
XLM4 is not detected

Open randubin opened this issue 2 years ago • 2 comments

Affected tool: olevba,oleid

Describe the bug: XLM4 exists in the file, but oletools does not detect it.

File/Malware sample to reproduce the bug: https://bazaar.abuse.ch/sample/306433cdeddadf922a7849ab12431fbdb1f1f7f23dc4de1c2e378dcf9a05ca8a/

How to reproduce the bug: tested on Python 3.8, oletools 0.60.1.dev6.

Expected behavior: XLM 4 detected.

Console output / Screenshots: (screenshot not included)

Version information:

  • OS: Mac
  • OS version: x.xx - 64 bits
  • Python version: 2.8 -64 bits
  • oletools version: 0.60.1.dev6

randubin avatar Feb 22 '22 08:02 randubin

Hi @randubin, this looks similar to #728: could you please update oletools with the following command and tell me if it works?

pip install -U oletools[full]

This will install XLMMacroDeobfuscator, which is now used to detect and extract XLM macros. By default XLMMacroDeobfuscator is not installed by pip. You can also install it separately (see https://github.com/DissectMalware/XLMMacroDeobfuscator).

decalage2 avatar Feb 22 '22 08:02 decalage2

Thanks for the fast response!

What is [full]? I tried to update from git or from pip and got the same result. (I made sure that I have the latest version of XLMMacroDeobfuscator: pip install -U https://github.com/DissectMalware/XLMMacroDeobfuscator/archive/master.zip)

XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
olevba 0.60.1.dev6 on Python 3.8.8 - http://decalage.info/python/oletools
===============================================================================
FILE: 5f034563d28cfcb02445fc33f0da4be.xlsb
Type: OpenXML
No VBA or XLM macros found.

When I run XLMMacroDeobfuscator directly:

XLMMacroDeobfuscator(v0.2.5) - https://github.com/DissectMalware/XLMMacroDeobfuscator

File:05f034563d28cfcb02445fc33f0da4be.xlsb

Unencrypted document or unsupported file format
Unencrypted xlsb file

[Loading Cells]
auto_open: auto_open->LLELFLLEF!$E$1
[Starting Deobfuscation]
Error [deobfuscator.py:2586 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token('__ANON_0', '!C12, Bt2!B17)=FORMULA(Bt2!G6, Bt1!I3)=FORMULA(Fefwq1!L24&Fefwq1!L26&Fefwq1!L27&Fefwq1!L28&Fefwq1!L28&Sbrrrrww1!D7&Bt1!I3&Sbrrrrww1!B15&Bt1!I3&Sbrrrrww1!E2&Bt1!I3&Sbrrrrww1!F13&Bt1!I3&Sbrrrrww1!G5&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!F24&Sbrrrrww1!R2, E14)=FORMULA(Fefwq1!L24&Fefwq1!L26&Fefwq1!L27&Fefwq1!L28&Fefwq1!L28&Sbrrrrww1!C10&Bt1!I3&Sbrrrrww1!H8&Fefwq1!R17&Fefwq1!I3&Fefwq1!B11&Fefwq1!E2&Fefwq1!R17&Fefwq1!T9&Fefwq1!M8&Fefwq1!T4&Fefwq1!R17&Sbrrrrww1!P13&Bt2!B17&Sbrrrrww1!J12&Sbrrrrww1!M4&Sbrrrrww1!N11&Sbrrrrww1!G19&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!H26&Sbrrrrww1!N7&Sbrrrrww1!T6&Fefwq1!L31, E16)=FORMULA(Fefwq1!L24&Fefwq1!G8&Fefwq1!F4&Fefwq1!G8&Fefwq1!O3&Fefwq1!L30&Fefwq1!F24&Bt1!I3&Fefwq1!F10&Fefwq1!C16&Fefwq1!O18&Fefwq1!B3&Fefwq1!A4&Fefwq1!Q1&Fefwq1!S5&Fefwq1!F28&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!H26&Sbrrrrww1!N7&Fefwq1!L31, E18)=FORMULA(Fefwq1!L24&Fefwq1!L26&Fefwq1!L27&Fefwq1!L28&Fefwq1!L28&Sbrrrrww1!C10&Bt1!I3&Sbrrrrww1!H8&Fefwq1!R17&Fefwq1!I3&Fefwq1!B11&Fefwq1!E2&Fefwq1!R17&Fefwq1!T9&Fefwq1!M8&Fefwq1!T4&Fefwq1!R17&Sbrrrrww1!P13&Bt2!B17&Sbrrrrww1!J12&Sbrrrrww1!M4&Sbrrrrww1!N11&Sbrrrrww1!H21&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!H26&Sbrrrrww1!S15&Sbrrrrww1!T6&Fefwq1!L31, E20)=FORMULA(Fefwq1!L24&Fefwq1!G8&Fefwq1!F4&Fefwq1!G8&Fefwq1!O3&Fefwq1!L30&Fefwq1!F24&Bt1!I3&Fefwq1!F10&Fefwq1!C16&Fefwq1!O18&Fefwq1!B3&Fefwq1!A4&Fefwq1!Q1&Fefwq1!S5&Fefwq1!F28&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!H26&Sbrrrrww1!S15&Fefwq1!L31, E22)=FORMULA(Fefwq1!L24&Fefwq1!L26&Fefwq1!L27&Fefwq1!L28&Fefwq1!L28&Sbrrrrww1!C10&Bt1!I3&Sbrrrrww1!H8&Fefwq1!R17&Fefwq1!I3&Fefwq1!B11&Fefwq1!E2&Fefwq1!R17&Fefwq1!T9&Fefwq1!M8&Fefwq1!T4&Fefwq1!R17&Sbrrrrww1!P13&Bt2!B17&Sbrrrrww1!J12&Sbrrrrww1!M4&Sbrrrrww1!N11&Sbrrrrww1!I18&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!H26&Sbrrrrww1!A5&Sbrrrrww1!T6&Fefwq1!L31, 
E24)=FORMULA(Fefwq1!L24&Fefwq1!G8&Fefwq1!F4&Fefwq1!G8&Fefwq1!O3&Fefwq1!L30&Fefwq1!F24&Bt1!I3&Fefwq1!F10&Fefwq1!C16&Fefwq1!O18&Fefwq1!B3&Fefwq1!A4&Fefwq1!Q1&Fefwq1!S5&Fefwq1!F28&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!H26&Sbrrrrww1!A5&Fefwq1!L31, E26)=FORMULA(Fefwq1!L24&Fefwq1!R27&Fefwq1!S30&Fefwq1!P25&Fefwq1!Q32&Fefwq1!R27&Fefwq1!S26&Fefwq1!L30&Fefwq1!L31, E36)') at line 1, column 23.
Expected one of: 
	* CMPOP
	* CONCATOP
	* COLON
	* ADDITIVEOP
	* LIST_SEPARATOR
	* R_PRA
	* MULTIOP
	* L_PRA
Previous tokens: [Token('__ANON_2', 'Bt1')]

Files:
[END of Deobfuscation]
time elapsed: 0.07923579216003418

randubin avatar Feb 22 '22 11:02 randubin