DissectMalware / XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)
Apache License 2.0
568 stars 115 forks

Incomplete deobfuscation #32

Closed Maijin closed 4 years ago

Maijin commented 4 years ago

Small issue to report a failing case: the following sample deobfuscation starts fine but fails at the end, see Pastebin: https://pastebin.com/aKaJsJ9K

bf12a0d2890df7f5f06d3262398ac457c985aac084a198cd360212da9275fbad.zip (password: infected)

DissectMalware commented 4 years ago

I analyzed the following sample which is similar to the one you shared: https://bazaar.abuse.ch/sample/1f0d10296993fe831bdacf1558c15254c38dee095dc5e8055d0ca14532c75f23

Similar output. After countless hours of debugging, eventually, I single stepped this sample on MS Excel and realized one would get the same result on MS Excel as well. So nothing we can do for this sample. I am not sure why these samples are like this. Please if you have time single step your sample (be aware you need to bypass GET.WORKSPACE(31) statement, which returns True if you are single stepping the macro) and see whether you can see the same or catch the difference.

If you don't know how to manually debug xlm macro using MS Excel, you can watch: https://www.youtube.com/watch?v=LA6u90xIp4E

Maijin commented 4 years ago

Ok thanks will try that, closing here then!

Maijin commented 4 years ago

I think there is a regression here - now in addition to failing, it also throws an exception that probably needs to be handled:

```
Traceback (most recent call last):
  File "/usr/local/bin/xlmdeobfuscator", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/site-packages/XLMMacroDeobfuscator/deobfuscator.py", line 1272, in main
    process_file(**vars(args))
  File "/usr/local/lib/python3.7/site-packages/XLMMacroDeobfuscator/deobfuscator.py", line 1202, in process_file
    for step in interpreter.deobfuscate_macro(not kwargs.get("noninteractive")):
  File "/usr/local/lib/python3.7/site-packages/XLMMacroDeobfuscator/deobfuscator.py", line 890, in deobfuscate_macro
    parse_tree = self.xlm_parser.parse(formula)
  File "/usr/local/lib/python3.7/site-packages/lark/lark.py", line 333, in parse
    return self.parser.parse(text, start=start)
  File "/usr/local/lib/python3.7/site-packages/lark/parser_frontends.py", line 125, in parse
    return self._parse(token_stream, start, set_parser_state)
  File "/usr/local/lib/python3.7/site-packages/lark/parser_frontends.py", line 54, in _parse
    return self.parser.parse(input, start, *args)
  File "/usr/local/lib/python3.7/site-packages/lark/parsers/lalr_parser.py", line 35, in parse
    return self.parser.parse(*args)
  File "/usr/local/lib/python3.7/site-packages/lark/parsers/lalr_parser.py", line 83, in parse
    for token in stream:
  File "/usr/local/lib/python3.7/site-packages/lark/lexer.py", line 376, in lex
    for x in l.lex(stream, self.root_lexer.newline_types, self.root_lexer.ignore_types):
  File "/usr/local/lib/python3.7/site-packages/lark/lexer.py", line 182, in lex
    raise UnexpectedCharacters(stream, line_ctr.char_pos, line_ctr.line, line_ctr.column, allowed=allowed, state=self.state, token_history=last_token and [last_token])
lark.exceptions.UnexpectedCharacters: No terminal defined for 'ᕖ' at line 1 col 5

=FILᕖS(RY-ǟ067Ē]Cਡ2]'
    ^

Expecting: {'CMPOP', 'LIST_SEPARATOR', 'MULTIOP', 'R_PRA', 'CONCATOP', 'L_PRA', 'COLON', 'ADDITIVEOP', 'BANG', 'DOT'}

Previous tokens: Token(NAME, 'FIL')
```

DissectMalware commented 4 years ago

No it is not :)

To address a bug, I usually relax the exception handling in the code so I can see more details.


I forgot to change it back before committing. It is fixed now.
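As an added illustration of the failure mode in this thread (not code from XLMMacroDeobfuscator: the token names are borrowed from the traceback above, while the lexer and the sample cells are constructed), a minimal XLM lexer that raises the same kind of UnexpectedCharacters error on the reported formula, wrapped in a cell walker that records the bad cell and continues instead of letting the exception kill the whole run:

```python
import re

# Constructed mini-lexer using the token names from the traceback above.
# It is not XLMMacroDeobfuscator's lark grammar, only a stand-in for it.
TOKEN_SPEC = [
    ("NAME", r"[A-Za-z_][A-Za-z0-9_]*"), ("NUMBER", r"\d+(?:\.\d+)?"),
    ("STRING", r'"(?:[^"]|"")*"'), ("L_PRA", r"\("), ("R_PRA", r"\)"),
    ("LIST_SEPARATOR", r","), ("CMPOP", r"<>|<=|>=|[<>=]"),
    ("ADDITIVEOP", r"[+-]"), ("MULTIOP", r"[*/]"), ("CONCATOP", r"&"),
    ("COLON", r":"), ("BANG", r"!"), ("DOT", r"\."), ("WS", r"[ \t]+"),
]
MASTER = re.compile("|".join(f"(?P<{n}>{p})" for n, p in TOKEN_SPEC))

class UnexpectedCharacters(Exception):
    """Mirrors lark's error: offending char, 1-based column, last good token."""
    def __init__(self, text, pos, previous):
        self.char, self.column, self.previous = text[pos], pos + 1, previous
        super().__init__(f"No terminal defined for {self.char!r} at col {self.column}")

def lex(formula):
    """Tokenise one XLM formula; the leading '=' is skipped, not a token."""
    tokens, pos = [], 1 if formula.startswith("=") else 0
    while pos < len(formula):
        m = MASTER.match(formula, pos)
        if m is None:  # the Unicode junk in '=FILᕖS(' lands here at col 5
            raise UnexpectedCharacters(formula, pos, tokens[-1] if tokens else None)
        if m.lastgroup != "WS":
            tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens

def deobfuscate_macro(cells):
    """Walk the macro cells in order; a formula the lexer rejects is recorded
    as an error for that cell and the walk continues (contrast the traceback)."""
    results = []
    for ref, formula in cells:
        try:
            results.append((ref, "ok", lex(formula)))
        except UnexpectedCharacters as exc:
            results.append((ref, "error", f"{exc}; previous token: {exc.previous}"))
    return results

# Constructed cells: the middle one has the shape of the formula in the traceback.
SAMPLE_CELLS = [
    ("R1C1", "=GET.WORKSPACE(31)"),
    ("R2C1", "=FILᕖS(RY-ǟ067Ē]Cਡ2]'"),
    ("R3C1", "=HALT()"),
]
```

Running `deobfuscate_macro(SAMPLE_CELLS)` yields an "ok" token list for the first and third cell and an "error" entry for the second that names the character, the column and the previous NAME token, the same three facts the lark error reports.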

Maijin commented 4 years ago

👍