Affected tool:
olevba, oleid, etc
Describe the bug
A clear and concise description of what the bug is.
OLEVBA/OLEID do not detect XLM macro.
File/Malware sample to reproduce the bug
https://bazaar.abuse.ch/sample/fd2715285ac147b7dd78ba66a184d1016af1d54f1be7a789f231a69143298840/
How To Reproduce the bug
xlmdeobfuscator --defined-names -f fd2715285ac147b7dd78ba66a184d1016af1d54f1be7a789f231a69143298840.xlsx
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
XLMMacroDeobfuscator(v0.2.5) - https://github.com/DissectMalware/XLMMacroDeobfuscator
File: fd2715285ac147b7dd78ba66a184d1016af1d54f1be7a789f231a69143298840.xlsx
Unencrypted document or unsupported file format
Unencrypted xlsb file
[Loading Cells]
auto_open: auto_open->LKGEEV!$D$1
[Defined Names]
_xlfn.arabic --> ('_xlfn.arabic', '#NAME?')
qqdq --> ('qqdq', 'LKGEEV!$D$10')
qqdq1 --> ('qqdq1', 'LKGEEV!$D$12')
qqdq2 --> ('qqdq2', 'LKGEEV!$D$14')
qqdq3 --> ('qqdq3', 'LKGEEV!$D$16')
qqdq4 --> ('qqdq4', 'LKGEEV!$D$18')
qqdq5 --> ('qqdq5', 'LKGEEV!$D$20')
qqdq6 --> ('qqdq6', 'LKGEEV!$D$22')
qqdq7 --> ('qqdq7', 'LKGEEV!$D$28')
auto_open --> ('auto_open', 'LKGEEV!$D$1')
[Starting Deobfuscation]
CELL:D7 , FullEvaluation , "True"
CELL:D10 , FullEvaluation , CALL("Kernel32","CreateDirectoryA","JCJ","C:\Bduc",0)
Error [deobfuscator.py:2586 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token('NAME', 'JJCCBB') at line 1, column 37.
Expected one of:
* L_PRA
* CONCATOP
* ADDITIVEOP
* CMPOP
* R_PRA
* MULTIOP
* LIST_SEPARATOR
Previous tokens: [Token('STRING', '"URLDownloadToFileA,"')]
OLEVBA:
olevba -l debug fd2715285ac147b7dd78ba66a184d1016af1d54f1be7a789f231a69143298840.xlsx
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
olevba 0.60.1.dev6 on Python 3.8.8 - http://decalage.info/python/oletools
DEBUG ftguess: file type=OpenXML file - container=OpenXML
INFO Opening ZIP/OpenXML file fd2715285ac147b7dd78ba66a184d1016af1d54f1be7a789f231a69143298840.xlsx
DEBUG OpenXML subfile [Content_Types].xml
DEBUG OpenXML subfile _rels/.rels
DEBUG OpenXML subfile xl/_rels/workbook.bin.rels
DEBUG OpenXML subfile xl/workbook.bin
DEBUG OpenXML subfile xl/worksheets/sheet1.bin
DEBUG OpenXML subfile xl/worksheets/sheet2.bin
DEBUG OpenXML subfile xl/worksheets/sheet3.bin
DEBUG OpenXML subfile xl/worksheets/sheet4.bin
DEBUG OpenXML subfile xl/macrosheets/intlsheet1.bin
DEBUG OpenXML subfile xl/macrosheets/sheet1.bin
DEBUG OpenXML subfile xl/macrosheets/sheet2.bin
DEBUG OpenXML subfile xl/theme/theme1.xml
DEBUG OpenXML subfile xl/media/image1.png
DEBUG OpenXML subfile xl/styles.bin
DEBUG OpenXML subfile xl/drawings/drawing1.xml
DEBUG OpenXML subfile xl/worksheets/_rels/sheet1.bin.rels
DEBUG OpenXML subfile xl/worksheets/_rels/sheet2.bin.rels
DEBUG OpenXML subfile xl/worksheets/_rels/sheet3.bin.rels
DEBUG OpenXML subfile xl/worksheets/_rels/sheet4.bin.rels
DEBUG OpenXML subfile xl/macrosheets/_rels/intlsheet1.bin.rels
DEBUG OpenXML subfile xl/macrosheets/_rels/sheet1.bin.rels
DEBUG OpenXML subfile xl/macrosheets/_rels/sheet2.bin.rels
DEBUG OpenXML subfile xl/drawings/_rels/drawing1.xml.rels
DEBUG OpenXML subfile xl/sharedStrings.bin
DEBUG OpenXML subfile xl/worksheets/binaryIndex1.bin
DEBUG OpenXML subfile xl/worksheets/binaryIndex2.bin
DEBUG OpenXML subfile xl/worksheets/binaryIndex3.bin
DEBUG OpenXML subfile xl/worksheets/binaryIndex4.bin
DEBUG OpenXML subfile xl/macrosheets/binaryIndex1.bin
DEBUG OpenXML subfile xl/macrosheets/binaryIndex2.bin
DEBUG OpenXML subfile xl/macrosheets/binaryIndex3.bin
DEBUG OpenXML subfile xl/printerSettings/printerSettings1.bin
DEBUG OpenXML subfile xl/printerSettings/printerSettings2.bin
DEBUG OpenXML subfile xl/calcChain.bin
DEBUG OpenXML subfile docProps/core.xml
DEBUG OpenXML subfile docProps/app.xml
FILE: fd2715285ac147b7dd78ba66a184d1016af1d54f1be7a789f231a69143298840.xlsx
Type: OpenXML
DEBUG detect vba macros
DEBUG detect xlm macros
No VBA or XLM macros found.
DEBUG Checking for encryption (normal)
DEBUG Checking for encryption using msoffcrypto
INFO msoffcrypto failed to parse file or determine whether it is encrypted: Unencrypted document or unsupported file format
DEBUG Checking for encryption in zip file
DEBUG no encryption detected
DEBUG will exit now with code 0
Expected behavior
A clear and concise description of what you expected to happen.
Console output / Screenshots
If applicable, add screenshots to help explain your problem.
Use the option "-l debug" to add debugging information, if possible.
Version information:
Additional context
Maybe related to this one: DissectMalware/XLMMacroDeobfuscator#108
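
Added example, not part of the original report and not oletools or XLMMacroDeobfuscator code: the olevba debug log above lists `xl/workbook.bin` and `xl/macrosheets/*.bin` parts inside a file named `.xlsx` while still reporting no XLM macros, so a container-level check like the one below can act as a fallback triage signal. The function names, the constructed sample container and the content-type string in it are assumptions made for this illustration.

```python
import io
import re
import zipfile

_OVERRIDE = re.compile(rb"<Override\b[^>]*>", re.I)
_ATTR = re.compile(rb'(PartName|ContentType)\s*=\s*"([^"]*)"', re.I)
# Heuristic: sheet parts under a macrosheets/ folder (skips _rels and binaryIndex).
_SHEET = re.compile(r"macrosheets/[^/]*sheet[^/]*\.(?:bin|xml)$", re.I)

def triage_openxml(data, filename):
    """Flag XLM macrosheet parts and a binary workbook behind a non-.xlsb name."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        ctypes = b""
        if "[Content_Types].xml" in names:
            # Cap the read: the container is untrusted and may be a zip bomb.
            with zf.open("[Content_Types].xml") as fh:
                ctypes = fh.read(1 << 20)
    found = {n for n in names if _SHEET.search(n)}
    # Regex scan instead of an XML parser, to avoid entity expansion on hostile input.
    for tag in _OVERRIDE.findall(ctypes):
        attrs = {k.lower(): v.decode("utf-8", "replace") for k, v in _ATTR.findall(tag)}
        part = attrs.get(b"partname", "").lstrip("/")
        if part and "macrosheet" in attrs.get(b"contenttype", "").lower():
            found.add(part)
    binary = any(n.lower() == "xl/workbook.bin" for n in names)
    return {
        "macrosheets": sorted(found),
        "binary_workbook": binary,
        "extension_mismatch": binary and not filename.lower().endswith(".xlsb"),
    }

def build_sample():
    """Constructed container: part names taken from the olevba log, dummy contents."""
    ctypes = (b'<Types><Override PartName="/xl/macrosheets/sheet1.bin" '
              b'ContentType="application/vnd.ms-excel.macrosheet"/></Types>')
    parts = ["xl/workbook.bin", "xl/worksheets/sheet1.bin",
             "xl/macrosheets/intlsheet1.bin", "xl/macrosheets/sheet1.bin",
             "xl/macrosheets/sheet2.bin", "xl/macrosheets/_rels/sheet1.bin.rels",
             "xl/macrosheets/binaryIndex1.bin"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        for p in parts:
            zf.writestr(p, b"")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_openxml(build_sample(), "sample.xlsx"))
```

A hit here only says that macrosheet parts exist in the container; the formulas still have to be extracted and reviewed with a parser that understands the binary sheet format.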