decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

XLM not detected in XLSX (OOXML) #754

Open randubin opened 2 years ago

randubin commented 2 years ago

Affected tool: olevba, oleid, etc.

Describe the bug
OLEVBA/OLEID do not detect XLM macro.

File/Malware sample to reproduce the bug
https://bazaar.abuse.ch/sample/fd2715285ac147b7dd78ba66a184d1016af1d54f1be7a789f231a69143298840/

How To Reproduce the bug
xlmdeobfuscator --defined-names -f fd2715285ac147b7dd78ba66a184d1016af1d54f1be7a789f231a69143298840.xlsx
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)


XLMMacroDeobfuscator(v0.2.5) - https://github.com/DissectMalware/XLMMacroDeobfuscator

File: fd2715285ac147b7dd78ba66a184d1016af1d54f1be7a789f231a69143298840.xlsx

Unencrypted document or unsupported file format
Unencrypted xlsb file

[Loading Cells]
auto_open: auto_open->LKGEEV!$D$1
[Defined Names]
_xlfn.arabic --> ('_xlfn.arabic', '#NAME?')
qqdq --> ('qqdq', 'LKGEEV!$D$10')
qqdq1 --> ('qqdq1', 'LKGEEV!$D$12')
qqdq2 --> ('qqdq2', 'LKGEEV!$D$14')
qqdq3 --> ('qqdq3', 'LKGEEV!$D$16')
qqdq4 --> ('qqdq4', 'LKGEEV!$D$18')
qqdq5 --> ('qqdq5', 'LKGEEV!$D$20')
qqdq6 --> ('qqdq6', 'LKGEEV!$D$22')
qqdq7 --> ('qqdq7', 'LKGEEV!$D$28')
auto_open --> ('auto_open', 'LKGEEV!$D$1')
[Starting Deobfuscation]
CELL:D7 , FullEvaluation , "True"
CELL:D10 , FullEvaluation , CALL("Kernel32","CreateDirectoryA","JCJ","C:\Bduc",0)
Error [deobfuscator.py:2586 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token('NAME', 'JJCCBB') at line 1, column 37. Expected one of:

OLEVBA:
olevba -l debug fd2715285ac147b7dd78ba66a184d1016af1d54f1be7a789f231a69143298840.xlsx
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
olevba 0.60.1.dev6 on Python 3.8.8 - http://decalage.info/python/oletools
DEBUG ftguess: file type=OpenXML file - container=OpenXML
INFO Opening ZIP/OpenXML file fd2715285ac147b7dd78ba66a184d1016af1d54f1be7a789f231a69143298840.xlsx
DEBUG OpenXML subfile [Content_Types].xml
DEBUG OpenXML subfile _rels/.rels
DEBUG OpenXML subfile xl/_rels/workbook.bin.rels
DEBUG OpenXML subfile xl/workbook.bin
DEBUG OpenXML subfile xl/worksheets/sheet1.bin
DEBUG OpenXML subfile xl/worksheets/sheet2.bin
DEBUG OpenXML subfile xl/worksheets/sheet3.bin
DEBUG OpenXML subfile xl/worksheets/sheet4.bin
DEBUG OpenXML subfile xl/macrosheets/intlsheet1.bin
DEBUG OpenXML subfile xl/macrosheets/sheet1.bin
DEBUG OpenXML subfile xl/macrosheets/sheet2.bin
DEBUG OpenXML subfile xl/theme/theme1.xml
DEBUG OpenXML subfile xl/media/image1.png
DEBUG OpenXML subfile xl/styles.bin
DEBUG OpenXML subfile xl/drawings/drawing1.xml
DEBUG OpenXML subfile xl/worksheets/_rels/sheet1.bin.rels
DEBUG OpenXML subfile xl/worksheets/_rels/sheet2.bin.rels
DEBUG OpenXML subfile xl/worksheets/_rels/sheet3.bin.rels
DEBUG OpenXML subfile xl/worksheets/_rels/sheet4.bin.rels
DEBUG OpenXML subfile xl/macrosheets/_rels/intlsheet1.bin.rels
DEBUG OpenXML subfile xl/macrosheets/_rels/sheet1.bin.rels
DEBUG OpenXML subfile xl/macrosheets/_rels/sheet2.bin.rels
DEBUG OpenXML subfile xl/drawings/_rels/drawing1.xml.rels
DEBUG OpenXML subfile xl/sharedStrings.bin
DEBUG OpenXML subfile xl/worksheets/binaryIndex1.bin
DEBUG OpenXML subfile xl/worksheets/binaryIndex2.bin
DEBUG OpenXML subfile xl/worksheets/binaryIndex3.bin
DEBUG OpenXML subfile xl/worksheets/binaryIndex4.bin
DEBUG OpenXML subfile xl/macrosheets/binaryIndex1.bin
DEBUG OpenXML subfile xl/macrosheets/binaryIndex2.bin
DEBUG OpenXML subfile xl/macrosheets/binaryIndex3.bin
DEBUG OpenXML subfile xl/printerSettings/printerSettings1.bin
DEBUG OpenXML subfile xl/printerSettings/printerSettings2.bin
DEBUG OpenXML subfile xl/calcChain.bin
DEBUG OpenXML subfile docProps/core.xml
DEBUG OpenXML subfile docProps/app.xml

FILE: fd2715285ac147b7dd78ba66a184d1016af1d54f1be7a789f231a69143298840.xlsx
Type: OpenXML
DEBUG detect vba macros
DEBUG detect xlm macros
No VBA or XLM macros found.

DEBUG Checking for encryption (normal)
DEBUG Checking for encryption using msoffcrypto
INFO msoffcrypto failed to parse file or determine whether it is encrypted: Unencrypted document or unsupported file format
DEBUG Checking for encryption in zip file
DEBUG no encryption detected
DEBUG will exit now with code 0




Additional context
Maybe related to this one: https://github.com/DissectMalware/XLMMacroDeobfuscator/issues/108
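Added example, not oletools code and not from the reporter: the olevba debug listing above walks xl/workbook.bin and xl/macrosheets/*.bin parts (XLSB-style binary parts inside a container named .xlsx) and still reports no XLM, so this checker flags macro-sheet parts by path regardless of whether they are .xml or .bin. The zip members are constructed from that listing with placeholder bodies; only the part names are examined.

```python
import io
import zipfile
from dataclasses import dataclass

MACROSHEET_DIR = "xl/macrosheets/"
# Constructed member lists (placeholder bodies, no real content), modelled on
# the olevba debug listing in the issue: an "xlsx" whose parts are XLSB .bin.
XLSB_IN_XLSX_MEMBERS = [
    "[Content_Types].xml", "_rels/.rels", "xl/workbook.bin",
    "xl/worksheets/sheet1.bin", "xl/macrosheets/intlsheet1.bin",
    "xl/macrosheets/sheet1.bin", "xl/macrosheets/sheet2.bin",
    "xl/macrosheets/_rels/sheet1.bin.rels", "xl/macrosheets/binaryIndex1.bin",
]
# A plain xlsx with ordinary XML parts and no macro sheets, for comparison.
PLAIN_XLSX_MEMBERS = ["[Content_Types].xml", "_rels/.rels",
                      "xl/workbook.xml", "xl/worksheets/sheet1.xml"]

def build_zip(members):
    # In-memory OOXML-shaped zip; bodies are placeholders, only paths matter.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()

@dataclass
class XlmScan:
    workbook_format: str   # "xml" (xlsx parts) or "binary" (xlsb parts)
    macrosheets: list      # parts that are Excel 4.0 (XLM) macro sheets

    @property
    def has_xlm(self):
        return bool(self.macrosheets)

def scan_xlm_parts(data):
    # Flag XLM macro sheets by part path, whatever the part extension is.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    # XLSB parts inside a .xlsx-named container show up as xl/workbook.bin
    fmt = "binary" if "xl/workbook.bin" in names else "xml"
    sheets = []
    for name in names:
        if not name.startswith(MACROSHEET_DIR) or "/_rels/" in name:
            continue
        base = name[len(MACROSHEET_DIR):]
        # binaryIndex*.bin are XLSB index parts, not macro sheets themselves
        if "/" in base or base.startswith("binaryIndex"):
            continue
        if base.endswith((".xml", ".bin")):
            sheets.append(name)
    return XlmScan(fmt, sorted(sheets))
```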