DissectMalware / XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)
Apache License 2.0

Parsing of short sheet names #103

Closed unconfigured closed 2 years ago

unconfigured commented 2 years ago

While decoding 050d1e2d231518eaff1615e7ef68e8f617aaf15965799a26aecf104f8802c14e (see VirusTotal) I've noted that sheet names like "Fefwq1" work fine, whereas sheet names like "Bt1", "Bt2" cause problems during parsing (`Unexpected token Token('__ANON_0', '!I3... / Previous tokens: [Token('__ANON_2', 'Bt1')]`).

I was able to fix this temporarily by adding those names to the parser template file `xlm-macro.lark.template`. Sadly I am not able to completely understand the regex to implement a fix without further possible side effects.

Temporary fix (xlm-macro.lark.template):

```
a1_notation_cell:   [(FIXME1|FIXME2|NAME) "!" | "'" /[^']+/i "'!"| "!"] /\$?([a-qs-z][a-z]?)\$?\d+\b|\$?(r[a-bd-z]?)\$?\d+\b(?!C)/i
r1c1_notation_cell: [(FIXME1|FIXME2|NAME) "!" | "'" /[^']+/i "'!" | "!"] ROW [REF | INT ] COL [REF | INT ]
FIXME1: "Bt1"
FIXME2: "Bt2"
```

DissectMalware commented 2 years ago

This is fixed now (https://github.com/DissectMalware/XLMMacroDeobfuscator/commit/90a58f4a88676ee75db1581394b9503cd4f65e75)
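
Added example, not part of the thread or of the project's code: a Python check that applies the A1 cell pattern quoted in the issue to sheet names, showing that "Bt1" and "Bt2" are themselves valid cell references (column BT) while "Fefwq1" is not, which is consistent with the `Bt1` token in the error message. The helper names and the split-on-`!` workaround are assumptions for illustration and are not the fix from the linked commit.

```python
import re

# A1-style cell pattern copied from the a1_notation_cell rule quoted in the issue.
A1_CELL = re.compile(
    r"\$?([a-qs-z][a-z]?)\$?\d+\b|\$?(r[a-bd-z]?)\$?\d+\b(?!C)",
    re.IGNORECASE,
)


def looks_like_a1_cell(sheet_name):
    """True when the entire sheet name is also a match for the cell pattern."""
    return A1_CELL.fullmatch(sheet_name) is not None


def colliding_names(sheet_names):
    """Return the sheet names a tokenizer could mistake for cell references."""
    return [name for name in sheet_names if looks_like_a1_cell(name)]


def split_reference(ref):
    """Split 'Sheet!Cell' on the last '!' before matching the cell part.

    Hypothetical workaround: the text left of '!' is always taken as the
    sheet name, whatever its shape, so 'Bt1!I3' is never read as two cells.
    """
    sheet, sep, cell = ref.rpartition("!")
    # Strip the quotes of a quoted sheet name such as 'My Sheet'!A1.
    if sep and len(sheet) >= 2 and sheet[0] == sheet[-1] == "'":
        sheet = sheet[1:-1]
    if not A1_CELL.fullmatch(cell):
        raise ValueError("not an A1 cell reference: %r" % cell)
    return (sheet or None), cell


if __name__ == "__main__":
    # Constructed sample: the names mentioned in the issue plus one more.
    names = ["Fefwq1", "Bt1", "Bt2", "Macro1"]
    print("collide with cell syntax:", colliding_names(names))
    for ref in ["Bt1!I3", "Fefwq1!A1", "'My Sheet'!$A$1", "!I3"]:
        print(ref, "->", split_reference(ref))
```

Running `colliding_names` over a workbook's sheet list before deobfuscation flags the names that need quoting or special handling in the grammar.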
