Malwrologist

Results 50 comments of Malwrologist

Share with me a sample where this occurs and a normal one; I will dig into it and see whether I can figure it out.

I also wonder whether you could add it to FlareVM. It has been heavily extended and tested in the past few weeks and is ready to be used in production.

You might find this project interesting as well: https://github.com/DissectMalware/XLMMacroDeobfuscator XLMMacroDeobfuscator is basically an XLM emulator. The XLM grammar or the interpreter might be helpful.

XLM keywords: https://github.com/DissectMalware/xlrd2/blob/67abe946b2a23e8615e8f3ed018a3ac7a11e5444/xlrd2/formula.py#L121 XLMMacroDeobfuscator supports the following keywords: https://github.com/DissectMalware/XLMMacroDeobfuscator/blob/c42671da52f9729b86ab353a953b5bf61d8a8b29/XLMMacroDeobfuscator/deobfuscator.py#L160

You can also consider xlrd2, which is actively maintained by me: https://github.com/DissectMalware/xlrd2 Unlike the original xlrd, by using this version you can get the formula strings for all XLM functions.

The macrosheet seems to only have two formulas ![image](https://user-images.githubusercontent.com/9646319/155471649-52fcbf00-e1b4-404b-a778-27637790b529.png) ![image](https://user-images.githubusercontent.com/9646319/155471719-5c98d8e4-11a0-48ea-acfa-f5d106bd5ba9.png)

Fixed an issue in the xlrd2 project (https://github.com/DissectMalware/xlrd2/commit/91bcd840a4d697a9938ca3ed92f48b6d0c8ed97e). Please update xlrd2:

```
pip install -U https://github.com/DissectMalware/xlrd2/archive/master.zip --force
```

Then you should see this: ![image](https://user-images.githubusercontent.com/9646319/109354045-3317a500-784b-11eb-93a2-84858ec8b605.png) The output seems to be incomplete. The...

Good idea. Did you use the --output-level switch? ![image](https://user-images.githubusercontent.com/9646319/94208254-6b2f4c00-fe97-11ea-8741-235479f11328.png) Currently, it only suppresses uninteresting XLM macros. However, I can extend this to also remove uninteresting defined names ...

No worries. But I still think there is room to better control the output. Currently, only macros can be filtered using this switch. Maybe it is also a good...

I will check the PR soon; sorry for the late response.