Closed Maijin closed 4 years ago
I analyzed the following sample which is similar to the one you shared: https://bazaar.abuse.ch/sample/1f0d10296993fe831bdacf1558c15254c38dee095dc5e8055d0ca14532c75f23
Similar output. After countless hours of debugging, I eventually single-stepped this sample in MS Excel and realized one would get the same result in MS Excel as well. So there is nothing we can do for this sample. I am not sure why these samples are like this. Please, if you have time, single-step your sample (be aware you need to bypass the GET.WORKSPACE(31) statement, which returns True if you are single-stepping the macro) and see whether you get the same result or can catch the difference.
If you don't know how to manually debug an XLM macro using MS Excel, you can watch: https://www.youtube.com/watch?v=LA6u90xIp4E
Ok thanks will try that, closing here then!
I think there is a regression here - now, in addition to failing, it also throws an exception that probably needs to be handled:
Traceback (most recent call last):
File "/usr/local/bin/xlmdeobfuscator", line 8, in <module>
sys.exit(main())
File "/usr/local/lib/python3.7/site-packages/XLMMacroDeobfuscator/deobfuscator.py", line 1272, in main
process_file(**vars(args))
File "/usr/local/lib/python3.7/site-packages/XLMMacroDeobfuscator/deobfuscator.py", line 1202, in process_file
for step in interpreter.deobfuscate_macro(not kwargs.get("noninteractive")):
File "/usr/local/lib/python3.7/site-packages/XLMMacroDeobfuscator/deobfuscator.py", line 890, in deobfuscate_macro
parse_tree = self.xlm_parser.parse(formula)
File "/usr/local/lib/python3.7/site-packages/lark/lark.py", line 333, in parse
return self.parser.parse(text, start=start)
File "/usr/local/lib/python3.7/site-packages/lark/parser_frontends.py", line 125, in parse
return self._parse(token_stream, start, set_parser_state)
File "/usr/local/lib/python3.7/site-packages/lark/parser_frontends.py", line 54, in _parse
return self.parser.parse(input, start, *args)
File "/usr/local/lib/python3.7/site-packages/lark/parsers/lalr_parser.py", line 35, in parse
return self.parser.parse(*args)
File "/usr/local/lib/python3.7/site-packages/lark/parsers/lalr_parser.py", line 83, in parse
for token in stream:
File "/usr/local/lib/python3.7/site-packages/lark/lexer.py", line 376, in lex
for x in l.lex(stream, self.root_lexer.newline_types, self.root_lexer.ignore_types):
File "/usr/local/lib/python3.7/site-packages/lark/lexer.py", line 182, in lex
raise UnexpectedCharacters(stream, line_ctr.char_pos, line_ctr.line, line_ctr.column, allowed=allowed, state=self.state, token_history=last_token and [last_token])
lark.exceptions.UnexpectedCharacters: No terminal defined for 'ᕖ' at line 1 col 5
=FILᕖS(RY-ǟ067Ē]Cਡ2]'
^
Expecting: {'CMPOP', 'LIST_SEPARATOR', 'MULTIOP', 'R_PRA', 'CONCATOP', 'L_PRA', 'COLON', 'ADDITIVEOP', 'BANG', 'DOT'}
Previous tokens: Token(NAME, 'FIL')
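The traceback above shows the lexer exception escaping from the per-formula loop in deobfuscate_macro and killing the whole run on one garbled cell. As an added illustration (not the project's code; the real tool uses a lark grammar, whereas this uses a hypothetical minimal regex tokenizer and constructed sample cells), here is the shape of a loop that records the failing cell and its column, in the same 1-based style lark reports, and keeps going with the remaining formulas:

```python
import re
from dataclasses import dataclass, field

# Constructed sample cells (not from the issue's sample file): one clean formula,
# one garbled in the style of the formula in the traceback above, one terminator.
SAMPLE_CELLS = {
    "Macro1!A1": '=ALERT("hello")',
    "Macro1!A2": "=FILᕖS(RY-ǟ067Ē]Cਡ2]'",  # constructed: non-ASCII junk where a NAME is expected
    "Macro1!A3": "=HALT()",
}

# Hypothetical minimal XLM token grammar; the real project uses a lark grammar instead.
TOKEN_RE = re.compile(
    r'(?P<NUMBER>\d+)'
    r'|(?P<STRING>"[^"]*")'
    r'|(?P<NAME>[A-Za-z_][A-Za-z0-9_.]*)'
    r'|(?P<OP>[()!,:+\-*/&=<>\[\]])'
)


class UnexpectedCharacter(Exception):
    """Raised when the tokenizer meets a character no rule accepts
    (the analogue of lark's UnexpectedCharacters)."""

    def __init__(self, char, col):
        super().__init__(f"no terminal defined for {char!r} at col {col}")
        self.char = char
        self.col = col  # 1-based, like lark's report


def tokenize(formula):
    """Split one XLM formula into (kind, text) tokens or raise UnexpectedCharacter."""
    tokens = []
    pos = 0
    while pos < len(formula):
        if formula[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(formula, pos)
        if m is None:
            raise UnexpectedCharacter(formula[pos], pos + 1)
        tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens


@dataclass
class Report:
    parsed: dict = field(default_factory=dict)  # cell address -> token list
    failed: dict = field(default_factory=dict)  # cell address -> error message


def deobfuscate_cells(cells):
    """Walk every macro cell; a parse failure is recorded per cell instead of
    aborting the whole run, so the analyst still sees the cells that did parse."""
    report = Report()
    for addr, formula in cells.items():
        try:
            report.parsed[addr] = tokenize(formula)
        except UnexpectedCharacter as exc:
            report.failed[addr] = str(exc)
    return report


if __name__ == "__main__":
    rep = deobfuscate_cells(SAMPLE_CELLS)
    for addr, toks in rep.parsed.items():
        print(addr, "->", " ".join(text for _, text in toks))
    for addr, err in rep.failed.items():
        print(addr, "FAILED:", err)
```

Running it reports Macro1!A2 as failed at col 5 (the position lark gives for 'ᕖ' above) while Macro1!A1 and Macro1!A3 are still tokenized, which is the behaviour one wants from the tool: a cell that Excel itself cannot evaluate should show up as a flagged failure in the output rather than as a traceback.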
No, it is not :)
To address a bug, I usually relax the exception handling in the code so I can see more details
I forgot to change it back before committing. It is fixed now.
👍
Small issue to report a failing case: the following sample's deobfuscation starts fine but fails at the end, see Pastebin: https://pastebin.com/aKaJsJ9K
bf12a0d2890df7f5f06d3262398ac457c985aac084a198cd360212da9275fbad.zip (password: infected)