DissectMalware / XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)
Apache License 2.0

Fails on recent Emotet maldocs. #102

Closed kirk-sayre-work closed 2 years ago

kirk-sayre-work commented 2 years ago

xlmdeobfuscator -x fails with an Error [deobfuscator.py:3189 process_file(**vars(args))]: 'None' has no attribute 'xm_macrosheet' error on recent (2/4/2022) Emotet Excel samples. Some example Emotet file hashes are 9ddac5c4281f20c330439fae9bcbd8d6693b80083fa10894bb9ce002c2015399 and 77ee213b8790da89694d63a2288e223450c67fa75c82aceb968625c509154937.

doomedraven commented 2 years ago

Here is a bit more context:

File "/usr/local/lib/python3.9/site-packages/XLMMacroDeobfuscator/xlsm_wrapper.py", line 268, in load_macro_cells
    if not hasattr(macrosheet_obj.xm_macrosheet.sheetData, 'row'):
  File "/usr/local/lib/python3.9/site-packages/untangle.py", line 82, in __getattr__
    raise AttributeError(
AttributeError: 'None' has no attribute 'xm_macrosheet'

>>> dir(macrosheet_obj)
['worksheet']

>>> macrosheet_obj.xm_macrosheet
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/usr/local/lib/python3.9/site-packages/untangle.py", line 82, in __getattr__
    raise AttributeError(
AttributeError: 'None' has no attribute 'xm_macrosheet'

DissectMalware commented 2 years ago

RCA:

A normal XLM macrosheet looks like this: [image]

The Emotet macrosheet looks like this (instead of having xm:macrosheet as the root element, it has a worksheet element): [image]

Despite saying worksheet, this is a macrosheet. [image]
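To make the root-element mismatch concrete, here is an added example (not the project's own code) that parses a macrosheet part with the standard-library xml.etree instead of untangle and accepts either an xm:macrosheet or a worksheet root before reading the formula cells. The namespace URIs and the two sample sheets are assumptions constructed for the example, not taken from any real document.

```python
# Added example, not XLMMacroDeobfuscator code: read formula cells from a
# macrosheet part whether its root is <xm:macrosheet> or a plain <worksheet>.
import xml.etree.ElementTree as ET

# Namespace URIs assumed for this example.
SML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
XM_NS = "http://schemas.microsoft.com/office/excel/2006/main"
ACCEPTED_ROOTS = {f"{{{XM_NS}}}macrosheet", f"{{{SML_NS}}}worksheet"}


def load_macro_cells(xml_text):
    """Return {cell_ref: formula} for every <c> carrying an <f> element.

    Raises ValueError when the root is neither xm:macrosheet nor worksheet,
    instead of failing later with an AttributeError on a missing attribute.
    """
    root = ET.fromstring(xml_text)
    if root.tag not in ACCEPTED_ROOTS:
        raise ValueError(f"unexpected root element {root.tag}")
    cells = {}
    sheet_data = root.find(f"{{{SML_NS}}}sheetData")
    if sheet_data is None:          # empty sheet: no rows at all
        return cells
    for row in sheet_data.findall(f"{{{SML_NS}}}row"):
        for c in row.findall(f"{{{SML_NS}}}c"):
            f = c.find(f"{{{SML_NS}}}f")
            if f is not None and f.text:
                cells[c.get("r")] = f.text
    return cells


# Constructed sample: the usual xm:macrosheet root.
NORMAL_SHEET = (
    f'<xm:macrosheet xmlns="{SML_NS}" xmlns:xm="{XM_NS}">'
    '<sheetData><row r="1"><c r="A1"><f>HALT()</f></c></row></sheetData>'
    '</xm:macrosheet>'
)

# Constructed sample: same content, but a worksheet root as in the issue.
WORKSHEET_ROOT_SHEET = (
    f'<worksheet xmlns="{SML_NS}">'
    '<sheetData><row r="3"><c r="B3"><f>RETURN()</f></c>'
    '<c r="C3"><v>42</v></c></row></sheetData>'
    '</worksheet>'
)

if __name__ == "__main__":
    print(load_macro_cells(NORMAL_SHEET))          # {'A1': 'HALT()'}
    print(load_macro_cells(WORKSHEET_ROOT_SHEET))  # {'B3': 'RETURN()'}
```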

DissectMalware commented 2 years ago

The extraction issue is resolved. But another issue still prevents xlmdeobfuscator from emulating this instance. As such I will keep this issue open.

[image]

DissectMalware commented 2 years ago

This issue is fixed in https://github.com/DissectMalware/XLMMacroDeobfuscator/commit/04e5dc17ab58891723bed4be33e3d0191aaf1540