DissectMalware / XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a. Excel 4.0 Macros)
Apache License 2.0

Bug in handling FORMULA.ARRAY formula #99

Closed DissectMalware closed 2 years ago

DissectMalware commented 2 years ago

Sample: 1c3418e2928e1e9a574877b7cceead25b5695f7c0dbfa9c1795393fa8e4e23f6

[Loading Cells]
auto_open: auto_open->EORF!$E$1
SHEET: Rgedwg, macrosheet
SHEET: EORF, macrosheet
CELL:E7, =FORMULA.ARRAY()=FORMULA.ARRAY(Buk1!C13, Buk2!G3)=FORMULA.ARRAY(Buk2!C12, Buk3!B7)=FORMULA()=FORMULA.ARRAY(Buk3!F5, Buk4!C2)=FORMULA.ARRAY(Buk4!H7, Buk5!H11)=FORMULA.ARRAY()=FORMULA(Buk5!A5, Buk6!J2)=FORMULA.ARRAY(Buk6!F11, Buk7!G12)=FORMULA.ARRAY(Buk7!D7, Buk8!B13)=FORMULA.ARRAY(Buk3!B7&Buk7!G12&Simb1!S9&Buk5!H11&Buk5!H11&Sburr11!B6&Buk8!B13&Sburr11!C9&Buk8!B13&Sburr11!D2&Buk8!B13&Sburr11!A3&Buk8!B13&Sburr11!B13&Buk7!G12&Sburr11!E4&Buk7!G12&Sburr11!G2, E18)=FORMULA.ARRAY(Buk3!B7&Buk7!G12&Simb1!S9&Buk5!H11&Buk5!H11&Sburr11!H7&Buk8!B13&Sburr11!J4&Sburr11!K8&Buk2!G3&Sburr11!M5&Buk6!J2&Sburr11!L13&Buk7!G12&Buk7!G12&Sbuur2!B9&Buk7!G12&Sbuur2!D2, E20)=FORMULA.ARRAY(Buk3!B7&Buk7!G12&Simb1!S9&Buk5!H11&Buk5!H11&Sburr11!H7&Buk8!B13&Sburr11!J4&Sburr11!K8&Buk2!G3&Sburr11!M5&Buk6!J2&Sburr11!L13&Buk7!G12&Buk7!G12&Sbuur2!F6&Buk7!G12&Sbuur2!H13, E22)=FORMULA.ARRAY(Buk3!B7&Buk7!G12&Simb1!S9&Buk5!H11&Buk5!H11&Sburr11!H7&Buk8!B13&Sburr11!J4&Sburr11!K8&Buk2!G3&Sburr11!M5&Buk6!J2&Sburr11!L13&Buk7!G12&Buk7!G12&Sbuur2!B15&Buk7!G12&Sbuur2!A4, E24)=FORMULA(Buk3!B7&Buk7!G12&Buk4!C2&Buk5!H11&Buk5!H11&Sburr11!Q1&Buk6!J2&Sburr11!R6&Buk6!J2&Sburr11!T2&Buk7!G12&Buk7!G12&Buk7!G12&Sbuur2!N7&Buk6!J2&Sburr11!Q12&Buk8!B13&Sburr11!S9&Buk8!B13&Sburr11!N15&Buk7!G12&Sbuur2!O12, E26)=FORMULA(Buk3!B7&Buk7!G12&Buk4!C2&Buk5!H11&Buk5!H11&Sburr11!Q1&Buk6!J2&Sburr11!R6&Buk6!J2&Sburr11!T2&Buk7!G12&Buk7!G12&Buk7!G12&Sbuur2!N7&Buk6!J2&Sburr11!Q12&Buk8!B13&Sburr11!S9&Buk8!B13&Sburr11!N15&Buk7!G12&Sbuur2!R1, E28)=FORMULA(Buk3!B7&Buk7!G12&Buk4!C2&Buk5!H11&Buk5!H11&Sburr11!Q1&Buk6!J2&Sburr11!R6&Buk6!J2&Sburr11!T2&Buk7!G12&Buk7!G12&Buk7!G12&Sbuur2!N7&Buk6!J2&Sburr11!Q12&Buk8!B13&Sburr11!S9&Buk8!B13&Sburr11!N15&Buk7!G12&Sbuur2!Q16, E30)=FORMULA(Simb1!S4&Simb1!M38&Simb1!M40&Simb1!M42&Simb1!M44&Simb1!M38&Simb1!L46&Simb1!S2&Simb1!S3, E34), True
SHEET: Buk1, macrosheet
CELL:C13, =CHAR(Simb1!D25), o
SHEET: Buk2, macrosheet
CELL:C12, =CHAR(Simb1!E31), =
SHEET: Buk3, macrosheet
CELL:F5, =CHAR(Simb1!G26), A
SHEET: Buk4, macrosheet
CELL:H7, =CHAR(Simb1!J25), L
SHEET: Buk5, macrosheet
CELL:A5, =CHAR(Simb1!N29), e
SHEET: Buk6, macrosheet
CELL:F11, =CHAR(Simb1!R27), C
SHEET: Buk7, macrosheet
CELL:D7, =CHAR(Simb1!S32), r
SHEET: Buk8, macrosheet

DissectMalware commented 2 years ago

Fixed in v0.2.2
