Introduction This post covers how to identify and extract shellcode manually from hancitor phishing office document. Refer Part-1 and Part-2 to get an understanding of tools and approach to analyse phishing documents. Tools Didier Stevens Suite sudo pip install oletools Analysis SHA256: 5d077b1341a6472f02aac89488976d4395a91ae4f23657b0344da74f4a560c8d This sample contains encoded shellcode that starts a new (suspended) explorer.exe process, injects its own code (an embedded, encoded exe) and executes it. This maldoc leverages VBA macros to execute its payload and t he encoded shellcode is a property in stream 17. T he shellcode uses WIN32 API functions like CreateProcess, ZwUnmapViewOfSection, GetThreadContext, ResumeThread etc. to inject code into the newly created process (explorer.exe) and execute it. This method is called process hollowing or process replacement.The explorer.exe process is created in a suspended state, the code for explore