DissectMalware / XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)
Apache License 2.0

xls_workbook.name_map does not contain static values #66

Closed stevengoossensB closed 3 years ago

stevengoossensB commented 3 years ago

The xls_workbook.name_map contains the names for all values that are set when loading the document. However, the value is parsed correctly only when the Operand type is oREF. I suppose this is an issue in the xlrd2 library already. Newer malware samples use these statically defined values as a parameter for the execution of the macro (e.g. as a counter for a while loop).


E.g. Sample: d6063921e36b12414d769eda7cf5715541d149e54168128ceeb800a05f9f2b3d 582e03fefa4da38ecedd2afc3625ed152f98854c986d95ca9b0aca8b7a3d260f

DissectMalware commented 3 years ago

This is fixed in the latest version of the xlmdeobfuscator and xlrd2.

Mainly in https://github.com/DissectMalware/XLMMacroDeobfuscator/commit/2d19c5561eb809e8d1ea90846b4777c396c65ef6

d6063921e36b12414d769eda7cf5715541d149e54168128ceeb800a05f9f2b3d:

image
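
For context on the issue above: in a BIFF8 .xls file each defined name is stored as a Lbl (NAME) record whose formula can be a reference token or a constant token, and an analyst needs both kinds resolved to follow a macro that reads a name as a loop counter. The following is an added example, not code from XLMMacroDeobfuscator or xlrd2; the record bytes are constructed, `classify`, `parse_lbl` and `make_lbl` are hypothetical helper names, and only single-token formulas are handled.

```python
import struct

# BIFF8 formula tokens (ptg) relevant to single-token defined names
PTG_STR, PTG_BOOL, PTG_INT, PTG_NUM = 0x17, 0x1D, 0x1E, 0x1F
PTG_REF3D = {0x3A, 0x5A, 0x7A}  # reference, value and array class variants

def classify(rgce: bytes):
    """Return (kind, value) for a single-token name formula."""
    if not rgce:
        return "other", None
    ptg, arg = rgce[0], rgce[1:]
    if ptg == PTG_INT and len(arg) == 2:
        return "const", struct.unpack("<H", arg)[0]
    if ptg == PTG_NUM and len(arg) == 8:
        return "const", struct.unpack("<d", arg)[0]
    if ptg == PTG_BOOL and len(arg) == 1:
        return "const", bool(arg[0])
    if ptg == PTG_STR and len(arg) >= 2:
        wide = arg[1] & 1
        if len(arg) - 2 == arg[0] * (2 if wide else 1):
            return "const", arg[2:].decode("utf-16-le" if wide else "latin-1")
    if ptg in PTG_REF3D and len(arg) == 6:
        ixti, row, col = struct.unpack("<HHH", arg)
        return "ref", (ixti, row, col & 0x3FFF)  # top two bits are relative flags
    return "other", None  # multi-token or unsupported formula

def parse_lbl(body: bytes):
    """Parse a BIFF8 Lbl record body into (name, kind, value)."""
    if len(body) < 15:
        raise ValueError("Lbl record too short")
    _flags, _key, cch, cce = struct.unpack_from("<HBBH", body, 0)
    wide = body[14] & 1  # bytes 6..13 are reserved fields and itab
    end = 15 + cch * (2 if wide else 1)
    if len(body) < end + cce:
        raise ValueError("Lbl record truncated")
    name = body[15:end].decode("utf-16-le" if wide else "latin-1")
    kind, value = classify(body[end:end + cce])
    return name, kind, value

def make_lbl(name: str, rgce: bytes) -> bytes:
    """Build a constructed Lbl body (sample input only)."""
    header = struct.pack("<HBBHHH4x", 0, 0, len(name), len(rgce), 0, 0)
    return header + b"\x00" + name.encode("latin-1") + rgce

# Constructed samples: a loop counter stored as a constant, and a cell reference
SAMPLES = [
    make_lbl("counter", b"\x1e" + struct.pack("<H", 5)),
    make_lbl("start", b"\x3a" + struct.pack("<HHH", 0, 9, 2)),
]
```

Names that come back as `"other"` hold multi-token formulas and need a full formula evaluator rather than this first-token check.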