BlackEnergy .XLS Dropper, (Mon, Jan 11th)


The malware used in the recent Ukrainian cyber attack was (allegedly) delivered via a malicious spreadsheet. I analyzed this maldoc (97b7577d13cf5e3bf39cbe6d3f0a7732) and it's very simple: the macro runs automatically, writes an exe to disk (embedded as an array of bytes) and executes it. There's no obfuscation of the VBA code or encoding of the PE file.

If you want to practice the analysis of such documents, I have something for you: I produced a spreadsheet that uses exactly the same method to embed a PE file, but it has no code to write to disk or to run the payload. And the VBA code doesn't run automatically. And instead of a PE file, I embedded a JPEG file. So this example is very safe. You can download the example here.
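One way to recover a payload embedded this way, once the VBA source has been dumped from the document, as an added example that is not part of the diary and not one of the author's tools: it assumes the macro stores the file as `Array(...)` literals of decimal byte values, collects them in order, and classifies the result by its magic bytes (MZ for a PE file, FF D8 FF for the JPEG in the practice sample). The VBA snippet is constructed for this example.

```python
import hashlib
import re

# Constructed VBA source, as dumped from a maldoc's macro stream: the payload is
# stored as Array(...) literals of decimal bytes. Here it is a short JPEG header,
# mirroring the practice sample, which embeds a picture instead of a PE file.
SAMPLE_VBA = """
Private Sub Workbook_Open()
    Dim b() As Variant
    b = Array(255, 216, 255, 224, 0, 16, 74, 70, 73, 70, 0, 1, _
              1, 1, 0, 72, 0, 72, 0, 0, 255, 217)
End Sub
"""

# Magic numbers used to classify the reconstructed payload.
MAGIC = {b"MZ": "PE executable (MZ header)", b"\xff\xd8\xff": "JPEG image"}

ARRAY_RE = re.compile(r"Array\s*\((.*?)\)", re.IGNORECASE | re.DOTALL)

def extract_array_bytes(vba_source: str) -> bytes:
    """Concatenate the decimal values of every Array(...) literal, in order.
    VBA line continuations (' _') are tolerated; non-byte values abort."""
    out = bytearray()
    for match in ARRAY_RE.finditer(vba_source):
        body = match.group(1).replace("_", " ")
        for token in body.split(","):
            token = token.strip()
            if not token:
                continue
            value = int(token)
            if not 0 <= value <= 255:
                raise ValueError(f"non-byte value in array: {value}")
            out.append(value)
    return bytes(out)

def classify(payload: bytes) -> str:
    """Name the payload by its leading magic bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if payload.startswith(magic):
            return name
    return "unknown"

def analyze(vba_source: str) -> dict:
    """Reconstruct the embedded file; report size, type and MD5."""
    payload = extract_array_bytes(vba_source)
    return {"size": len(payload), "type": classify(payload),
            "md5": hashlib.md5(payload).hexdigest()}

if __name__ == "__main__":
    print(analyze(SAMPLE_VBA))
```

The MD5 of the reconstructed bytes can be compared against the hash quoted above or checked in a threat-intel feed, and a type of "PE executable" in a spreadsheet macro is itself a strong indicator.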

In case you have no idea how to get started, I have a video for you where I show my analysis method.

You can find the tools I used on my blog.

But there are many ways to analyze this example. Please post your method in a comment. And also, let me know what you think of the picture.

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
