Video: Blitz XLS Malware Payload Extraction

The malware sample analyzed in this video uses VBA code to extract a payload contained in Excel spreadsheet cells.

SHA256: F00252AB17546CD922B9BDA75942BEBFED4F6CDA4AE3E02DC390B40599CE1740

The following is the Python code which mimics the VBA extraction code.

from Pro.SiliconSpreadsheet import *
from Pro.UI import proContext

v = proContext().getCurrentAnalysisView()
if v.isValid():
    view = SiliconSpreadsheetWorkspaceView(v)
    ws = view.getSpreadsheetWorkspace()
    sheet = ws.sheetFromName("Final Offer")
    col = SiliconSpreadsheetUtil.colIndex("BS")
    text = ""
    for i in range(100, 701):
        cell = sheet.getCell(col, i)
        if cell.isEmpty():
            continue
        text += cell.value
    print(text[::-1])

Note: the code must be executed while the spreadsheet is open in the analysis view.

Leave a Reply

Your email address will not be published.