The malware sample analyzed in this video uses VBA code to extract a payload contained in Excel spreadsheet cells.
SHA256: F00252AB17546CD922B9BDA75942BEBFED4F6CDA4AE3E02DC390B40599CE1740
The following is the Python code which mimics the VBA extraction code.
from Pro.SiliconSpreadsheet import * from Pro.UI import proContext v = proContext().getCurrentAnalysisView() if v.isValid(): view = SiliconSpreadsheetWorkspaceView(v) ws = view.getSpreadsheetWorkspace() sheet = ws.sheetFromName("Final Offer") col = SiliconSpreadsheetUtil.colIndex("BS") text = "" for i in range(100, 701): cell = sheet.getCell(col, i) if cell.isEmpty(): continue text += cell.value print(text[::-1])
Note: the code must be executed while the spreadsheet is open in the analysis view.