oletools

olevba: use xlrd or XLMMacroDeobfuscator to extract XLM macros

Open decalage2 opened this issue 5 years ago • 2 comments

It is possible to extract XLM macro formulas using a modified version of xlrd: https://twitter.com/H_Miser/status/1248247907481866246 https://github.com/Heat-Miser/xlrd/commit/5d599771c2d726e8e4863564722fd714d63d2023

Maybe olevba could leverage it to improve the output and analysis of XLM macros instead of / in addition to plugin_biff.

decalage2, Apr 09 '20 15:04

You can also consider xlrd2, which is actively maintained by me: https://github.com/DissectMalware/xlrd2

Unlike the original xlrd, by using this version you can get the formula strings for all XLM functions.

DissectMalware, May 21 '20 21:05

Maybe a simpler solution is to rely on XLMMacroDeobfuscator, since it supports all the formats: https://github.com/DissectMalware/XLMMacroDeobfuscator#library (using it only to extract the XLM macros, not to emulate them. If one wants to emulate/deobfuscate them, then olevba can recommend running XLMMacroDeobfuscator directly. Same for ViperMonkey for VBA macros.)

decalage2, Sep 24 '20 19:09