DissectMalware / XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)
Apache License 2.0

failure to parse formula in xlsb file #60

Open enzok opened 3 years ago

enzok commented 3 years ago

This xlsb sample, ebbf15cc0bedec40e58146d369150ee3 (on VirusTotal), fails with the following error:

  File "/usr/local/lib/python3.6/dist-packages/XLMMacroDeobfuscator/deobfuscator.py", line 1954, in process_file
    excel_doc = XLSBWrapper(file_path)
  File "/usr/local/lib/python3.6/dist-packages/XLMMacroDeobfuscator/xlsb_wrapper.py", line 11, in __init__
    self._xlsb_workbook = open_workbook(xlsb_doc_path)
  File "/usr/local/lib/python3.6/dist-packages/pyxlsb2/__init__.py", line 27, in open_workbook
    return Workbook(XlsbPackage(name), *args, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/pyxlsb2/workbook.py", line 29, in __init__
    self._parse()
  File "/usr/local/lib/python3.6/dist-packages/pyxlsb2/workbook.py", line 67, in _parse
    rec.formula = Formula.parse(rec.formula_raw).stringify(self)
  File "/usr/local/lib/python3.6/dist-packages/pyxlsb2/formula.py", line 16, in stringify
    return tokens.pop().stringify(tokens, workbook)
IndexError: pop from empty list

enzok commented 3 years ago

rec = Name(name='dontdoit', formula_raw=b'\x1f\x00\x00\x80\xff\xff,\xc4\xc1', formula=None)

DissectMalware commented 3 years ago

This xlsb sample, ebbf15cc0bedec40e58146d369150ee3 (on VirusTotal), fails with the following error:

  File "/usr/local/lib/python3.6/dist-packages/XLMMacroDeobfuscator/deobfuscator.py", line 1954, in process_file
    excel_doc = XLSBWrapper(file_path)
  File "/usr/local/lib/python3.6/dist-packages/XLMMacroDeobfuscator/xlsb_wrapper.py", line 11, in __init__
    self._xlsb_workbook = open_workbook(xlsb_doc_path)
  File "/usr/local/lib/python3.6/dist-packages/pyxlsb2/__init__.py", line 27, in open_workbook
    return Workbook(XlsbPackage(name), *args, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/pyxlsb2/workbook.py", line 29, in __init__
    self._parse()
  File "/usr/local/lib/python3.6/dist-packages/pyxlsb2/workbook.py", line 67, in _parse
    rec.formula = Formula.parse(rec.formula_raw).stringify(self)
  File "/usr/local/lib/python3.6/dist-packages/pyxlsb2/formula.py", line 16, in stringify
    return tokens.pop().stringify(tokens, workbook)
IndexError: pop from empty list

Seems your pyxlsb2 is not the latest version. Can you update your pyxlsb2? Still you will get some errors...

I am working on pyxlsb2 to fix the issues.

enzok commented 3 years ago

I tried updating pyxlsb2, but it says already up to date.

enzok commented 3 years ago

ok updated using github master zip