XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)

Results 25 XLMMacroDeobfuscator issues

[Loading Cells] auto_open: auto_open->'handling'!$C$84 [Starting Deobfuscation] CELL:C84 , FullEvaluation , SET.NAME(activated,0) CELL:C86 , FullEvaluation , -1496 CELL:C88 , FullEvaluation , WHILE(activated [True] CELL:C91 , FullEvaluation , SET.NAME(cottages,-1) CELL:C92 , FullEvaluation...

bug

In many cases, the maldoc macros will spawn a cmd shell to create or download a file to disk. After that, they will check whether that file exists before continuing...

First of all, thank you for your great work. Assignment operator ----- The equal (=) operator is both a comparison and an assignment operator (à la VBA/VB6). Consider this macro:...

bug

File MD5: 6ffb46347dea6d4d021daeaf48afef79 - xlsb file Error [deobfuscator.py:1603 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token('__ANON_0', '(C1156, 0)') at line 1, column 14. Expected one of: * CONCATOP * CMPOP * MULTIOP...

bug

This xlsb sample, ebbf15cc0bedec40e58146d369150ee3 (on VirusTotal), fails with the following error: File "/usr/local/lib/python3.6/dist-packages/XLMMacroDeobfuscator/deobfuscator.py", line 1954, in process_file excel_doc = XLSBWrapper(file_path) File "/usr/local/lib/python3.6/dist-packages/XLMMacroDeobfuscator/xlsb_wrapper.py", line 11, in __init__ self._xlsb_workbook = open_workbook(xlsb_doc_path) File...

bug

When running the latest from git, the following bug appears when running against malware sample `ffa75887740c235250a61413117bb2ee` [mal.zip](https://github.com/DissectMalware/XLMMacroDeobfuscator/files/4833553/mal.zip) Password: `infected` ``` Error [deobfuscator.py:1590 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token(__ANON_0, '())') at...

bug

Hi, I have inserted XlmMacroDeobfuscator inside IntelOwl (https://github.com/intelowlproject/IntelOwl/pull/196) to have a better understanding of the malware campaigns that are running these days in Italy. To have a report, I'm abusing...

enhancement

When analyzing a malicious document with version 0.1.4, analysis proceeds until... . . . CELL:FE2492 , FullEvaluation , "=SET.VALUE(R17C1,0)" CELL:FE2493 , FullEvaluation , FORMULA("=SET.VALUE(R17C1,0)",$A$35) CELL:FE2494 , FullEvaluation , "=" CELL:FE2495...

bug

Running the latest dev version (`v0.1.5`) pulled from GitHub, I encountered an error while processing the file `e314ea8492fec8fb7349f966eab30ae0f8dfad22d08fe914a2d88e5056b9451f` ``` Error [deobfuscator.py:1569 evaluation_result = self.evaluate_parse_tree(current_cell, parse_tree, interactive)]: 'Token' object has no...

bug

Macro sheets allow Excel to replicate the effect of a RUN() invocation by defining a name and then referencing it in a sheet by appending () to the name. For...

enhancement