Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unexpected Token #108

Closed
jhhcs opened this issue Mar 14, 2022 · 8 comments · Fixed by #110
Closed

Unexpected Token #108

jhhcs opened this issue Mar 14, 2022 · 8 comments · Fixed by #110

Comments

@jhhcs
Copy link

jhhcs commented Mar 14, 2022

This might be related to #101, and could be duplicate of #107 or #106; The following sample causes an unexpected token error with version 0.2.5 of XLMMacroDeobfuscator:

https://bazaar.abuse.ch/sample/218f8fb236a36cf6cfdd9b0f9544f98580ead944b1811744721eb22a7d1c9529/
@baderj
Copy link

baderj commented Mar 14, 2022

I think this could be related to #107. In my opinion, the problem is here:

=FORMULA(С1!C15,С2!F3)
         ^
Expected one of: 
        * ROW
        * /\$?([a-qs-z][a-z]?)\$?\d+\b|\$?(r[a-bd-z]?)\$?\d+\b(?!C)/i
        * STRING
        * BOOLEAN
        * LIST_SEPARATOR
        * ERROR
        * EXCLAMATION
        * LBRACE
        * NAME
        * QUOTE
        * NUMBER
        * L_PRA
        * R_PRA

C1 is a valid R1C1 cell reference. I think it is not valid to use that as a sheet name without quotes (so FORMULA('С1'!C15,'С2'!F3). At least when entering such Formulas, the quotes are automatically added.

But QBot also uses multiple FORMULA statements stringed together

=FORMULA()=FORMULA(Fe1!E14, Fe2!I4)=FORMULA()=FORMULA(Fe2!E17, Fe1!B4)=FORMULA(Vvfrb ....

so maybe Excel only uses the right most FORMULA and it does not matter that the rest contain invalid sheet names.

@kirk-sayre-work
Copy link

Here's another sample that fails on the same line of code with an unexpected token error:

https://bazaar.abuse.ch/sample/ffa61432d63f42221525dfbe252af32ec4b697e41b23cfa7ff23c97589b0463d/

Both of these samples are recent Emotet samples.

@randubin
Copy link

Quakbot similar problem I think:
https://bazaar.abuse.ch/sample/fd2715285ac147b7dd78ba66a184d1016af1d54f1be7a789f231a69143298840/
CELL:D7 , FullEvaluation , "True"
CELL:D10 , FullEvaluation , CALL("Kernel32","CreateDirectoryA","JCJ","C:\Bduc",0)
Error [deobfuscator.py:2586 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token('NAME', 'JJCCBB') at line 1, column 37.
Expected one of:
* R_PRA
* MULTIOP
* CMPOP
* LIST_SEPARATOR
* L_PRA
* ADDITIVEOP
* CONCATOP
Previous tokens: [Token('STRING', '"URLDownloadToFileA,"')]

@randubin randubin mentioned this issue Mar 22, 2022
Open
@pyvain
Copy link

pyvain commented Apr 15, 2022

Similar issue with this sample:
https://www.joesandbox.com/analysis/608746/0/html

Execution trace

CELL:H10       , FullEvaluation      , False
CELL:H13       , FullEvaluation      , CALL("Kernel32","CreateDirectoryA","JCJ","C:\Uduw",0)
Error [deobfuscator.py:2587 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token('NAME', 'JJCCBB') at line 1, column 37.
Expected one of: 
	* MULTIOP
	* ADDITIVEOP
	* CMPOP
	* CONCATOP
	* R_PRA
	* L_PRA
	* LIST_SEPARATOR
Previous tokens: [Token('STRING', '"URLDownloadToFileA,"')]

Suspected issue

One of the cell values (namely cell Vehsrg!I16) which is concatenated to create part of the formula starts and ends with quotes. As shown in this screenshot after execution in Excel:
capture2

The value of this cell is itself the result of the execution of an other formula.

But for some reason I can't figure, the value seems to be unwrapped and quotes are lost when building the final formula:
capture

Thanks for your awesome tool 🙂

@pyvain pyvain mentioned this issue Apr 16, 2022
Merged
@baderj
Copy link

baderj commented May 9, 2022

The original issue with Unexpected Token is not fixed. Here is the output for the sample posted by jhhcs:

python3 deobfuscator.py --file 218f8fb236a36cf6cfdd9b0f9544f98580ead944b1811744721eb22a7d1c9529.xlsm
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)

          _        _______
|\     /|( \      (       )
( \   / )| (      | () () |
 \ (_) / | |      | || || |
  ) _ (  | |      | |(_)| |
 / ( ) \ | |      | |   | |
( /   \ )| (____/\| )   ( |
|/     \|(_______/|/     \|
   ______   _______  _______  ______   _______           _______  _______  _______ _________ _______  _______
  (  __  \ (  ____ \(  ___  )(  ___ \ (  ____ \|\     /|(  ____ \(  ____ \(  ___  )\__   __/(  ___  )(  ____ )
  | (  \  )| (    \/| (   ) || (   ) )| (    \/| )   ( || (    \/| (    \/| (   ) |   ) (   | (   ) || (    )|
  | |   ) || (__    | |   | || (__/ / | (__    | |   | || (_____ | |      | (___) |   | |   | |   | || (____)|
  | |   | ||  __)   | |   | ||  __ (  |  __)   | |   | |(_____  )| |      |  ___  |   | |   | |   | ||     __)
  | |   ) || (      | |   | || (  \ \ | (      | |   | |      ) || |      | (   ) |   | |   | |   | || (\ (
  | (__/  )| (____/\| (___) || )___) )| )      | (___) |/\____) || (____/\| )   ( |   | |   | (___) || ) \ \__
  (______/ (_______/(_______)|/ \___/ |/       (_______)\_______)(_______/|/     \|   )_(   (_______)|/   \__/

    
XLMMacroDeobfuscator(v0.2.5) - https://github.com/DissectMalware/XLMMacroDeobfuscator

File: 218f8fb236a36cf6cfdd9b0f9544f98580ead944b1811744721eb22a7d1c9529.xlsm

Unencrypted document or unsupported file format
Unencrypted xlsm file

[Loading Cells]
auto_open: auto_open->PFEV!$B$1
[Starting Deobfuscation]
Error [deobfuscator.py:2586 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token('__ANON_0', 'С1!C15,С2!F3)=FORMULA(Rvfs1!P22&Rvfs1!H9&Rvfs1!L2&Rvfs1!B15&Rvfs1!B15&Rvfs2!C7&Rvfs2!D11&Rvfs2!E3&С2!F3&Rvfs1!L2&Rvfs2!G5&Rvfs2!I9&Rvfs2!F19&Rvfs3!N14&Rvfs3!E16,B7)=FORMULA(Rvfs1!P22&Rvfs1!J11&Rvfs1!B18&Rvfs1!P11&"UDYQ1"&Rvfs3!N4&Rvfs1!H9&Rvfs1!L2&Rvfs1!B15&Rvfs1!B15&Rvfs2!C7&Rvfs2!D11&Rvfs2!E3&С2!F3&Rvfs1!L2&Rvfs2!G5&Rvfs2!I9&Rvfs2!G21&Rvfs3!N14&Rvfs3!E16&Rvfs1!P13,B9)=FORMULA(Rvfs1!P22&Rvfs1!J11&Rvfs1!B18&Rvfs1!P11&"UDYQ2"&Rvfs3!N4&Rvfs1!H9&Rvfs1!L2&Rvfs1!B15&Rvfs1!B15&Rvfs2!C7&Rvfs2!D11&Rvfs2!E3&С2!F3&Rvfs1!L2&Rvfs2!G5&Rvfs2!I9&Rvfs2!H19&Rvfs3!N14&Rvfs3!E16&Rvfs1!P13,B11)=FORMULA(Rvfs1!P22&Rvfs1!J11&Rvfs1!B18&Rvfs1!P11&"UDYQ3"&Rvfs3!N4&Rvfs1!H9&Rvfs1!L2&Rvfs1!B15&Rvfs1!B15&Rvfs2!C7&Rvfs2!D11&Rvfs2!E3&С2!F3&Rvfs1!L2&Rvfs2!G5&Rvfs2!I9&Rvfs2!I21&Rvfs3!N14&Rvfs3!E16&Rvfs1!P13,B13)=FORMULA(Rvfs1!P22&Rvfs1!J11&Rvfs1!B18&Rvfs1!P11&"UDYQ4"&Rvfs3!N4&Rvfs1!H9&Rvfs1!L2&Rvfs1!B15&Rvfs1!B15&Rvfs2!C7&Rvfs2!D11&Rvfs2!E3&С2!F3&Rvfs1!L2&Rvfs2!G5&Rvfs2!I9&Rvfs2!J19&Rvfs3!N14&Rvfs3!E16&Rvfs1!P13,B15)=FORMULA(Rvfs1!P22&Rvfs1!J11&Rvfs1!B18&Rvfs1!P11&"UDYQ5"&Rvfs3!N4&Rvfs1!H9&Rvfs1!L2&Rvfs1!B15&Rvfs1!B15&Rvfs2!C7&Rvfs2!D11&Rvfs2!E3&С2!F3&Rvfs1!L2&Rvfs2!G5&Rvfs2!I9&Rvfs2!K21&Rvfs3!N14&Rvfs3!E16&Rvfs1!P13,B17)=FORMULA(Rvfs1!P22&Rvfs1!J11&Rvfs1!B18&Rvfs1!P11&"UDYQ6"&Rvfs3!N4&Rvfs1!H9&Rvfs1!L2&Rvfs1!B15&Rvfs1!B15&Rvfs2!C7&Rvfs2!D11&Rvfs2!E3&С2!F3&Rvfs1!L2&Rvfs2!G5&Rvfs2!I9&Rvfs2!L19&Rvfs3!N14&Rvfs3!E16&Rvfs1!P13,B19)=FORMULA(Rvfs1!P22&Rvfs1!J11&Rvfs1!B18&Rvfs1!P11&"UDYQ7"&Rvfs3!N4&Rvfs1!H9&Rvfs1!B15&Rvfs1!I17&Rvfs1!I3&Rvfs1!H13&Rvfs1!P11&Rvfs1!K9&Rvfs1!P13&Rvfs1!P7&Rvfs1!P13,B21)=FORMULA(Rvfs1!P22&Rvfs1!H13&Rvfs1!N4&Rvfs1!H13&Rvfs1!H9&Rvfs1!P11&Rvfs1!P15&Rvfs1!H9&Rvfs1!P20&Rvfs3!D3&Rvfs3!J6&Rvfs3!F11&Rvfs3!P8&Rvfs3!B5&Rvfs1!P15&Rvfs1!P13,B23)=FORMULA(Rvfs1!P22&Rvfs1!F4&Rvfs1!H13&Rvfs1!E6&Rvfs1!E11&Rvfs1!F4&Rvfs1!K23&Rvfs1!P11&Rvfs1!P13,B31)') at line 1, column 10.
Expected one of: 
	* L_PRA
	* STRING
	* R_PRA
	* BOOLEAN
	* LBRACE
	* NUMBER
	* NAME
	* ROW
	* LIST_SEPARATOR
	* ERROR
	* /\$?([a-qs-z][a-z]?)\$?\d+\b|\$?(r[a-bd-z]?)\$?\d+\b(?!C)/i
	* EXCLAMATION
	* QUOTE
Previous tokens: [Token('L_PRA', '(')]


Files:

[END of Deobfuscation]

@DissectMalware DissectMalware reopened this May 9, 2022
@DissectMalware
Copy link
Owner

DissectMalware commented May 9, 2022
edited
Loading

Can confirm that the issue of using colname as sheetname still remains in xlsm.

This issue is fixed for xlsb format (#107)

@DissectMalware
Copy link
Owner

DissectMalware commented May 9, 2022
edited
Loading

Now it is fixed for xlsm format as well (90a58f4)

image

Please update xlmdeobfuscator from repo

@baderj
Copy link

baderj commented May 9, 2022

Can confirm that commit 90a58f4 works!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix missing wrapping in t_handler()
6 participants
@pyvain @baderj @randubin @DissectMalware @kirk-sayre-work @jhhcs