19,240 So to deal with it, we can use olevba to deobfuscate the code: olevba with the --deobf parameter and the --reveal
45 00:05:19,780 --> 00:05:27,760 parameter and the name of the file, and then redirect the output to a separate file so that you can read
46 00:05:27,760 --> 00:05:28,550 it.
47 00:05:29,650 --> 00:05:33,430 So we are going to name this output file with a .vba extension.
48 00:05:35,150 --> 00:05:42,960 So it has completed the deobfuscation and written the file. Open the resulting file in Visual Studio Code.
49 00:05:43,940 --> 00:05:46,230 So this is the resulting file.
50 00:05:46,490 --> 00:05:53,940 So let's scroll down and look at the summary table, which should be somewhere in the centre
51 00:05:53,940 --> 00:05:54,730 of the file.
52 00:05:55,070 --> 00:05:57,680 And here you see all the reports in the summary.
53 00:05:59,030 --> 00:06:04,120 And then you've got the VBA stream that has been deobfuscated.
54 00:06:04,670 --> 00:06:10,340 So let's go down and look at the actual deobfuscated code. It has some attributes
55 00:06:10,340 --> 00:06:11,000 set.
56 00:06:14,160 --> 00:06:21,180 And here is a User-Agent, probably trying to connect to the Internet here, and there may be further
57 00:06:21,180 --> 00:06:25,730 obfuscation, as you can see, some extra long strings here in this line.
58 00:06:27,040 --> 00:06:28,300 [inaudible]
59 00:06:29,070 --> 00:06:35,570 And in line 697, we see a long string as a parameter to the function Split.
60 00:06:36,090 --> 00:06:44,510 So the function Split will take this long string and split it into different elements based on the separator
61 00:06:45,150 --> 00:06:46,200 specified here.
62 00:06:46,740 --> 00:06:55,570 So the separator could be pointing to this string here, so this could be the separator.
63 00:06:56,220 --> 00:07:02,580 So we see here there are three possible URLs which the malware is trying to connect to when
64 00:07:02,580 --> 00:07:03,250 it runs.
65 00:07:03,660 --> 00:07:10,560 So here alone, we can use this as an indicator of compromise and look at our network to see if anybody
66 00:07:10,560 --> 00:07:17,070 in the organization has reached out to these websites to download the second stage.
67 00:07:18,040 --> 00:07:21,460 And if you scroll down further, as you see, we have
68 00:07:24,250 --> 00:07:33,910 we have some WMI services trying to find out some resources which are available from the machine, and
69 00:07:33,910 --> 00:07:40,050 over here, this one is opening a file for some purpose.
70 00:07:41,050 --> 00:07:45,600 The OpenTextFile function is actually here, trying to open the file.
71 00:07:46,090 --> 00:07:54,010 So up to this stage of the analysis, probably the URLs are the only thing it has given us, that it might connect
72 00:07:54,010 --> 00:07:54,250 to.
73 00:07:54,250 --> 00:07:55,800 But we don't know what is going on down there.
74 00:07:56,380 --> 00:07:59,310 And we also don't know what it is going to save.
75 00:07:59,920 --> 00:08:04,570 So let us try to analyze it with ViperMonkey.
76 00:08:04,960 --> 00:08:11,260 So to do that, we just copy the code to a separate file.
77 00:08:20,590 --> 00:08:24,450 The File menu, and then create a new file.
78 00:08:27,980 --> 00:08:31,190 And then remove all the olevba comments.
79 00:08:47,330 --> 00:08:50,420 And then we'll save this clean file.
80 00:08:55,810 --> 00:09:00,070 And we are going to give it a new name,
81 00:09:02,240 --> 00:09:06,200 with a .vba extension, [inaudible], you see.
82 00:09:08,100 --> 00:09:17,900 Then we run ViperMonkey against it, so you just type vmonkey and the name of the file, which is
83 00:09:17,910 --> 00:09:26,550 the cleaned .vba file, and see whether we can get any more information from ViperMonkey.
84 00:09:31,500 --> 00:09:40,560 So after analyzing this, ViperMonkey found a document open and two suspicious
85 00:09:41,130 --> 00:09:47,620 items, but did not detect any URLs or indicators of compromise.
86 00:09:48,660 --> 00:09:56,420 So we can continue to do this by selecting the other modules from the document, like the second
87 00:09:56,430 --> 00:09:59,210 and third ones, and repeat the same thing.
88 00:09:59,790 --> 00:10:08,010 But we are going to try another tool in the next video, Lazy Office Analyzer, where we are going to
89 00:10:08,190 --> 00:10:15,960 execute it in a debug environment, the Lazy Office Analyzer, and hopefully we can get more information
90 00:10:15,960 --> 00:10:16,380 from that.
91 00:10:16,980 --> 00:10:18,390 So thank you for watching.
92 00:10:18,420 --> 00:10:19,860 I'll see you in the next one.