Bug: 'Token' object has no attribute 'data' #51

Open
malware-kitten opened this issue Jun 24, 2020 · 3 comments
@malware-kitten

Running the latest dev version (v0.1.5) pulled from GitHub, I encountered an error while processing the file e314ea8492fec8fb7349f966eab30ae0f8dfad22d08fe914a2d88e5056b9451f:

Error [deobfuscator.py:1569 evaluation_result = self.evaluate_parse_tree(current_cell, parse_tree, interactive)]: 'Token' object has no attribute 'data'

e314ea8492fec8fb7349f966eab30ae0f8dfad22d08fe914a2d88e5056b9451f.zip

Unencrypted xls file

[Loading Cells]
auto_open: auto_open->'AutoSave'!$B$4
[Starting Deobfuscation]
CELL:B5        , PartialEvaluation   , GET.CELL(32.0,B5)
CELL:B6        , FullEvaluation      , FALSE
CELL:B7        , FullEvaluation      , __LongName
CELL:B8        , PartialEvaluation   , GET.DOCUMENT(2,mco00s.MacroName)
CELL:B9        , FullEvaluation      , FALSE
CELL:B10       , FullBranching       , IF(LEFT(GET.WORKSPACE(1.0),3.0)="Win","","'")
CELL:B10       , FullEvaluation      , [TRUE] ""
CELL:B11       , FullBranching       ,  IF(LEFT(GET.WORKSPACE(1.0),3.0)="Win",SET.NAME("Win",TRUE),SET.NAME("Win",FALSE))
CELL:B11       , FullEvaluation      ,  [TRUE] SET.NAME(win,TRUE)
Error [deobfuscator.py:1569 evaluation_result = self.evaluate_parse_tree(current_cell, parse_tree, interactive)]: 'Token' object has no attribute 'data'

Files:

[END of Deobfuscation]

Hopefully this helps track down a corner case.

DissectMalware added the bug (Something isn't working) label Jun 24, 2020
DissectMalware self-assigned this Jun 24, 2020
DissectMalware added a commit that referenced this issue Jun 24, 2020
@DissectMalware
Owner

Amazing instance. I added a few features to handle this instance, but it still needs more features to support this.

I am not sure whether this instance is malicious. If you have done any manual debugging, please let me know what you think about the sample.

@malware-kitten
Author

I believe this document is benign; it was part of a testing repository that I was using for sanity checking some XLS YARA rules. I pulled the latest version and it appears that 2af8bd9 and 3a5c2ca did fix the issue. Thanks for the quick commits.

I can close the ticket if you'd like, or if you want to leave it open just let me know and I'm happy to action accordingly.

As I come across more edge cases I'll pass them over.

@DissectMalware
Owner

Thanks for sharing the info.

The deobfuscator still cannot fully interpret this sample. So it is better to leave this issue open. I will gradually cover other functionalities.
