DissectMalware / XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)
Apache License 2.0

Error: Unexpected token #55

Open johnmccash opened 3 years ago

johnmccash commented 3 years ago

When analyzing a malicious document with version 0.1.4, analysis proceeds until:

. . .
CELL:FE2492 , FullEvaluation , "=SET.VALUE(R17C1,0)"
CELL:FE2493 , FullEvaluation , FORMULA("=SET.VALUE(R17C1,0)",$A$35)
CELL:FE2494 , FullEvaluation , "="
CELL:FE2495 , FullEvaluation , "H"
CELL:FE2496 , FullEvaluation , "A"
CELL:FE2497 , FullEvaluation , "L"
CELL:FE2498 , FullEvaluation , "T"
CELL:FE2499 , FullEvaluation , "("
CELL:FE2500 , FullEvaluation , ")"
CELL:FE2501 , FullEvaluation , "=HALT()"
CELL:FE2502 , FullEvaluation , FORMULA("=HALT()",$A$36)
CELL:FE2503 , FullEvaluation , GOTO($A$1)
CELL:A1 , FullEvaluation , REGISTER("Kernel32","VirtualAlloc","JJJJJ","Valloc",,1,9)
CELL:A2 , FullEvaluation , REGISTER("Kernel32","WriteProcessMemory","JJJCJJ","WProcessMemory",,1,9)
CELL:A3 , FullEvaluation , REGISTER("Kernel32","CreateThread","JJJJJJJ","CThread",,1,9)
Error: Unexpected token Token(NUMBER, '6') at line 1, column 63. Expected one of:

[END of Deobfuscation] time elapsed: 4.017183065414429

If I load the dev version, I get a different error:

[Loading Cells]
[Starting Deobfuscation]
There is no entry point, please specify a cell address to start
Example: Sheet1!A1

but if I then give it the first cell of the document from the previous analysis, it seems to proceed through to the end, so I'm not sure if this bug is already fixed or not. If you need the file that causes the issue, I can email it, but I need an address to send it to.

I have a 2nd file that throws the following error for 0.1.4:

[Loading Cells]
auto_open: auto_open->qUKYONz;!$A$1
[Starting Deobfuscation]
CELL:A1 , PartialEvaluation , ACTIVATE("qUKYONz;")
Error: 'XLMInterpreter' object has no attribute 'parse_cell_address'
[END of Deobfuscation] time elapsed: 0.33858323097229004

and for the dev version, proceeds through for a while and then throws:

CELL:A12 , FullEvaluation , NEXT
CELL:A8 , FullEvaluation , WHILE($C$6=0.0) -> [False]
CELL:A13 , PartialEvaluation , qUKYONz;!$F$1("=REGISTER(CHAR(75)&CHAR(69)&CHAR(82)&CHAR(78)&CHAR(69)&CHAR(76)&""32"",CHAR(87)&CHAR(114)&CHAR(105)&CHAR(116)&CHAR(101)&CHAR(80)&CHAR(114)&""oces""&CHAR(115)&CHAR(77)&CHAR(101)&CHAR(109)&CHAR(111)&CHAR(114)&CHAR(121),""JJJCJE"",""viaBBg"",,1,9)")
Error [deobfuscator.py:1592 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token(COLON, ':') at line 1, column 30. Expected one of:

Files:

[END of Deobfuscation] time elapsed: 0.49591684341430664

This file, I can also email if you send me an address.

Thanks,
John
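An added example, not code from the XLMMacroDeobfuscator project: a small Python decoder for the CHAR()-and-literal concatenation used in the second error's REGISTER formula above, resolving its arguments to the DLL and export name the interpreter would otherwise have to evaluate. The sample is that formula with the doubled quotes of the enclosing FORMULA() string undone; the splitter and decoder names are my own.

```python
import re

# Constructed sample: the obfuscated REGISTER() call from the second error
# above, with the doubled quotes of the outer FORMULA() string already undone.
SAMPLE = ('=REGISTER(CHAR(75)&CHAR(69)&CHAR(82)&CHAR(78)&CHAR(69)&CHAR(76)&"32",'
          'CHAR(87)&CHAR(114)&CHAR(105)&CHAR(116)&CHAR(101)&CHAR(80)&CHAR(114)'
          '&"oces"&CHAR(115)&CHAR(77)&CHAR(101)&CHAR(109)&CHAR(111)&CHAR(114)'
          '&CHAR(121),"JJJCJE","viaBBg",,1,9)')

# One operand of an '&' chain: CHAR(n) or a string literal ("" escapes a quote).
TOKEN = re.compile(r'\s*(?:CHAR\((\d+)\)|"((?:[^"]|"")*)")\s*')


def split_top_level(s, sep):
    """Split s on sep, ignoring separators inside quotes or parentheses."""
    out, depth, in_str, start = [], 0, False, 0
    for i, ch in enumerate(s):
        if ch == '"':
            in_str = not in_str      # a doubled "" toggles twice, harmlessly
        elif not in_str:
            if ch == '(':
                depth += 1
            elif ch == ')':
                depth -= 1
            elif ch == sep and depth == 0:
                out.append(s[start:i])
                start = i + 1
    out.append(s[start:])
    return out


def decode_concat(expr):
    """Evaluate an expression made only of CHAR(n) calls and string literals
    joined by '&'. Returns None for anything else (numbers, empty args)."""
    pieces = []
    for part in split_top_level(expr, '&'):
        m = TOKEN.fullmatch(part)
        if m is None:
            return None
        pieces.append(chr(int(m.group(1))) if m.group(1) is not None
                      else m.group(2).replace('""', '"'))
    return ''.join(pieces)


def decode_register(formula):
    """Return the REGISTER() arguments with string obfuscation resolved;
    arguments that are not string expressions are kept verbatim."""
    body = formula.strip().lstrip('=')
    if not body.startswith('REGISTER(') or not body.endswith(')'):
        raise ValueError('not a REGISTER formula')
    args = split_top_level(body[len('REGISTER('):-1], ',')
    return [decode_concat(a) if decode_concat(a) is not None else a for a in args]
```

Running `decode_register(SAMPLE)` yields the DLL `KERNEL32` and export `WriteProcessMemory` as the first two arguments, with the type string, alias and numeric arguments following unchanged.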

DissectMalware commented 3 years ago

Can you give me the hash? If it is available on VirusTotal, can you upload it somewhere and send me the link via DM on Twitter (https://twitter.com/DissectMalware)?