1
00:00:10,420 --> 00:00:13,880
The next tool that we want to cover is OleVBA.

2
00:00:14,020 --> 00:00:19,810
So we have already figured out that the file is suspicious and that it has only one page and characters, but

3
00:00:19,810 --> 00:00:26,000
it does contain a VBA macro, which definitely points out that this can be something suspicious.

4
00:00:26,020 --> 00:00:32,910
So in order to go ahead and extract that macro file, we'll be using the olevba tool of Oletools.

5
00:00:38,320 --> 00:00:47,020
So once we pass it to olevba, it goes ahead and extracts the VB Script for us.

6
00:00:47,020 --> 00:00:52,340
This is exactly the same script which we extracted when we were using

7
00:00:52,390 --> 00:00:57,280
Oledump. The other advantage of using Oletools is that

8
00:00:57,320 --> 00:01:02,350
it also gives us some key indicators about the script that has been extracted.

9
00:01:02,350 --> 00:01:09,380
For example, it says that there is an auto_execution and the keyword is document_open.

10
00:01:09,700 --> 00:01:18,730
So what it means is that this VBA script will be executed as soon as someone opens this Word document.

11
00:01:18,810 --> 00:01:21,720
We discussed this with oledump as well.

12
00:01:22,130 --> 00:01:28,090
There is also the presence of shell command execution, which definitely points to there being something suspicious.

13
00:01:28,090 --> 00:01:31,580
It may run an executable file or a system command.

14
00:01:31,660 --> 00:01:37,960
It also has been able to pick up PowerShell, where it says that it may run PowerShell commands, it may download

15
00:01:37,960 --> 00:01:43,160
files from the Internet because it's calling net.webclient. It will download files,

16
00:01:43,240 --> 00:01:49,190
it will create a new object on the system, and as an indicator of compromise,

17
00:01:49,240 --> 00:01:52,680
IOC stands for indicators of compromise,

18
00:01:52,720 --> 00:01:57,320
it says that this is one of the indicators that you should look at.

19
00:01:58,350 --> 00:02:05,480
And there are a bunch of other IOCs picked up as well, like cmd.exe and two more file names which are

20
00:02:05,480 --> 00:02:13,440
also executables. We'll be going into much more detail as to what IOC means. For now,

21
00:02:13,510 --> 00:02:21,110
you can simply understand that it represents some of the indicators which might lead to malicious

22
00:02:21,110 --> 00:02:26,720
activity or which might be associated with malicious activity related to a malware campaign.

23
00:02:28,650 --> 00:02:36,570
Another interesting tool that comes in the Oletools suite is mraptor, which basically looks for any

24
00:02:36,570 --> 00:02:41,070
suspicious VBA macro inside your document file.

25
00:02:41,820 --> 00:02:49,340
So to run it, again we'll pass python mraptor.py and we'll pass it

26
00:02:49,410 --> 00:02:57,070
our document file location.

27
00:02:57,140 --> 00:03:04,280
So once it runs, it tells you that the result of the execution of this tool was that the document file is suspicious,

28
00:03:04,340 --> 00:03:08,270
and the reason is that it contains a bunch of flags.

29
00:03:08,390 --> 00:03:09,550
And what are those flags?

30
00:03:09,680 --> 00:03:17,150
It says that it contains auto exec, it writes to disk, it executes something, and this is the reason why it is

31
00:03:17,150 --> 00:03:20,760
heuristically predicting that this file might be suspicious.

32
00:03:21,080 --> 00:03:28,400
So they have basically used their other tools to extract that information and they are applying a

33
00:03:28,400 --> 00:03:32,480
heuristic to give you a judgment that the file is suspicious.

34
00:03:32,480 --> 00:03:37,890
We have already seen how these heuristics have been determined and why they are suspicious.

35
00:03:38,000 --> 00:03:45,050
So it makes much more sense to directly use mraptor to figure out whether this document file is

36
00:03:45,050 --> 00:03:46,470
suspicious or not.

37
00:03:46,490 --> 00:03:51,730
I did not directly go to mraptor because I first wanted you all to understand what the traits

38
00:03:51,830 --> 00:03:57,800
of a suspicious document file are and how we basically extract the VBA macros to make sense out of it.

39
00:03:57,980 --> 00:04:05,960
And once you have that idea, it makes it much easier to understand why this document file was particularly

40
00:04:05,960 --> 00:04:07,870
categorized as suspicious.

41
00:04:10,130 --> 00:04:12,650
So that was all about oletools.

42
00:04:12,740 --> 00:04:13,850
Thanks a lot for watching.