XLMMacroDeobfuscator
Bug: 'Token' object has no attribute 'data'
Running the latest dev version (v0.1.5) pulled from GitHub, I encountered an error while processing the file e314ea8492fec8fb7349f966eab30ae0f8dfad22d08fe914a2d88e5056b9451f
Error [deobfuscator.py:1569 evaluation_result = self.evaluate_parse_tree(current_cell, parse_tree, interactive)]: 'Token' object has no attribute 'data'
e314ea8492fec8fb7349f966eab30ae0f8dfad22d08fe914a2d88e5056b9451f.zip
Unencrypted xls file
[Loading Cells]
auto_open: auto_open->'AutoSave'!$B$4
[Starting Deobfuscation]
CELL:B5 , PartialEvaluation , GET.CELL(32.0,B5)
CELL:B6 , FullEvaluation , FALSE
CELL:B7 , FullEvaluation , __LongName
CELL:B8 , PartialEvaluation , GET.DOCUMENT(2,mco00s.MacroName)
CELL:B9 , FullEvaluation , FALSE
CELL:B10 , FullBranching , IF(LEFT(GET.WORKSPACE(1.0),3.0)="Win","","'")
CELL:B10 , FullEvaluation , [TRUE] ""
CELL:B11 , FullBranching , IF(LEFT(GET.WORKSPACE(1.0),3.0)="Win",SET.NAME("Win",TRUE),SET.NAME("Win",FALSE))
CELL:B11 , FullEvaluation , [TRUE] SET.NAME(win,TRUE)
Error [deobfuscator.py:1569 evaluation_result = self.evaluate_parse_tree(current_cell, parse_tree, interactive)]: 'Token' object has no attribute 'data'
Files:
[END of Deobfuscation]
Hopefully this helps track down a corner case.
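The error quoted above is the one a lark-based evaluator raises when a leaf Token (a function name or literal) is handled as if it were a Tree node. The following is an added example, not XLMMacroDeobfuscator's own code: a toy evaluator for the two IF formulas in the log that mimics lark's two node shapes with small stand-ins (so it runs without lark), dispatches on the node kind before reading `.data`, and reproduces the exact AttributeError when that guard is omitted. The `GET.WORKSPACE(1)` result string, the grammar and the handful of supported functions are assumptions made for the example.

```python
"""Token-vs-Tree guard in a toy XLM formula evaluator. Added example, not
XLMMacroDeobfuscator's code: it mimics lark's node shapes (Tree: .data and
.children; Token: a str with .type and .value) with stand-ins so it runs
without lark. The GET.WORKSPACE(1) string and the grammar are assumptions."""
import re

class Token(str):                         # leaf: has .type/.value, but no .data
    def __new__(cls, type_, value):
        obj = super().__new__(cls, value)
        obj.type, obj.value = type_, value
        return obj

class Tree:                               # interior node: a call or an '=' test
    def __init__(self, data, children):
        self.data, self.children = data, children

TOKEN_RE = re.compile(r'\s*(?:(?P<NUMBER>\d+(?:\.\d+)?)|(?P<STRING>"(?:[^"]|"")*")'
                      r'|(?P<NAME>[A-Z][A-Z0-9.]*)|(?P<PUNCT>[(),=]))')

def tokenize(formula):
    pos, end, tokens = 0, len(formula.rstrip()), []
    while pos < end:
        m = TOKEN_RE.match(formula, pos)
        if m is None:
            raise SyntaxError(f"bad input at {pos}: {formula[pos:]!r}")
        pos = m.end()
        tokens.append(Token(m.lastgroup, m.group(m.lastgroup)))
    return tokens + [Token("EOF", "")]    # sentinel: lookahead never runs off the end

class Parser:   # expr := primary ('=' primary)?   primary := literal | NAME ['(' args ')']
    def __init__(self, formula):
        self.toks, self.i = tokenize(formula), 0

    def expr(self):
        left = self.primary()
        if self.toks[self.i] == "=":
            self.i += 1
            return Tree("eq", [left, self.primary()])
        return left

    def primary(self):
        tok, self.i = self.toks[self.i], self.i + 1
        if tok.type in ("PUNCT", "EOF"):
            raise SyntaxError(f"unexpected {tok!r}")
        if tok.type != "NAME" or self.toks[self.i] != "(":
            return tok                                    # literal or defined name
        self.i += 1                                       # consume '('
        args = [] if self.toks[self.i] == ")" else [self.expr()]
        while self.toks[self.i] == ",":
            self.i += 1
            args.append(self.expr())
        if self.toks[self.i] != ")":
            raise SyntaxError(f"expected ')', got {self.toks[self.i]!r}")
        self.i += 1
        return Tree("call", [tok] + args)                 # children[0] is a Token

class Evaluator:
    def __init__(self, workspace="Windows (32-bit) NT 10.00"):   # assumed OS string
        self.workspace, self.names = workspace, {}

    def evaluate(self, node):
        if isinstance(node, Token):           # test for a leaf BEFORE reading .data
            if node.type == "NUMBER":
                return float(node.value)
            if node.type == "STRING":
                return node.value[1:-1].replace('""', '"')
            return {"TRUE": True, "FALSE": False, **self.names}[node.value]
        if node.data == "eq":
            return self.evaluate(node.children[0]) == self.evaluate(node.children[1])
        return self.call(node.children[0].value, node.children[1:])

    def call(self, fname, args):
        if fname == "IF":                     # lazy: only the taken branch is evaluated
            taken = args[1] if self.evaluate(args[0]) else (args[2] if len(args) > 2 else None)
            return False if taken is None else self.evaluate(taken)
        vals = [self.evaluate(a) for a in args]
        if fname == "LEFT":
            return str(vals[0])[:int(vals[1])]
        if fname == "GET.WORKSPACE" and vals[0] == 1:
            return self.workspace
        if fname == "SET.NAME":
            self.names[vals[0]] = vals[1]
            return True
        raise NotImplementedError(fname)      # the tool would report PartialEvaluation

def run_with_names(formula, workspace="Windows (32-bit) NT 10.00"):
    ev = Evaluator(workspace)
    return ev.evaluate(Parser(formula).expr()), dict(ev.names)

def unguarded_error(formula):
    # The bug class from the issue: reading .data from every child, although the
    # leaves (function names, literals) are Tokens and have no .data attribute.
    try:
        return [child.data for child in Parser(formula).expr().children]
    except AttributeError as exc:
        return str(exc)

OS_QUOTE = 'IF(LEFT(GET.WORKSPACE(1.0),3.0)="Win","","\'")'
OS_FLAG = 'IF(LEFT(GET.WORKSPACE(1.0),3.0)="Win",SET.NAME("Win",TRUE),SET.NAME("Win",FALSE))'
```

`run_with_names(OS_FLAG)` evaluates only the taken branch, which is what the `FullBranching` / `[TRUE] SET.NAME(win,TRUE)` lines in the log reflect, and `unguarded_error(OS_FLAG)` returns the string `'Token' object has no attribute 'data'`, because the first child of the top-level call is the Token `IF` rather than a Tree.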
Amazing instance, I added a few features to handle this instance. But still it needs more features to support this.
I am not sure whether this instance is malicious. If you have done a manual debugging, please let me know what you think about the sample.
I believe this document is benign, it was part of a testing repository that I was using for sanity checking some XLS Yara rules. I pulled the latest version and it appears that 2af8bd9 and 3a5c2ca did fix the issue. Thanks for the quick commits.
I can close the ticket if you'd like, or if you want to leave it open just let me know and I'm happy to action accordingly.
As I come across more edge cases I'll pass them over.
Thanks for sharing the info.
The deobfuscator still cannot fully interpret this sample. So it is better to leave this issue open. I will gradually cover other functionalities.