XLMMacroDeobfuscator icon indicating copy to clipboard operation
XLMMacroDeobfuscator copied to clipboard

Published 20 hours ago verified publisher icon DissectMalware

failure to parse formula in xlsb file

Open enzok opened this issue 5 years ago • 4 comments
trafficstars

This xlsb sample, ebbf15cc0bedec40e58146d369150ee3 (on VirusTotal), fails with the following error:

File "/usr/local/lib/python3.6/dist-packages/XLMMacroDeobfuscator/deobfuscator.py", line 1954, in process_file excel_doc = XLSBWrapper(file_path) File "/usr/local/lib/python3.6/dist-packages/XLMMacroDeobfuscator/xlsb_wrapper.py", line 11, in init self._xlsb_workbook = open_workbook(xlsb_doc_path) File "/usr/local/lib/python3.6/dist-packages/pyxlsb2/init.py", line 27, in open_workbook return Workbook(XlsbPackage(name), *args, **kwargs) File "/usr/local/lib/python3.6/dist-packages/pyxlsb2/workbook.py", line 29, in init self._parse() File "/usr/local/lib/python3.6/dist-packages/pyxlsb2/workbook.py", line 67, in _parse rec.formula = Formula.parse(rec.formula_raw).stringify(self) File "/usr/local/lib/python3.6/dist-packages/pyxlsb2/formula.py", line 16, in stringify return tokens.pop().stringify(tokens, workbook) IndexError: pop from empty list

enzok avatar Oct 19 '20 15:10 enzok

rec = Name(name='dontdoit', formula_raw=b'\x1f\x00\x00\x80\xff\xff,\xc4\xc1', formula=None)

enzok avatar Oct 19 '20 16:10 enzok

This xlsb sample, ebbf15cc0bedec40e58146d369150ee3 (on VirusTotal), fails with the following error:

File "/usr/local/lib/python3.6/dist-packages/XLMMacroDeobfuscator/deobfuscator.py", line 1954, in process_file excel_doc = XLSBWrapper(file_path) File "/usr/local/lib/python3.6/dist-packages/XLMMacroDeobfuscator/xlsb_wrapper.py", line 11, in init self._xlsb_workbook = open_workbook(xlsb_doc_path) File "/usr/local/lib/python3.6/dist-packages/pyxlsb2/init.py", line 27, in open_workbook return Workbook(XlsbPackage(name), *args, **kwargs) File "/usr/local/lib/python3.6/dist-packages/pyxlsb2/workbook.py", line 29, in init self._parse() File "/usr/local/lib/python3.6/dist-packages/pyxlsb2/workbook.py", line 67, in _parse rec.formula = Formula.parse(rec.formula_raw).stringify(self) File "/usr/local/lib/python3.6/dist-packages/pyxlsb2/formula.py", line 16, in stringify return tokens.pop().stringify(tokens, workbook) IndexError: pop from empty list

Seems your pyxlsb2 is not the latest version. Can you update your pyxlsb2? Still you will get some errors...

I am working on pyxlsb2 to fix the issues.

DissectMalware avatar Oct 19 '20 17:10 DissectMalware

I tried updating pyxlsb2, but it says already up to date.

enzok avatar Oct 19 '20 18:10 enzok

ok updated using github master zip

enzok avatar Oct 19 '20 18:10 enzok