oletools
XLM4 is not detected
Affected tool: olevba, oleid
Describe the bug
XLM4 exists in the file, but oletools does not detect it.
File/Malware sample to reproduce the bug
https://bazaar.abuse.ch/sample/306433cdeddadf922a7849ab12431fbdb1f1f7f23dc4de1c2e378dcf9a05ca8a/
How To Reproduce the bug
Tested on Python 3.8, oletools 0.60.1.dev6
Expected behavior
XLM 4 detected.
Console output / Screenshots
Version information:
- OS: Mac
- OS version: x.xx - 64 bits
- Python version: 2.8 - 64 bits
- oletools version: 0.60.1.dev6
Hi @randubin, this looks similar to #728: could you please update oletools with the following command and tell me if it works?
pip install -U oletools[full]
This will install XLMMacroDeobfuscator, which is now used to detect and extract XLM macros. By default XLMMacroDeobfuscator is not installed by pip. You can also install it separately (see https://github.com/DissectMalware/XLMMacroDeobfuscator).
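As an added illustration of the point made above (example code, not part of the oletools project or of this thread): olevba only looks for XLM macros when the optional XLMMacroDeobfuscator package is importable, so a "No VBA or XLM macros found." line from an install without the `[full]` extra is not a clean verdict for XLM. The script below checks for the module the way a wrapper around olevba would, runs olevba as a module (olevba.py has a `__main__` guard), and downgrades a negative result to "inconclusive" when XLM support is absent. The function names, the verdict strings and the output-matching heuristic are this example's own assumptions, not oletools' API.

```python
"""Added example (not oletools' own code): sanity-check olevba's optional
XLM dependency before trusting a negative macro verdict."""
import importlib.util
import subprocess
import sys

# Module that oletools[full] installs and olevba imports for XLM support.
XLM_MODULE = "XLMMacroDeobfuscator"


def has_module(name: str) -> bool:
    """True if `name` can be imported by the current interpreter."""
    return importlib.util.find_spec(name) is not None


def classify_olevba_output(output: str, xlm_available: bool) -> str:
    """Map olevba's console summary to a verdict (heuristic, assumed here).

    The negative line only covers XLM when the deobfuscator was present;
    otherwise olevba had no way to inspect XLM at all.
    """
    if "No VBA or XLM macros found" in output:
        return "clean" if xlm_available else "inconclusive: XLM not checked"
    if "MACRO" in output.upper():
        return "macros found"
    return "unknown"


def run_olevba(path: str) -> str:
    """Run olevba as a module and return its combined stdout/stderr.

    Assumes oletools is installed in the same interpreter as this script.
    """
    proc = subprocess.run(
        [sys.executable, "-m", "oletools.olevba", path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    target = sys.argv[1]
    xlm_ok = has_module(XLM_MODULE)
    if not xlm_ok:
        print(f"warning: {XLM_MODULE} not importable; install with "
              "pip install -U 'oletools[full]'", file=sys.stderr)
    print(classify_olevba_output(run_olevba(target), xlm_ok))
```

Usage note: on macOS the default shell is zsh, where unquoted square brackets are glob characters, so type `pip install -U 'oletools[full]'` (quoted) to get the extra installed rather than a "no matches found" error.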
Thanks for the fast response!
What is [full]? I tried to update from git or from pip and got the same result. (I made sure that I have the latest version of XLMMacroDeobfuscator: pip install -U https://github.com/DissectMalware/XLMMacroDeobfuscator/archive/master.zip)
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
olevba 0.60.1.dev6 on Python 3.8.8 - http://decalage.info/python/oletools
===============================================================================
FILE: 5f034563d28cfcb02445fc33f0da4be.xlsb
Type: OpenXML
No VBA or XLM macros found.
When I run XLMMacroDeobfuscator directly:
XLMMacroDeobfuscator(v0.2.5) - https://github.com/DissectMalware/XLMMacroDeobfuscator
File:05f034563d28cfcb02445fc33f0da4be.xlsb
Unencrypted document or unsupported file format
Unencrypted xlsb file
[Loading Cells]
auto_open: auto_open->LLELFLLEF!$E$1
[Starting Deobfuscation]
Error [deobfuscator.py:2586 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token('__ANON_0', '!C12, Bt2!B17)=FORMULA(Bt2!G6, Bt1!I3)=FORMULA(Fefwq1!L24&Fefwq1!L26&Fefwq1!L27&Fefwq1!L28&Fefwq1!L28&Sbrrrrww1!D7&Bt1!I3&Sbrrrrww1!B15&Bt1!I3&Sbrrrrww1!E2&Bt1!I3&Sbrrrrww1!F13&Bt1!I3&Sbrrrrww1!G5&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!F24&Sbrrrrww1!R2, E14)=FORMULA(Fefwq1!L24&Fefwq1!L26&Fefwq1!L27&Fefwq1!L28&Fefwq1!L28&Sbrrrrww1!C10&Bt1!I3&Sbrrrrww1!H8&Fefwq1!R17&Fefwq1!I3&Fefwq1!B11&Fefwq1!E2&Fefwq1!R17&Fefwq1!T9&Fefwq1!M8&Fefwq1!T4&Fefwq1!R17&Sbrrrrww1!P13&Bt2!B17&Sbrrrrww1!J12&Sbrrrrww1!M4&Sbrrrrww1!N11&Sbrrrrww1!G19&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!H26&Sbrrrrww1!N7&Sbrrrrww1!T6&Fefwq1!L31, E16)=FORMULA(Fefwq1!L24&Fefwq1!G8&Fefwq1!F4&Fefwq1!G8&Fefwq1!O3&Fefwq1!L30&Fefwq1!F24&Bt1!I3&Fefwq1!F10&Fefwq1!C16&Fefwq1!O18&Fefwq1!B3&Fefwq1!A4&Fefwq1!Q1&Fefwq1!S5&Fefwq1!F28&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!H26&Sbrrrrww1!N7&Fefwq1!L31, E18)=FORMULA(Fefwq1!L24&Fefwq1!L26&Fefwq1!L27&Fefwq1!L28&Fefwq1!L28&Sbrrrrww1!C10&Bt1!I3&Sbrrrrww1!H8&Fefwq1!R17&Fefwq1!I3&Fefwq1!B11&Fefwq1!E2&Fefwq1!R17&Fefwq1!T9&Fefwq1!M8&Fefwq1!T4&Fefwq1!R17&Sbrrrrww1!P13&Bt2!B17&Sbrrrrww1!J12&Sbrrrrww1!M4&Sbrrrrww1!N11&Sbrrrrww1!H21&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!H26&Sbrrrrww1!S15&Sbrrrrww1!T6&Fefwq1!L31, E20)=FORMULA(Fefwq1!L24&Fefwq1!G8&Fefwq1!F4&Fefwq1!G8&Fefwq1!O3&Fefwq1!L30&Fefwq1!F24&Bt1!I3&Fefwq1!F10&Fefwq1!C16&Fefwq1!O18&Fefwq1!B3&Fefwq1!A4&Fefwq1!Q1&Fefwq1!S5&Fefwq1!F28&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!H26&Sbrrrrww1!S15&Fefwq1!L31, E22)=FORMULA(Fefwq1!L24&Fefwq1!L26&Fefwq1!L27&Fefwq1!L28&Fefwq1!L28&Sbrrrrww1!C10&Bt1!I3&Sbrrrrww1!H8&Fefwq1!R17&Fefwq1!I3&Fefwq1!B11&Fefwq1!E2&Fefwq1!R17&Fefwq1!T9&Fefwq1!M8&Fefwq1!T4&Fefwq1!R17&Sbrrrrww1!P13&Bt2!B17&Sbrrrrww1!J12&Sbrrrrww1!M4&Sbrrrrww1!N11&Sbrrrrww1!I18&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!H26&Sbrrrrww1!A5&Sbrrrrww1!T6&Fefwq1!L31, 
E24)=FORMULA(Fefwq1!L24&Fefwq1!G8&Fefwq1!F4&Fefwq1!G8&Fefwq1!O3&Fefwq1!L30&Fefwq1!F24&Bt1!I3&Fefwq1!F10&Fefwq1!C16&Fefwq1!O18&Fefwq1!B3&Fefwq1!A4&Fefwq1!Q1&Fefwq1!S5&Fefwq1!F28&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!H26&Sbrrrrww1!A5&Fefwq1!L31, E26)=FORMULA(Fefwq1!L24&Fefwq1!R27&Fefwq1!S30&Fefwq1!P25&Fefwq1!Q32&Fefwq1!R27&Fefwq1!S26&Fefwq1!L30&Fefwq1!L31, E36)') at line 1, column 23.
Expected one of:
* CMPOP
* CONCATOP
* COLON
* ADDITIVEOP
* LIST_SEPARATOR
* R_PRA
* MULTIOP
* L_PRA
Previous tokens: [Token('__ANON_2', 'Bt1')]
Files:
[END of Deobfuscation]
time elapsed: 0.07923579216003418