oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
Affected tool: olevba, oleid, etc
Describe the bug
A clear and concise description of what the bug is.
OLEVBA/OLEID do not detect XLM macros.

File/Malware sample to reproduce the bug
https://bazaar.abuse.ch/sample/fd2715285ac147b7dd78ba66a184d1016af1d54f1be7a789f231a69143298840/

How To Reproduce the bug
xlmdeobfuscator --defined-names -f fd2715285ac147b7dd78ba66a184d1016af1d54f1be7a789f231a69143298840.xlsx
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
XLMMacroDeobfuscator(v0.2.5) - https://github.com/DissectMalware/XLMMacroDeobfuscator
File: fd2715285ac147b7dd78ba66a184d1016af1d54f1be7a789f231a69143298840.xlsx
Unencrypted document or unsupported file format
Unencrypted xlsb file
[Loading Cells]
auto_open: auto_open->LKGEEV!$D$1
[Defined Names]
_xlfn.arabic --> ('_xlfn.arabic', '#NAME?')
qqdq --> ('qqdq', 'LKGEEV!$D$10')
qqdq1 --> ('qqdq1', 'LKGEEV!$D$12')
qqdq2 --> ('qqdq2', 'LKGEEV!$D$14')
qqdq3 --> ('qqdq3', 'LKGEEV!$D$16')
qqdq4 --> ('qqdq4', 'LKGEEV!$D$18')
qqdq5 --> ('qqdq5', 'LKGEEV!$D$20')
qqdq6 --> ('qqdq6', 'LKGEEV!$D$22')
qqdq7 --> ('qqdq7', 'LKGEEV!$D$28')
auto_open --> ('auto_open', 'LKGEEV!$D$1')
[Starting Deobfuscation]
CELL:D7 , FullEvaluation , "True"
CELL:D10 , FullEvaluation , CALL("Kernel32","CreateDirectoryA","JCJ","C:\Bduc",0)
Error [deobfuscator.py:2586 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token('NAME', 'JJCCBB') at line 1, column 37. Expected one of:
OLEVBA:
olevba -l debug fd2715285ac147b7dd78ba66a184d1016af1d54f1be7a789f231a69143298840.xlsx
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
olevba 0.60.1.dev6 on Python 3.8.8 - http://decalage.info/python/oletools
DEBUG ftguess: file type=OpenXML file - container=OpenXML
INFO Opening ZIP/OpenXML file fd2715285ac147b7dd78ba66a184d1016af1d54f1be7a789f231a69143298840.xlsx
DEBUG OpenXML subfile [Content_Types].xml
DEBUG OpenXML subfile _rels/.rels
DEBUG OpenXML subfile xl/_rels/workbook.bin.rels
DEBUG OpenXML subfile xl/workbook.bin
DEBUG OpenXML subfile xl/worksheets/sheet1.bin
DEBUG OpenXML subfile xl/worksheets/sheet2.bin
DEBUG OpenXML subfile xl/worksheets/sheet3.bin
DEBUG OpenXML subfile xl/worksheets/sheet4.bin
DEBUG OpenXML subfile xl/macrosheets/intlsheet1.bin
DEBUG OpenXML subfile xl/macrosheets/sheet1.bin
DEBUG OpenXML subfile xl/macrosheets/sheet2.bin
DEBUG OpenXML subfile xl/theme/theme1.xml
DEBUG OpenXML subfile xl/media/image1.png
DEBUG OpenXML subfile xl/styles.bin
DEBUG OpenXML subfile xl/drawings/drawing1.xml
DEBUG OpenXML subfile xl/worksheets/_rels/sheet1.bin.rels
DEBUG OpenXML subfile xl/worksheets/_rels/sheet2.bin.rels
DEBUG OpenXML subfile xl/worksheets/_rels/sheet3.bin.rels
DEBUG OpenXML subfile xl/worksheets/_rels/sheet4.bin.rels
DEBUG OpenXML subfile xl/macrosheets/_rels/intlsheet1.bin.rels
DEBUG OpenXML subfile xl/macrosheets/_rels/sheet1.bin.rels
DEBUG OpenXML subfile xl/macrosheets/_rels/sheet2.bin.rels
DEBUG OpenXML subfile xl/drawings/_rels/drawing1.xml.rels
DEBUG OpenXML subfile xl/sharedStrings.bin
DEBUG OpenXML subfile xl/worksheets/binaryIndex1.bin
DEBUG OpenXML subfile xl/worksheets/binaryIndex2.bin
DEBUG OpenXML subfile xl/worksheets/binaryIndex3.bin
DEBUG OpenXML subfile xl/worksheets/binaryIndex4.bin
DEBUG OpenXML subfile xl/macrosheets/binaryIndex1.bin
DEBUG OpenXML subfile xl/macrosheets/binaryIndex2.bin
DEBUG OpenXML subfile xl/macrosheets/binaryIndex3.bin
DEBUG OpenXML subfile xl/printerSettings/printerSettings1.bin
DEBUG OpenXML subfile xl/printerSettings/printerSettings2.bin
DEBUG OpenXML subfile xl/calcChain.bin
DEBUG OpenXML subfile docProps/core.xml
DEBUG OpenXML subfile docProps/app.xml
FILE: fd2715285ac147b7dd78ba66a184d1016af1d54f1be7a789f231a69143298840.xlsx
Type: OpenXML
DEBUG detect vba macros
DEBUG detect xlm macros
No VBA or XLM macros found.
DEBUG Checking for encryption (normal)
DEBUG Checking for encryption using msoffcrypto
INFO msoffcrypto failed to parse file or determine whether it is encrypted: Unencrypted document or unsupported file format
DEBUG Checking for encryption in zip file
DEBUG no encryption detected
DEBUG will exit now with code 0
Expected behavior
A clear and concise description of what you expected to happen.

Console output / Screenshots
If applicable, add screenshots to help explain your problem.
Use the option "-l debug" to add debugging information, if possible.
Version information:
Additional context
Maybe related to this one: https://github.com/DissectMalware/XLMMacroDeobfuscator/issues/108
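As an added example (not olevba's or oleid's own code), a minimal zip-part check that flags XLM macro sheets whether the workbook is XML-based or a binary xlsb container, keyed on the subfile names listed in the olevba debug output above rather than on the misleading .xlsx extension. The sample archive is constructed in memory with empty parts and is not the real sample.

```python
import io
import re
import zipfile

# XLM macro sheet parts live under xl/macrosheets/: sheetN.xml in .xlsm
# workbooks, sheetN.bin in binary .xlsb workbooks. intlsheetN.* parts are
# international macro sheets and carry the same risk.
MACROSHEET_RE = re.compile(r"^xl/macrosheets/(intl)?sheet\d+\.(xml|bin)$", re.IGNORECASE)


def triage_openxml(zip_bytes: bytes) -> dict:
    """Return the container flavour and any XLM macro sheet parts in an OOXML zip."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    # xlsb workbooks ship xl/workbook.bin instead of xl/workbook.xml,
    # regardless of the file extension the sample was saved with.
    is_xlsb = "xl/workbook.bin" in names
    macrosheets = sorted(n for n in names if MACROSHEET_RE.match(n))
    return {
        "container": "xlsb" if is_xlsb else "xlsx/xlsm",
        "macrosheets": macrosheets,
        "has_xlm": bool(macrosheets),
    }


def build_sample_archive(part_names) -> bytes:
    """Constructed stand-in archive: same part names as the report, empty contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in part_names:
            zf.writestr(name, b"")
    return buf.getvalue()


# Subset of the part names from the olevba debug output in the report.
SAMPLE_PARTS = [
    "[Content_Types].xml",
    "_rels/.rels",
    "xl/workbook.bin",
    "xl/worksheets/sheet1.bin",
    "xl/macrosheets/intlsheet1.bin",
    "xl/macrosheets/sheet1.bin",
    "xl/macrosheets/sheet2.bin",
    "xl/sharedStrings.bin",
]

if __name__ == "__main__":
    print(triage_openxml(build_sample_archive(SAMPLE_PARTS)))
```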