Video: Blitz XLS Malware Payload Extraction
2022-8-3 04:2:8 Author: blog.cerbero.io(查看原文) 阅读量:22 收藏

The malware sample analyzed in this video uses VBA code to extract a payload contained in Excel spreadsheet cells.

SHA256: F00252AB17546CD922B9BDA75942BEBFED4F6CDA4AE3E02DC390B40599CE1740

The following is the Python code which mimics the VBA extraction code.

from Pro.SiliconSpreadsheet import *
from Pro.UI import proContext

v = proContext().getCurrentAnalysisView()
if v.isValid():
    view = SiliconSpreadsheetWorkspaceView(v)
    ws = view.getSpreadsheetWorkspace()
    sheet = ws.sheetFromName("Final Offer")
    col = SiliconSpreadsheetUtil.colIndex("BS")
    text = ""
    for i in range(100, 701):
        cell = sheet.getCell(col, i)
        if cell.isEmpty():
            continue
        text += cell.value
    print(text[::-1])

Note: the code must be executed while the spreadsheet is open in the analysis view.


文章来源: https://blog.cerbero.io/?p=2457
如有侵权请联系:admin#unsafe.sh