Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XLM4 is not detected #741

Open
randubin opened this issue Feb 22, 2022 · 2 comments
Open

XLM4 is not detected #741

randubin opened this issue Feb 22, 2022 · 2 comments
Assignees
@decalage2
Labels
🐛 bug olevba
Milestone
oletools 0.60

Comments

@randubin
Copy link

Affected tool:
olevba,oleid

Describe the bug
XLM4 exists in the file, but oletools do not detect it.

File/Malware sample to reproduce the bug
https://bazaar.abuse.ch/sample/306433cdeddadf922a7849ab12431fbdb1f1f7f23dc4de1c2e378dcf9a05ca8a/
How To Reproduce the bug
Tested on pyton 3.8 oletools 0.60.1.dev6
Expected behavior
XLM 4 detected.
Console output / Screenshots
image

Version information:

  • OS: Mac
  • OS version: x.xx - 64 bits
  • Python version: 2.8 -64 bits
  • oletools version: 0.60.1.dev6
@decalage2
Copy link
Owner

Hi @randubin, this looks similar to #728: could you please update oletools with the following command and tell me if it works?

pip install -U oletools[full]

This will install XLMMacroDeobfuscator, which is now used to detect and extract XLM macros. By default XLMMacroDeobfuscator is not installed by pip. You can also install it separately (see https://github.com/DissectMalware/XLMMacroDeobfuscator).

@decalage2 decalage2 self-assigned this Feb 22, 2022
@decalage2 decalage2 added this to the oletools 0.60 milestone Feb 22, 2022
@randubin
Copy link
Author

randubin commented Feb 22, 2022
edited by decalage2
Loading

Thanks for the fast response!.

What is [full]? I tried to update from git or from pip and got the same result. [Made sure that I have the latest version for XLMMacroDeobfuscator pip install -U https://github.com/DissectMalware/XLMMacroDeobfuscator/archive/master.zip
]

 XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
olevba 0.60.1.dev6 on Python 3.8.8 - http://decalage.info/python/oletools
===============================================================================
FILE: 5f034563d28cfcb02445fc33f0da4be.xlsb
Type: OpenXML
No VBA or XLM macros found.

When I run: XLMMacroDeobfuscator directly

XLMMacroDeobfuscator(v0.2.5) - https://github.com/DissectMalware/XLMMacroDeobfuscator

File:05f034563d28cfcb02445fc33f0da4be.xlsb

Unencrypted document or unsupported file format
Unencrypted xlsb file

[Loading Cells]
auto_open: auto_open->LLELFLLEF!$E$1
[Starting Deobfuscation]
Error [deobfuscator.py:2586 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token('__ANON_0', '!C12, Bt2!B17)=FORMULA(Bt2!G6, Bt1!I3)=FORMULA(Fefwq1!L24&Fefwq1!L26&Fefwq1!L27&Fefwq1!L28&Fefwq1!L28&Sbrrrrww1!D7&Bt1!I3&Sbrrrrww1!B15&Bt1!I3&Sbrrrrww1!E2&Bt1!I3&Sbrrrrww1!F13&Bt1!I3&Sbrrrrww1!G5&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!F24&Sbrrrrww1!R2, E14)=FORMULA(Fefwq1!L24&Fefwq1!L26&Fefwq1!L27&Fefwq1!L28&Fefwq1!L28&Sbrrrrww1!C10&Bt1!I3&Sbrrrrww1!H8&Fefwq1!R17&Fefwq1!I3&Fefwq1!B11&Fefwq1!E2&Fefwq1!R17&Fefwq1!T9&Fefwq1!M8&Fefwq1!T4&Fefwq1!R17&Sbrrrrww1!P13&Bt2!B17&Sbrrrrww1!J12&Sbrrrrww1!M4&Sbrrrrww1!N11&Sbrrrrww1!G19&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!H26&Sbrrrrww1!N7&Sbrrrrww1!T6&Fefwq1!L31, E16)=FORMULA(Fefwq1!L24&Fefwq1!G8&Fefwq1!F4&Fefwq1!G8&Fefwq1!O3&Fefwq1!L30&Fefwq1!F24&Bt1!I3&Fefwq1!F10&Fefwq1!C16&Fefwq1!O18&Fefwq1!B3&Fefwq1!A4&Fefwq1!Q1&Fefwq1!S5&Fefwq1!F28&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!H26&Sbrrrrww1!N7&Fefwq1!L31, E18)=FORMULA(Fefwq1!L24&Fefwq1!L26&Fefwq1!L27&Fefwq1!L28&Fefwq1!L28&Sbrrrrww1!C10&Bt1!I3&Sbrrrrww1!H8&Fefwq1!R17&Fefwq1!I3&Fefwq1!B11&Fefwq1!E2&Fefwq1!R17&Fefwq1!T9&Fefwq1!M8&Fefwq1!T4&Fefwq1!R17&Sbrrrrww1!P13&Bt2!B17&Sbrrrrww1!J12&Sbrrrrww1!M4&Sbrrrrww1!N11&Sbrrrrww1!H21&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!H26&Sbrrrrww1!S15&Sbrrrrww1!T6&Fefwq1!L31, E20)=FORMULA(Fefwq1!L24&Fefwq1!G8&Fefwq1!F4&Fefwq1!G8&Fefwq1!O3&Fefwq1!L30&Fefwq1!F24&Bt1!I3&Fefwq1!F10&Fefwq1!C16&Fefwq1!O18&Fefwq1!B3&Fefwq1!A4&Fefwq1!Q1&Fefwq1!S5&Fefwq1!F28&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!H26&Sbrrrrww1!S15&Fefwq1!L31, E22)=FORMULA(Fefwq1!L24&Fefwq1!L26&Fefwq1!L27&Fefwq1!L28&Fefwq1!L28&Sbrrrrww1!C10&Bt1!I3&Sbrrrrww1!H8&Fefwq1!R17&Fefwq1!I3&Fefwq1!B11&Fefwq1!E2&Fefwq1!R17&Fefwq1!T9&Fefwq1!M8&Fefwq1!T4&Fefwq1!R17&Sbrrrrww1!P13&Bt2!B17&Sbrrrrww1!J12&Sbrrrrww1!M4&Sbrrrrww1!N11&Sbrrrrww1!I18&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!H26&Sbrrrrww1!A5&Sbrrrrww1!T6&Fefwq1!L31, E24)=FORMULA(Fefwq1!L24&Fefwq1!G8&Fefwq1!F4&Fefwq1!G8&Fefwq1!O3&Fefwq1!L30&Fefwq1!F24&Bt1!I3&Fefwq1!F10&Fefwq1!C16&Fefwq1!O18&Fefwq1!B3&Fefwq1!A4&Fefwq1!Q1&Fefwq1!S5&Fefwq1!F28&Fefwq1!O3&Fefwq1!H24&Sbrrrrww1!J3&Fefwq1!H26&Sbrrrrww1!A5&Fefwq1!L31, E26)=FORMULA(Fefwq1!L24&Fefwq1!R27&Fefwq1!S30&Fefwq1!P25&Fefwq1!Q32&Fefwq1!R27&Fefwq1!S26&Fefwq1!L30&Fefwq1!L31, E36)') at line 1, column 23.
Expected one of: 
	* CMPOP
	* CONCATOP
	* COLON
	* ADDITIVEOP
	* LIST_SEPARATOR
	* R_PRA
	* MULTIOP
	* L_PRA
Previous tokens: [Token('__ANON_2', 'Bt1')]

Files:
[END of Deobfuscation]
time elapsed: 0.07923579216003418

@decalage2 decalage2 mentioned this issue Feb 22, 2022
Closed
@decalage2 decalage2 mentioned this issue Mar 12, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@decalage2 decalage2

Labels
🐛 bug olevba
Projects
None yet
Milestone
oletools 0.60
Development

No branches or pull requests
2 participants
@decalage2 @randubin