DissectMalware/XLMMacroDeobfuscator

Bug: Unexpected token Token(__ANON_0, '())')

malware-kitten opened this issue · 2 comments

When running the latest from git, the following bug appears when running against malware sample ffa75887740c235250a61413117bb2ee

mal.zip
Password: infected

Error [deobfuscator.py:1590 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token(__ANON_0, '())') at line 1, column 34.

Here's an example of the full run:

[Loading Cells]
auto_open: auto_open->'S'!$FP$36983
[Starting Deobfuscation]
CELL:FP36983   , FullEvaluation      , $II$43299()
CELL:II43299   , FullEvaluation      , SET.NAME(ywqifcx,)
CELL:II43300   , FullEvaluation      , SET.NAME(wcykn,$DS$34038)
CELL:II43301   , FullEvaluation      , SET.NAME(cxyisnqgz,$FE$53601)
CELL:II43302   , FullEvaluation      , WHILE(cxyISNqGZ<>"HVDUGKk") -> [True]
CELL:II43303   , FullEvaluation      ,  SET.NAME(ocxnescllxklh,cxyISNqGZ)
Error [deobfuscator.py:1590 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token(__ANON_0, '())') at line 1, column 34.
Expected one of: 
        * LIST_SEPARATOR
        * CONCATOP
        * CMPOP
        * R_PRA
        * ADDITIVEOP
        * MULTIOP


Files:

[END of Deobfuscation]
time elapsed: 0.6967053413391113

When running in Excel, the sample will reach out to:

http://81.16.141[.]208/F3gbNM

Other similar samples:

27814e7df19b2b3165fd93b8148b22eaafc78cff4f649d16bacf9ba5d2f943f1
77d7cb65a982b20a8176c1f72f897e50a81a8c1fff0837afecda20b9bb1ba843
2fbae9bcd3d74139090c83eae09e7322c7d16b73aee8e648af1984b37552132d

I encounter a similar error for the following sample too.
3a8ee8980c991b40e77d3d7f2b9041a1