DissectMalware / XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)
Apache License 2.0

Error during parse(formula): Unexpected token Token('STRING', '"&"') #98

Closed hnsrck closed 2 years ago

hnsrck commented 2 years ago

During the analysis of recent Emotet dropper files (xlsm, found via URLhaus), the following error occurs:

XLMMacroDeobfuscator(v0.2.0) - https://github.com/DissectMalware/XLMMacroDeobfuscator

File: /home/remnux/Downloads/FBHHK7R7M4HH0EFG.xlsm

Unencrypted xlsm file

[Loading Cells]
auto_open: auto_open->GOT!$C$1
[Starting Deobfuscation]
CELL:C21       , FullEvaluation      , False
Error [deobfuscator.py:2550 parse_tree = self.xlm_parser.parse(formula)]: 
                Unexpected token Token('STRING', '"&"') at line 1, column 49.
Expected one of: 
    * LIST_SEPARATOR
    * MULTIOP
    * R_PRA
    * CONCATOP
    * L_PRA
    * CMPOP
    * ADDITIVEOP
    * EXCLAMATION
Previous tokens: [Token('NAME', 'h')]

Files:

[END of Deobfuscation]
time elapsed: 0.8088746070861816

File was downloaded from https://urlhaus.abuse.ch/url/1856913/

Formula from cell C21:

=FORMULA('Scq1'!C11,'Scq2'!H3)=FORMULA('Scq2'!C11,'Scq3'!B3)=FORMULA('Scq3'!F9,'Scq4'!A8)=FORMULA('Scq4'!H4,'Scq5'!B13)=FORMULA('Scq5'!D7,'Scq6'!G11)=FORMULA('Scq6'!B2,'Scq1'!I7)=FORMULA('Gef2'!F3,C17)=FORMULA('Scq3'!B3&'Scq1'!I7&'Scq4'!A8&'Scq5'!B13&'Scq5'!B13&'Gef1'!B10&'Scq2'!H3&'Gef1'!D3&'Gef1'!E6&'Scq6'!G11&'Gef1'!C14&'Scq1'!I7&'Scq1'!I7&'Gef2'!D6,C30)=FORMULA('Scq3'!B3&'Fbe1'!H21&'Fbe1'!G23&'Fbe1'!R12&"EAEA"&'Fbe1'!R9&'Fbe1'!I8&'Fbe1'!R7&'Fbe1'!R11&'Scq1'!I7&'Scq4'!A8&'Scq5'!B13&'Scq5'!B13&'Gef1'!B10&'Scq2'!H3&'Gef1'!D3&'Gef1'!E6&'Scq6'!G11&'Gef1'!C14&'Scq1'!I7&'Scq1'!I7&'Gef2'!I2&'Fbe1'!R14,C32)=FORMULA('Scq3'!B3&'Fbe1'!H21&'Fbe1'!G23&'Fbe1'!R12&"EAEA1"&'Fbe1'!R9&'Fbe1'!I8&'Fbe1'!R7&'Fbe1'!R11&'Scq1'!I7&'Scq4'!A8&'Scq5'!B13&'Scq5'!B13&'Gef1'!B10&'Scq2'!H3&'Gef1'!D3&'Gef1'!E6&'Scq6'!G11&'Gef1'!C14&'Scq1'!I7&'Scq1'!I7&'Gef2'!M8&'Fbe1'!R14,C34)=FORMULA('Scq3'!B3&'Fbe1'!H21&'Fbe1'!G23&'Fbe1'!R12&"EAEA2"&'Fbe1'!R9&'Fbe1'!I8&'Fbe1'!R7&'Fbe1'!M20&'Fbe1'!K23&'Fbe1'!N24&'Fbe1'!P18&'Fbe1'!J7&'Fbe1'!R12&'Fbe1'!I8&'Fbe1'!R14&'Fbe1'!R7&'Fbe1'!R14,C36)=FORMULA('Scq3'!B3&'Fbe1'!K18&'Fbe1'!N15&'Fbe1'!K18&'Fbe1'!M20&'Fbe1'!R12&'Fbe1'!R16&'Scq1'!I7&'Fbe1'!R24&'Gef1'!O10&'Gef2'!R3&'Gef2'!B11&'Fbe1'!R11&'Gef1'!L15&'Fbe1'!R16&Fbbsib1!R18&"RFRF"&'Fbe1'!R14,C38)=FORMULA('Scq3'!B3&Fbbsib1!K54&Fbbsib1!K56&Fbbsib1!J58&Fbbsib1!M52&Fbbsib1!K54&Fbbsib1!M61&Fbbsib1!R12&Fbbsib1!R14,C42)
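The cell above is a chain of FORMULA(expr, target) calls in which each expr concatenates cross-sheet references and string literals with `&`, and earlier writes feed later reads ('Scq2'!H3 is written by the first call and read by later ones). As an added example, not code from XLMMacroDeobfuscator or from the sample, here is a small Python resolver for exactly that shape: it tokenizes the operands of a `&` chain (quoted and unquoted sheet references, `""`-escaped string literals, local references), evaluates each FORMULA() call left to right against an in-memory workbook, and reports a malformed token with its column, the way the error in the issue does, rather than aborting silently. The workbook contents, the chain and the active sheet name GOT are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional, Tuple

Workbook = Dict[str, Dict[str, str]]  # sheet name -> cell address -> cell text


class ParseError(ValueError):
    """Carries the column and a snippet, so a malformed formula is reported, not swallowed."""


# One operand of a concatenation: 'Quoted sheet'!A1, Sheet1!A1, "literal" or A1 on the active sheet.
OPERAND = re.compile(
    r"""'(?P<qsheet>[^']+)'!(?P<qref>\$?[A-Z]+\$?\d+)
      | (?P<usheet>[A-Za-z_][\w.]*)!(?P<uref>\$?[A-Z]+\$?\d+)
      | "(?P<lit>(?:[^"]|"")*)"
      | (?P<ref>\$?[A-Z]+\$?\d+)""",
    re.VERBOSE,
)


def tokenize_concat(expr: str) -> List[Tuple[str, Optional[str], str]]:
    """Split `a & 'S'!B2 & "c"` into ('lit', None, text) / ('ref', sheet_or_None, cell) tuples."""
    tokens, pos, want_operand = [], 0, True
    while pos < len(expr):
        if expr[pos].isspace():
            pos += 1
            continue
        if expr[pos] == "&" and not want_operand:
            want_operand, pos = True, pos + 1
            continue
        m = OPERAND.match(expr, pos) if want_operand else None
        if m is None:  # same class of failure the issue shows: a token where none is allowed
            raise ParseError(f"unexpected token at column {pos + 1}: {expr[pos:pos + 12]!r}")
        if m.group("lit") is not None:
            tokens.append(("lit", None, m.group("lit").replace('""', '"')))  # "" escapes a quote
        else:
            cell = (m.group("qref") or m.group("uref") or m.group("ref")).replace("$", "")
            tokens.append(("ref", m.group("qsheet") or m.group("usheet"), cell))
        want_operand, pos = False, m.end()
    if want_operand:
        raise ParseError("expression is empty or ends with '&'")
    return tokens


def evaluate_concat(expr: str, wb: Workbook, current_sheet: str) -> str:
    """Resolve every operand against the workbook; a missing or empty cell contributes ''."""
    return "".join(text if kind == "lit" else wb.get(sheet or current_sheet, {}).get(text, "")
                   for kind, sheet, text in tokenize_concat(expr))


def split_formula_chain(formula: str) -> List[Tuple[str, str]]:
    """Break '=FORMULA(expr,target)=FORMULA(...)' into (expr, target) pairs, honouring quotes."""
    calls, pos = [], 0
    while pos < len(formula):
        if not formula.startswith("=FORMULA(", pos):
            raise ParseError(f"expected =FORMULA( at column {pos + 1}: {formula[pos:pos + 12]!r}")
        pos += len("=FORMULA(")
        start, depth, quote = pos, 1, None
        while pos < len(formula) and depth:
            ch = formula[pos]
            if quote:  # inside "..." or '...' only the matching closing quote matters
                quote = None if ch == quote else quote
            elif ch in "\"'":
                quote = ch
            elif ch in "()":
                depth += 1 if ch == "(" else -1
            pos += 1
        if depth:
            raise ParseError("unterminated FORMULA( call")
        expr, sep, target = formula[start:pos - 1].rpartition(",")  # target is the last argument
        if not sep:
            raise ParseError("FORMULA() needs an expression and a target cell")
        calls.append((expr.strip(), target.strip()))
    return calls


def run_formula_chain(formula: str, wb: Workbook, current_sheet: str) -> List[Tuple[str, str]]:
    """Evaluate left to right, writing each result back so later steps can read it; returns the writes."""
    writes = []
    for expr, target in split_formula_chain(formula):
        value = evaluate_concat(expr, wb, current_sheet)
        tokens = tokenize_concat(target)
        if len(tokens) != 1 or tokens[0][0] != "ref":
            raise ParseError(f"FORMULA() target is not a single cell reference: {target!r}")
        sheet, cell = tokens[0][1] or current_sheet, tokens[0][2]
        wb.setdefault(sheet, {})[cell] = value
        writes.append((f"{sheet}!{cell}", value))
    return writes

# Constructed workbook and chain (not the issue's sample): step 1 copies a fragment into
# Scq2!H3, step 2 reads it back and completes the string in C30 of the active sheet.
SAMPLE_WORKBOOK: Workbook = {"Scq1": {"C11": "=EXEC("}, "Gef1": {"B10": '"'}, "Fbbsib1": {"R14": '")'}}
SAMPLE_CHAIN = ("=FORMULA('Scq1'!C11,'Scq2'!H3)"
                "=FORMULA('Scq2'!H3&'Gef1'!B10&\"calc\"&Fbbsib1!R14,C30)")

def demo() -> List[Tuple[str, str]]:
    wb = {s: dict(cells) for s, cells in SAMPLE_WORKBOOK.items()}  # copy, so demo() is repeatable
    return run_formula_chain(SAMPLE_CHAIN, wb, "GOT")
```

Calling demo() returns the two writes in order; the second call's read of 'Scq2'!H3 only resolves because the first call's write was applied to the same workbook, which is why chains like the one in this issue have to be emulated statefully, cell by cell, rather than evaluated as isolated expressions. A stray character between two operands (for example a letter glued onto a reference) surfaces as a ParseError naming the column, so the analyst can see which operand the grammar choked on.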
DissectMalware commented 2 years ago

Fixed in v0.2.2

instance: 33dc0546d60f496508e95293772364bf7e913d52ec3d606b326adff6cbfe7fd7
