Just a couple of days ago, new information was published about the malware used in attacks against the Ukrainian news media and the power industry. And if we look here in this article, at the end there are a couple of IOCs. And one of them is for a spreadsheet. So I downloaded this document, and if we take a look at this malware with oledump, you can see that indeed it is a spreadsheet with a very large macro. So let me select stream 7 and decompress the VBA code, and let's have a look.

Okay, and here you can see arrays of numbers. A lot of arrays, and if we go to the end here. Okay, so we have up to 768 arrays, and then we have a function that will take all those numbers and here, in two loops, extract the numbers from the arrays and write them to this file, vba.micro.exe. And when this is done, it will execute a file, and this sub executes automatically when the workbook activate macro runs. So it's very likely that the numbers that you find in the arrays there in the VBA macro code are an executable.

So let's take a look. With my regular expression search tool we are going to select the arrays like this. So the keyword Array followed by characters, and this enables us to select all the arrays with the numbers. And now we are going to extract those numbers with this tool, numbers-to-hex. This will select all the numbers in the arrays and convert them to hex, to hexadecimal, like this. So now, for example, I can take that hex code, copy it, and then paste it in a binary editor like 010 Editor and start to analyze it. But I can also pipe it to my other tools, for example by converting this hex to binary with this tool, hex-to-bin. This will take the hex dump and convert it to binary. So let's pipe this into less and see what we get. And this is indeed a PE file. You can see here MZ, the start of the header. And here, "This program cannot be run in DOS mode", and then somewhere here we see the PE header.

So we can analyze this with pecheck, and indeed we have a PE file that pecheck can analyze. And here is the SHA1 hash of the embedded executable. And if we look at our IOCs here, you can see that for the BlackEnergy Lite dropper we have exactly the same SHA1. So we are able to extract the executable with these functions. And last thing, you can also take a look at the metadata of this sample like this.
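
The extraction steps walked through above (select the Array(...) literals, turn the numbers into bytes, confirm the MZ and PE markers, hash the result) as a single Python script. This is an added example, not code from the video or from the tools it uses; the function names and the sample macro text are constructed for illustration, and the sample decodes to an inert 68-byte header stub.

```python
import hashlib
import re
import struct

# One VBA Array(...) literal; the body may span "_" line continuations.
ARRAY_RE = re.compile(r"\bArray\(([^)]*)\)", re.IGNORECASE)

def extract_payload(vba_source: str) -> bytes:
    """Concatenate every number inside Array(...) literals into a byte string."""
    out = bytearray()
    for body in ARRAY_RE.findall(vba_source):
        for token in re.findall(r"\d+", body):
            value = int(token)
            if value > 255:
                raise ValueError(f"array element {value} is not a byte value")
            out.append(value)
    return bytes(out)

def looks_like_pe(data: bytes) -> bool:
    """Check the MZ magic, then follow e_lfanew (offset 0x3C) to 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def triage(vba_source: str) -> dict:
    """Size, PE verdict and SHA-1 of the embedded data, for comparison with IOCs."""
    payload = extract_payload(vba_source)
    return {"size": len(payload),
            "is_pe": looks_like_pe(payload),
            "sha1": hashlib.sha1(payload).hexdigest()}

def constructed_sample() -> str:
    """Constructed macro text: an inert stub holding only the MZ and PE markers."""
    stub = bytearray(0x44)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew points at offset 0x40
    stub[0x40:0x44] = b"PE\0\0"
    rows = []
    for i in range(0, len(stub), 16):
        nums = ", ".join(str(b) for b in stub[i:i + 16])
        rows.append(f"a({i // 16 + 1}) = Array({nums})")
    return "\n".join(rows)

if __name__ == "__main__":
    print(triage(constructed_sample()))
```

Run against the decompressed VBA text of a real sample, the `sha1` field is the value to compare with a published dropper hash.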