DissectMalware / XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)
Apache License 2.0

add more cell properties used in zloader #20

Closed spencerwp closed 4 years ago

spencerwp commented 4 years ago

With these properties added I can fully decode a new zloader dropper

spencerwp commented 4 years ago

While only checking for a value set on the cell, not a formula, it seems that formulas that haven't been evaluated cause interactive mode to be enabled (where the cell is used in an unimplemented function call).

FORMULA.FILL("=""C:\Windows\system32\reg.exe""",Sheet2!EK32166)

CELL:C36621 , FullEvaluation , FORMULA.FILL("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[-4456]C[138],R[-35425]C[90],0,5)",Sheet2!C36622)

Process Interruption: CELL:C36622 =CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open",R[-4456]C[138],R[-35425]C[90],0,5) Partial Eval: CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open",EK32166,CO1197,0,5) EK32166 is not populated, what should be its value? Enter XLM macro: Tip: CLOSE() or HALT() to exist
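The interruption above comes from treating a cell that holds a not-yet-evaluated formula as "not populated". The following added example (not code from the XLMMacroDeobfuscator project) models a cell with separate value and formula slots, resolves the R[dr]C[dc] references from the log relative to C36622, and evaluates a pending FORMULA.FILL result lazily instead of prompting. The evaluator is an assumption: it only handles string-literal formulas, which is all this case needs.

```python
import re
from dataclasses import dataclass
R1C1 = re.compile(r"R\[(-?\d+)\]C\[(-?\d+)\]")
STRING_LITERAL = re.compile(r'="((?:[^"]|"")*)"')  # doubled quote escapes a quote

def col_to_index(col):
    n = 0
    for ch in col:
        n = n * 26 + ord(ch) - ord("A") + 1
    return n

def index_to_col(n):
    s = ""
    while n:
        n, rem = divmod(n - 1, 26)
        s = chr(ord("A") + rem) + s
    return s

def resolve_relative(ref, origin):
    """Convert an R[dr]C[dc] reference, relative to origin (A1 style), to A1."""
    dr, dc = (int(x) for x in R1C1.fullmatch(ref).groups())
    col, row = re.fullmatch(r"([A-Z]+)(\d+)", origin).groups()
    return f"{index_to_col(col_to_index(col) + dc)}{int(row) + dr}"

@dataclass
class Cell:
    value: object = None  # set once evaluated
    formula: str = None   # set by FORMULA.FILL, before any evaluation

class Sheet:
    def __init__(self):
        self.cells = {}
    def formula_fill(self, formula, target):
        # FORMULA.FILL only stores the formula; the target has no value yet.
        self.cells.setdefault(target, Cell()).formula = formula
    def evaluate(self, addr):
        # Minimal evaluator (assumption): handles string-literal formulas only.
        cell = self.cells[addr]
        m = STRING_LITERAL.fullmatch(cell.formula or "")
        if m:
            cell.value = m.group(1).replace('""', '"')
        return cell.value
    def lookup(self, ref, origin):
        # Resolve a cell used as a call argument; evaluate a pending formula lazily.
        addr = resolve_relative(ref, origin) if R1C1.fullmatch(ref) else ref
        cell = self.cells.get(addr)
        if cell is None:
            return addr, None  # genuinely unpopulated: only here should a prompt happen
        if cell.value is None and cell.formula is not None:
            self.evaluate(addr)  # pending formula is not "not populated"
        return addr, cell.value
```

With the FORMULA.FILL from the log stored in EK32166, lookup of R[-4456]C[138] from C36622 returns the reg.exe path, while CO1197 (never written in this excerpt) still comes back as unpopulated.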

DissectMalware commented 4 years ago

Great fix! The colors are shifted by 8 in xlrd!

Regarding the height, also great catch. Forgot to sync XLSMWrapper with XLSWrapper