XLMMacroDeobfuscator
Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)
Running xlmdeobfuscator on this file: https://www.virustotal.com/gui/file/a0de1f3af78bef68ddfcabf4b7cedfa0e466ac65648a5e81e591702b463c96b1 gives the following error: Unencrypted xls file [Loading Cells] auto_open: auto_open->'KBRSBTL'!$J$1 [Starting Deobfuscation] CELL:J12 , FullEvaluation , "False" Error [deobfuscator.py:2586 parse_tree = self.xlm_parser.parse(formula)]: Unexpected...
For an example of the previous bad behavior, see sample [7a99e0ff0d7f0951c53a21dfabc03fb9e06d1c585de62cc71d962c1c4dde4190](https://www.virustotal.com/gui/file/7a99e0ff0d7f0951c53a21dfabc03fb9e06d1c585de62cc71d962c1c4dde4190) The bug pertains to the unwrapping of strings. A string that should not have been unwrapped was stripped of...
Hi, please check this oletools issue; it is due to a Unicode error when running XLMMacroDeobfuscator on a sample:
- Issue: https://github.com/decalage2/oletools/issues/728#issuecomment-1047921380
- Sample: [food1.zip](https://github.com/decalage2/oletools/files/8117984/food1.zip) (Password1)
I came across older QakBot dropper [sample](sample) that randomly selects values using calls to `RANDBETWEEN` to build URLs. Of course when using `xlmdeobfuscator`, the same outcome is generated each time,...
Current SLoad Excel XLM samples contain several while loops which never terminate during XLMMacroDeobfuscator emulation (ex. https://www.virustotal.com/gui/file/f7c577d377eae268913717937f792cca3f5bf7a802559f146ef5fba45f3f4605/detection). This pull request contains one potential method for handling infinite while loops. It...
When analyzing a malicious document with version 0.1.7, analysis proceeds until... xlmdeobfuscator.exe -f D:\malware\white\ecaaab9e2fc089eefb6accae9750ac60.bin _ _______ |\ /|( \ ( ) ( \ / )| ( | () ()...
 
The Zloader sample https://bazaar.abuse.ch/sample/409c0fdd23e87d2181aed6a283d83cdeaa1b7fbb685df01b5358febb0d09c8b8/ triggers the following error: `Error [deobfuscator.py:2445 evaluation_result = self.evaluate_parse_tree(current_cell, parse_tree, interactive)]: int() argument must be a string, a bytes-like object or a number, not 'NoneType'`...
**Sample:** https://app.any.run/tasks/03f85d8e-c349-48bc-b367-b7e6ab6b1f94/# **Error message:** Error [deobfuscator.py:2433 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token('CMPOP', '=') at line 1, column 221. Expected one of: * $END **Issue:** A sample cell is `=""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""=RAND()=SUMPRODUCT(54623,42,452,452,452)=RAND()=SUMPRODUCT(54623,42,452,452,452)=RAND()=SUMPRODUCT(54623,42,452,452,452)=RAND()=SUMPRODUCT(54623,42,452,452,452)=RAND()=SUMPRODUCT(54623,42,452,452,452)=FORMULA('Doc4'!$AT$3&'Doc4'!$AT$4&'Doc4'!$AT$5&'Doc4'!$AT$6&'Doc4'!$AT$7&'Doc4'!$AT$8,'Doc3'!$AQ$13)=RAND()=SUMPRODUCT(54623,42,452,452,452)=RAND()=SUMPRODUCT(54623,42,452,452,452)=RAND()=SUMPRODUCT(54623,42,452,452,452)=RAND()=SUMPRODUCT(54623,42,452,452,452)=RAND()=SUMPRODUCT(54623,42,452,452,452)=""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""` Of...
When analyzing a malicious document with version 0.1.4, analysis proceeds until... XLMMacroDeobfuscator(v0.1.7) - https://github.com/DissectMalware/XLMMacroDeobfuscator File: sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin Unencrypted xls file [Loading Cells] SHRFMLA (sub): 0 0 1 8 6 SHRFMLA (sub):...