DissectMalware/XLMMacroDeobfuscator

xls_workbook.name_map does not contain static values

stevengoossensB opened this issue · 1 comment

The xls_workbook.name_map contains the names for all values that are set when loading the document. However, only when the Operand type is oREF is the value parsed correctly. I suppose this is an issue in the xlrd2 library already. Newer malware samples use these statically defined values as a parameter for the execution of the macro (e.g. as a counter for a while loop).


E.g. samples:
d6063921e36b12414d769eda7cf5715541d149e54168128ceeb800a05f9f2b3d
582e03fefa4da38ecedd2afc3625ed152f98854c986d95ca9b0aca8b7a3d260f

This is fixed in the latest version of the xlmdeobfuscator and xlrd2.

Mainly in 2d19c55

d6063921e36b12414d769eda7cf5715541d149e54168128ceeb800a05f9f2b3d:
