decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

Malicious XLS not detected by mraptor #638

Open J0xA0 opened 3 years ago

J0xA0 commented 3 years ago

Affected tool: mraptor

Describe the bug
mraptor is not able to identify the macro of an XLS file as suspicious.

File/Malware sample to reproduce the bug
doc_8650.zip (Password: infected)
SHA256: 486ac850901637cb0b0d80497df8c36ff9a83b1ba018bd6af635c93346d6f200 (doc_8650.xls)

How To Reproduce the bug
The file is an OLE-type Microsoft Excel file. When analysed via olevba it returns the following information:

$ olevba doc_8650.xls 
olevba 0.56 on Python 3.6.9 - http://decalage.info/python/oletools
===============================================================================
FILE: doc_8650.xls
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO xlm_macro.txt 
in file: xlm_macro - OLE stream: 'xlm_macro'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet1
' 0085     19 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - mFEYwgrRdEp
' 0018     24 LABEL : Cell Value, String Constant - adoJHChQH len=0 
' 0018     20 LABEL : Cell Value, String Constant - AgcMu len=0 
' 0018     24 LABEL : Cell Value, String Constant - arxMTaBqa len=0 
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet1!B278 
' 0018     24 LABEL : Cell Value, String Constant - awzJAxueX len=0 
' 0018     23 LABEL : Cell Value, String Constant - bdSmqoKG len=0 
' 0018     25 LABEL : Cell Value, String Constant - bvaBikjdsU len=0 
' 0018     23 LABEL : Cell Value, String Constant - cQfjmYlf len=0 
' 0018     26 LABEL : Cell Value, String Constant - dVVyrGmQRiq len=0 
' 0018     27 LABEL : Cell Value, String Constant - eirNUHxnGslI len=0 
' 0018     23 LABEL : Cell Value, String Constant - FYoNvovc len=0 
' 0018     24 LABEL : Cell Value, String Constant - IjLownRAj len=0 
' 0018     24 LABEL : Cell Value, String Constant - LtnUKGTXw len=0 
' 0018     22 LABEL : Cell Value, String Constant - mvAJyHR len=0 
' 0018     25 LABEL : Cell Value, String Constant - oibHvmnvll len=0 
' 0018     27 LABEL : Cell Value, String Constant - OuSZdjgXYjli len=0 
' 0018     24 LABEL : Cell Value, String Constant - Ozhekborr len=0 
' 0018     21 LABEL : Cell Value, String Constant - PccIEq len=0 
' 0018     20 LABEL : Cell Value, String Constant - TfYKh len=0 
' 0018     25 LABEL : Cell Value, String Constant - VjLCNGtiIp len=0 
' 0018     20 LABEL : Cell Value, String Constant - wqXUl len=0 
' 0018     27 LABEL : Cell Value, String Constant - WtQbwzyaaLPT len=0 
' 0018     23 LABEL : Cell Value, String Constant - XnZTLSqz len=0 
' 0018     25 LABEL : Cell Value, String Constant - ycmNtGsPXS len=0 
' 0018     24 LABEL : Cell Value, String Constant - zFskwvZzz len=0 
' 0018     20 LABEL : Cell Value, String Constant - ZKshO len=0 
' 0018     25 LABEL : Cell Value, String Constant - ZsuYROfbxY len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' mFEYwgrRdEp,B182,"SET.NAME("bdSmqoKG",0+INT(FALSE))",""
' mFEYwgrRdEp,B184,"SET.NAME("ZKshO",bdSmqoKG)",""
' mFEYwgrRdEp,B187,"SET.NAME("Ozhekborr",bdSmqoKG)",""
' mFEYwgrRdEp,B192,"SET.NAME("eirNUHxnGslI",ROWS(dVVyrGmQRiq))",""
' mFEYwgrRdEp,B196,"SET.NAME("FYoNvovc",ROWS(arxMTaBqa))",""
' mFEYwgrRdEp,B201,ZKshO,""
' mFEYwgrRdEp,B203,"SET.NAME("awzJAxueX","")",""
' mFEYwgrRdEp,B208,"ZKshO",""
' mFEYwgrRdEp,B210,"['"WtQbwzyaaLPT"', 'dVVyrGmQRiq']",""
' mFEYwgrRdEp,B215,"TfYKh",""
' mFEYwgrRdEp,B217,"SET.NAME("cQfjmYlf",bdSmqoKG)",""
' mFEYwgrRdEp,B222,[],""
' mFEYwgrRdEp,B226,"cQfjmYlf",""
' mFEYwgrRdEp,B229,"zFskwvZzz",""
' mFEYwgrRdEp,B231,"AgcMu",""
' mFEYwgrRdEp,B236,"adoJHChQH",""
' mFEYwgrRdEp,B241,"['"IjLownRAj"', 'arxMTaBqa']",""
' mFEYwgrRdEp,B243,"VjLCNGtiIp",""
' mFEYwgrRdEp,B247,"awzJAxueX",""
' mFEYwgrRdEp,B252,"Ozhekborr",""
' mFEYwgrRdEp,B257,NEXT(),""
' mFEYwgrRdEp,B260,"LtnUKGTXw",""
' mFEYwgrRdEp,B263,[],""
' mFEYwgrRdEp,B265,"oibHvmnvll",""
' mFEYwgrRdEp,B270,NEXT(),""
' mFEYwgrRdEp,B273,RETURN(),""
' mFEYwgrRdEp,B278,"SET.NAME("PccIEq",APP.MAXIMIZE())",""
' mFEYwgrRdEp,B280,"SET.NAME("mvAJyHR",GET.WORKSPACE(13)>770)",""
' mFEYwgrRdEp,B282,"SET.NAME("wqXUl",GET.WORKSPACE(14)>390)",""
' mFEYwgrRdEp,B284,"SET.NAME("ycmNtGsPXS",GET.WORKSPACE(42))",""
' mFEYwgrRdEp,B286,"SET.NAME("bvaBikjdsU",GET.WORKSPACE(31)=FALSE)",""
' mFEYwgrRdEp,B288,"SET.NAME("XnZTLSqz",GET.WORKSPACE(19))",""
' mFEYwgrRdEp,B290,"IF(AND(PccIEq,mvAJyHR,wqXUl,ycmNtGsPXS,bvaBikjdsU,XnZTLSqz),,HALT())",""
' mFEYwgrRdEp,B295,"SET.NAME("ZsuYROfbxY",B182)",""
' mFEYwgrRdEp,B299,"SET.NAME("dVVyrGmQRiq",R683C7)",""
' mFEYwgrRdEp,B303,"SET.NAME("arxMTaBqa",R1606C2)",""
' mFEYwgrRdEp,B307,"SET.NAME("oibHvmnvll",316)",""
' mFEYwgrRdEp,B311,"SET.NAME("OuSZdjgXYjli",2)",""
' mFEYwgrRdEp,B315,ZsuYROfbxY(),""
' mFEYwgrRdEp,B367,"SET.NAME("dVVyrGmQRiq",R1133C5)",""
' mFEYwgrRdEp,B369,"SET.NAME("arxMTaBqa",R1812C6)",""
' mFEYwgrRdEp,B374,"SET.NAME("oibHvmnvll",380)",""
' mFEYwgrRdEp,B376,"SET.NAME("OuSZdjgXYjli",2)",""
' mFEYwgrRdEp,B379,ZsuYROfbxY(),""
' mFEYwgrRdEp,B431,HALT(),""
' mFEYwgrRdEp,B1606,"",100.00000000000000000000
' mFEYwgrRdEp,B1607,"",110.00000000000000000000
' mFEYwgrRdEp,B1608,"",99.00000000000000000000
' mFEYwgrRdEp,B1609,"",110.00000000000000000000
' mFEYwgrRdEp,B1610,"",125.00000000000000000000
' mFEYwgrRdEp,B1611,"",127.00000000000000000000
' mFEYwgrRdEp,B1612,"",116.00000000000000000000
' mFEYwgrRdEp,B1613,"",131.00000000000000000000
' mFEYwgrRdEp,B1614,"",130.00000000000000000000
' mFEYwgrRdEp,B1615,"",103.00000000000000000000
' mFEYwgrRdEp,F1812,"",-498.00000000000000000000
' mFEYwgrRdEp,F1813,"",-80.00000000000000000000
' mFEYwgrRdEp,F1814,"",-731.00000000000000000000
' mFEYwgrRdEp,F1815,"",802.00000000000000000000
' mFEYwgrRdEp,F1816,"",695.00000000000000000000
' mFEYwgrRdEp,F1817,"",502.00000000000000000000
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Auto_Open           |Runs when the Excel Workbook is opened       |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+

But mraptor considers the file as not having suspicious macros:

$ mraptor doc_8650.xls 
MacroRaptor 0.56 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File                                                    
----------+-----+----+--------------------------------------------------------
Macro OK  |A--  |OLE:|doc_8650.xls                                            

Flags: A=AutoExec, W=Write, X=Execute
Exit code: 2 - Macro OK

Expected behavior
The expected behaviour would be for mraptor to consider the macro as suspicious.

Version information:

Additional context
Report in VT: https://www.virustotal.com/gui/file/486ac850901637cb0b0d80497df8c36ff9a83b1ba018bd6af635c93346d6f200/detection

decalage2 commented 3 years ago

Thanks a lot for reporting this. MRaptor is designed to analyse VBA macros, but XLM macros are quite different and cannot always be detected as malicious because they can be obfuscated more than VBA (emulation is often required to really see what they do). I'll have a look to see whether this XLM macro contains other keywords that could be detected by mraptor, but for now I don't see any in the output above.
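To make the point above concrete (mraptor scores keywords, and this XLM sheet exposes only Auto_Open to a keyword scan), here is an added example that is not part of the issue or of oletools: a small Python scanner run over a constructed subset of the olevba listing above. The keyword sets and the GET.WORKSPACE environment-probe heuristic are simplified assumptions written for this example, not mraptor's own patterns.

```python
import re

# Constructed sample: the Auto_Open built-in-name line and the environment-check
# block (cells B278..B290, B315, B431) copied from the olevba output in this
# issue. Only this subset of the report is reproduced here.
SAMPLE = """\
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Sheet1!B278
' Sheet,Reference,Formula,Value
' mFEYwgrRdEp,B278,"SET.NAME("PccIEq",APP.MAXIMIZE())",""
' mFEYwgrRdEp,B280,"SET.NAME("mvAJyHR",GET.WORKSPACE(13)>770)",""
' mFEYwgrRdEp,B282,"SET.NAME("wqXUl",GET.WORKSPACE(14)>390)",""
' mFEYwgrRdEp,B284,"SET.NAME("ycmNtGsPXS",GET.WORKSPACE(42))",""
' mFEYwgrRdEp,B286,"SET.NAME("bvaBikjdsU",GET.WORKSPACE(31)=FALSE)",""
' mFEYwgrRdEp,B288,"SET.NAME("XnZTLSqz",GET.WORKSPACE(19))",""
' mFEYwgrRdEp,B290,"IF(AND(PccIEq,mvAJyHR,wqXUl,ycmNtGsPXS,bvaBikjdsU,XnZTLSqz),,HALT())",""
' mFEYwgrRdEp,B315,ZsuYROfbxY(),""
' mFEYwgrRdEp,B431,HALT(),""
"""

# Simplified keyword sets standing in for mraptor's three flag categories.
# They are an approximation written for this example, not oletools' own regexes.
AUTOEXEC = re.compile(r"\b(?:Auto_?Open|Auto_?Close|Workbook_Open)\b", re.I)
WRITE = re.compile(r"\b(?:FileCopy|CreateTextFile|URLDownloadToFileA?|SaveAs|WriteText|SaveToFile)\b", re.I)
EXECUTE = re.compile(r"\b(?:Shell|CreateObject|GetObject|EXEC|REGISTER|CALL|RUN|ExecuteExcel4Macro)\b", re.I)
# XLM-specific signal that the keyword flags do not score: GET.WORKSPACE/GET.WINDOW
# probes, which let a sheet halt itself unless it runs on a real desktop session.
ENVCHECK = re.compile(r"\bGET\.(?:WORKSPACE|WINDOW|DOCUMENT)\s*\(", re.I)

def scan_xlm_report(text):
    """Scan olevba's XLM listing line by line.
    Returns (flags, hits, env_checks): flags is the mraptor-style 'AWX' string
    with '-' for absent categories, hits lists (line_no, flag, keyword), and
    env_checks counts GET.* environment probes."""
    found = {"A": False, "W": False, "X": False}
    hits, env_checks = [], 0
    for n, line in enumerate(text.splitlines(), 1):
        for flag, rx in (("A", AUTOEXEC), ("W", WRITE), ("X", EXECUTE)):
            for m in rx.finditer(line):
                found[flag] = True
                hits.append((n, flag, m.group(0)))
        env_checks += len(ENVCHECK.findall(line))
    flags = "".join(f if found[f] else "-" for f in "AWX")
    return flags, hits, env_checks

def verdict(flags, env_checks):
    """mraptor's rule is AutoExec combined with Write or Execute; this sample
    only yields 'A--', so it stays 'Macro OK'. The environment-probe count is
    reported separately so an analyst can route the file to emulation."""
    if flags[0] == "A" and (flags[1] == "W" or flags[2] == "X"):
        return "SUSPICIOUS"
    if flags[0] == "A" and env_checks >= 3:
        return "REVIEW: AutoExec with %d environment probes" % env_checks
    return "Macro OK"

if __name__ == "__main__":
    flags, hits, env = scan_xlm_report(SAMPLE)
    print(flags, hits, env)
    print(verdict(flags, env))
```

Because the real payload cells are reached through names resolved at run time (ZsuYROfbxY(), SET.NAME), no Write or Execute keyword is visible to a static scan; the environment-probe count is the only cheap extra signal this listing offers.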