olevba: add XLM macro keywords
FORMULA, CALL, RUN, FORMULA.FILL, WORKBOOK.HIDE, GET.WORKSPACE, ...
Samples:
- https://twitter.com/DissectMalware/status/1248137329820172288
- https://twitter.com/DissectMalware/status/1240789649527836674
- https://twitter.com/DissectMalware/status/1247595433305800706
- https://twitter.com/DissectMalware/status/1248067183076392962
Add also: FOPEN, FWRITE, FILE.DELETE
Example: https://twitter.com/DissectMalware/status/1274919210972479495
And it would be better to distinguish suspicious VBA keywords from XLM, to clarify the output. However, XLM keywords can appear within VBA when VBA calls XLM formulas, and also VBA/VBS keywords may appear in XLM formulas.
XLM keywords: https://github.com/DissectMalware/xlrd2/blob/67abe946b2a23e8615e8f3ed018a3ac7a11e5444/xlrd2/formula.py#L121
XLMMacroDeobfuscator supports the following keywords: https://github.com/DissectMalware/XLMMacroDeobfuscator/blob/c42671da52f9729b86ab353a953b5bf61d8a8b29/XLMMacroDeobfuscator/deobfuscator.py#L160
Also add FormulaLocal, which can be used to generate Excel 4 macros from VBA, then Run to execute them:
https://docs.microsoft.com/en-us/office/vba/api/Excel.Range.FormulaLocal
Sample:
- https://twitter.com/Thierry_4N6S/status/1334158625355522049
- https://labs.inquest.net/dfi/hash/e60dd6a3b885f9ed3356cd62c4d53590f255509fc07c9e4aa31c0e1fb16673e5
Another sample also using FormulaLocal: https://twitter.com/DissectMalware/status/1351532995228798978 / https://twitter.com/DissectMalware/status/1351538436914651136
And check if plugin_biff reports formulas in English or Italian
Add also WRITELN: https://twitter.com/DissectMalware/status/1440130407870181378
Other interesting articles and samples:
- https://www.goggleheadedhacker.com/blog/post/21
- https://www.goggleheadedhacker.com/blog/post/23
- https://app.any.run/tasks/02091acd-264d-4614-b465-5082b4c19ef4
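
Added example, not part of the issue and not olevba's own code: a sketch of reporting XLM and VBA keywords as separate families, marking a keyword as "embedded" when it turns up in text of the other language, which is the overlap described above. The `scan` function, the native/embedded labels, the sample strings and the use of `CreateObject` as a stand-in VBA/VBS keyword are assumptions made for this illustration.

```python
import re

# XLM function names listed in this issue.
XLM_FUNCS = ["FORMULA", "FORMULA.FILL", "CALL", "RUN", "WORKBOOK.HIDE", "GET.WORKSPACE",
             "FOPEN", "FWRITE", "WRITELN", "FILE.DELETE"]
# FormulaLocal and Run come from the issue; CreateObject is an assumed stand-in
# for "VBA/VBS keywords" in general.
VBA_WORDS = ["FormulaLocal", "CreateObject"]
CANON = {k.lower(): k for k in VBA_WORDS + ["Run"]}

# XLM: name followed by "(" and not preceded by a dot or identifier character, so
# FORMULA( does not fire inside FORMULA.FILL( and RUN( does not fire on Application.Run.
XLM_RE = re.compile(r"(?<![A-Za-z0-9_.])(" + "|".join(map(re.escape, XLM_FUNCS))
                    + r")\s*\(", re.IGNORECASE)
# VBA: whole identifiers, plus Run only as a member access (.Run).
VBA_RE = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(VBA_WORDS) + r")\b|\.(Run)\b",
                    re.IGNORECASE)

def scan(text, source):
    """Return sorted (family, keyword, where) tuples for text extracted from `source`
    ("VBA" or "XLM"); where is "native" or "embedded" (keyword of the other family)."""
    hits = {("XLM", m.group(1).upper()) for m in XLM_RE.finditer(text)}
    hits |= {("VBA", CANON[(m.group(1) or m.group(2)).lower()])
             for m in VBA_RE.finditer(text)}
    return sorted((fam, kw, "native" if fam == source else "embedded")
                  for fam, kw in hits)

# Constructed samples (not taken from the linked documents).
VBA_SAMPLE = r'''
Sheets("m").Range("A1").FormulaLocal = "=FOPEN(""out.txt"",3)"
Application.Run "m!A1"
'''
XLM_SAMPLE = r'''
=FORMULA.FILL("x",B1)
=WRITELN(A1,"Set d = CreateObject(x)")
=WORKBOOK.HIDE("m",TRUE)
=RUN(B5)
'''

if __name__ == "__main__":
    for name, text in (("VBA", VBA_SAMPLE), ("XLM", XLM_SAMPLE)):
        for fam, kw, where in scan(text, name):
            print(f"{name} source: {fam:3} {kw:14} {where}")
```
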