DissectMalware/XLMMacroDeobfuscator

Error: Unexpected token

johnmccash opened this issue · 1 comments

When analyzing a malicious document with version 0.1.4, analysis proceeds until...
.
.
.
CELL:FE2492 , FullEvaluation , "=SET.VALUE(R17C1,0)"
CELL:FE2493 , FullEvaluation , FORMULA("=SET.VALUE(R17C1,0)",$A$35)
CELL:FE2494 , FullEvaluation , "="
CELL:FE2495 , FullEvaluation , "H"
CELL:FE2496 , FullEvaluation , "A"
CELL:FE2497 , FullEvaluation , "L"
CELL:FE2498 , FullEvaluation , "T"
CELL:FE2499 , FullEvaluation , "("
CELL:FE2500 , FullEvaluation , ")"
CELL:FE2501 , FullEvaluation , "=HALT()"
CELL:FE2502 , FullEvaluation , FORMULA("=HALT()",$A$36)
CELL:FE2503 , FullEvaluation , GOTO($A$1)
CELL:A1 , FullEvaluation , REGISTER("Kernel32","VirtualAlloc","JJJJJ","Valloc",,1,9)
CELL:A2 , FullEvaluation , REGISTER("Kernel32","WriteProcessMemory","JJJCJJ","WProcessMemory",,1,9)
CELL:A3 , FullEvaluation , REGISTER("Kernel32","CreateThread","JJJJJJJ","CThread",,1,9)
Error: Unexpected token Token(NUMBER, '6') at line 1, column 63.
Expected one of:
* MULTIOP
* R_PRA
* CONCATOP
* ADDITIVEOP
* LIST_SEPARATOR
* CMPOP
* COLON

[END of Deobfuscation]
time elapsed: 4.017183065414429

If I load the dev version, I get a different error:

[Loading Cells]
[Starting Deobfuscation]
There is no entry point, please specify a cell address to start
Example: Sheet1!A1

but if I then give it the first cell of the document from the previous analysis, it seems to proceed through to the end, so I'm not sure if this bug is already fixed or not. If you need the file that causes the issue, I can email it, but I need an address to send it to.

I have a 2nd file that throws the following error for 0.1.4:

[Loading Cells]
auto_open: auto_open->qUKYONz;!$A$1
[Starting Deobfuscation]
CELL:A1 , PartialEvaluation , ACTIVATE("qUKYONz;")
Error: 'XLMInterpreter' object has no attribute 'parse_cell_address'
[END of Deobfuscation]
time elapsed: 0.33858323097229004

and for the dev version, it proceeds for a while and then throws:

CELL:A12 , FullEvaluation , NEXT
CELL:A8 , FullEvaluation , WHILE($C$6=0.0) -> [False]
CELL:A13 , PartialEvaluation , qUKYONz;!$F$1("=REGISTER(CHAR(75)&CHAR(69)&CHAR(82)&CHAR(78)&CHAR(69)&CHAR(76)&""32"",CHAR(87)&CHAR(114)&CHAR(105)&CHAR(116)&CHAR(101)&CHAR(80)&CHAR(114)&""oces""&CHAR(115)&CHAR(77)&CHAR(101)&CHAR(109)&CHAR(111)&CHAR(114)&CHAR(121),""JJJCJE"",""viaBBg"",,1,9)")
Error [deobfuscator.py:1592 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token(COLON, ':') at line 1, column 30.
Expected one of:
* ADDITIVEOP
* $END
* R_PRA
* CMPOP
* LIST_SEPARATOR
* CONCATOP
* MULTIOP

Files:

[END of Deobfuscation]
time elapsed: 0.49591684341430664

This file, I can also email if you send me an address.

Thanks
John
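
A defender-side triage check, added here as an example and not part of XLMMacroDeobfuscator or of this issue: it scans trace lines in the shape quoted above, recovers the DLL and export named in each REGISTER() call even when they are assembled from CHAR() concatenation (as in the A13 cell), and flags the VirtualAlloc / WriteProcessMemory / CreateThread imports that the A1..A3 cells show. The sample trace text, the regexes and the suspicious-API list are assumptions constructed for this example.

```python
import re
SAMPLE_OUTPUT = r'''
CELL:A1 , FullEvaluation , REGISTER("Kernel32","VirtualAlloc","JJJJJ","Valloc",,1,9)
CELL:A2 , FullEvaluation , REGISTER("Kernel32","WriteProcessMemory","JJJCJJ","WProcessMemory",,1,9)
CELL:A3 , FullEvaluation , REGISTER("Kernel32","CreateThread","JJJJJJJ","CThread",,1,9)
CELL:A13 , PartialEvaluation , qUKYONz;!$F$1("=REGISTER(CHAR(75)&CHAR(69)&CHAR(82)&CHAR(78)&CHAR(69)&CHAR(76)&""32"",CHAR(87)&CHAR(114)&CHAR(105)&CHAR(116)&CHAR(101)&CHAR(80)&CHAR(114)&""oces""&CHAR(115)&CHAR(77)&CHAR(101)&CHAR(109)&CHAR(111)&CHAR(114)&CHAR(121),""JJJCJE"",""viaBBg"",,1,9)")
'''  # constructed sample in the shape of the deobfuscator's trace lines quoted in this issue

LINE_RE = re.compile(r'^CELL:(?P<cell>\S+)\s*,\s*(?P<mode>\w+)\s*,\s*(?P<formula>.*)$')
CHAR_RE = re.compile(r'CHAR\((\d+)\)', re.I)
# Win32 exports whose import via REGISTER from an XLM sheet is a strong injection/download indicator.
SUSPICIOUS_APIS = {"virtualalloc", "writeprocessmemory", "createthread", "createremotethread",
                   "urldownloadtofilea", "shellexecutea", "winexec"}

def fold_char_concat(expr):
    """Collapse CHAR(n)&"lit"&... into one plain string; doubled quotes come from nested formula strings."""
    expr = CHAR_RE.sub(lambda m: '"%s"' % chr(int(m.group(1))), expr)
    expr = expr.replace('""', '"')
    return "".join(re.findall(r'"([^"]*)"', expr))

def extract_register_args(formula):
    """Return the arguments of the first REGISTER(...) call, split at top-level commas, or None."""
    m = re.search(r'REGISTER\(', formula, re.I)
    if not m:
        return None
    args, cur, depth = [], [], 0
    for ch in formula[m.end():]:
        if ch == ')' and depth == 0:  # closing paren of REGISTER itself
            return args + ["".join(cur)]
        depth += (ch == '(') - (ch == ')')
        if ch == ',' and depth == 0:
            args.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    return None  # unbalanced call, e.g. a truncated trace line

def find_suspicious_registers(trace):
    """Yield (cell, dll, function) for every REGISTER call that imports a suspicious API."""
    for line in trace.splitlines():
        lm = LINE_RE.match(line.strip())
        if not lm:
            continue
        args = extract_register_args(lm.group("formula"))
        if args is None or len(args) < 2:
            continue
        dll, func = fold_char_concat(args[0]), fold_char_concat(args[1])
        if func.lower() in SUSPICIOUS_APIS:
            yield lm.group("cell"), dll, func
```

Running `list(find_suspicious_registers(SAMPLE_OUTPUT))` reports all four cells, including the CHAR()-built KERNEL32!WriteProcessMemory import that a plain string match on the trace would miss.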

Can you give me the hash? If it is available on VirusTotal, can you upload it somewhere and send me the link via DM on Twitter (https://twitter.com/DissectMalware)?