XLMMacroDeobfuscator icon indicating copy to clipboard operation
XLMMacroDeobfuscator copied to clipboard

Published 20 hours ago verified publisher icon DissectMalware

Error [deobfuscator.py:2990 process_file(**vars(args))]:

Open JA1E0 opened this issue 4 years ago • 2 comments

❯ When analyzing a malicious document with version 0.1.7, analysis proceeds until... xlmdeobfuscator.exe -f D:\malware\white\ecaaab9e2fc089eefb6accae9750ac60.bin

      _        _______

|\ /|( \ ( ) ( \ / )| ( | () () | \ () / | | | || || | ) _ ( | | | |()| | / ( ) \ | | | | | | ( / \ )| (/| ) ( | |/ |(___/|/ |

( __ \ ( ____ ( ___ )( ___ \ ( ____ |\ /|( ____ ( ____ ( ___ )__ /( ___ )( ____ ) | ( \ )| ( /| ( ) || ( ) )| ( /| ) ( || ( /| ( /| ( ) | ) ( | ( ) || ( )| | | ) || ( | | | || (/ / | ( | | | || (_____ | | | () | | | | | | || ()| | | | || ) | | | || __ ( | ) | | | |(_ )| | | ___ | | | | | | || ) | | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ ( | (/ )| (/| () || )) )| ) | () |/_) || (/| ) ( | | | | () || ) \ _ (/ (/()|/ ___/ |/ ()_)(/|/ | )( (____)|/ _/

XLMMacroDeobfuscator(v0.1.7) - https://github.com/DissectMalware/XLMMacroDeobfuscator

File: D:\malware\ecaaab9e2fc089eefb6accae9750ac60.bin

Unencrypted xls file

[Loading Cells] Error [deobfuscator.py:2990 process_file(**vars(args))]:

======== MD5: ecaaab9e2fc089eefb6accae9750ac60

JA1E0 avatar Feb 26 '21 05:02 JA1E0

Fixed an issue in xlrd2 project (https://github.com/DissectMalware/xlrd2/commit/91bcd840a4d697a9938ca3ed92f48b6d0c8ed97e)

Please update xlrd2:

pip install -U https://github.com/DissectMalware/xlrd2/archive/master.zip --force

Then you should see this: image

The output seems to be incomplete. The inner if block in z6 formula caused the interpreter loop detection logic to mark it as a loop; thus, halting the interpretation

using -x (to extract raw formula)

image

DissectMalware avatar Feb 26 '21 20:02 DissectMalware

thanks this also fixed error for me, upgrading the xlrd2

doomedraven avatar Aug 03 '21 20:08 doomedraven