Error: Unexpected token #55

Open
johnmccash opened this issue Aug 4, 2020 · 1 comment
@johnmccash

When analyzing a malicious document with version 0.1.4, analysis proceeds until...
.
.
.
CELL:FE2492 , FullEvaluation , "=SET.VALUE(R17C1,0)"
CELL:FE2493 , FullEvaluation , FORMULA("=SET.VALUE(R17C1,0)",$A$35)
CELL:FE2494 , FullEvaluation , "="
CELL:FE2495 , FullEvaluation , "H"
CELL:FE2496 , FullEvaluation , "A"
CELL:FE2497 , FullEvaluation , "L"
CELL:FE2498 , FullEvaluation , "T"
CELL:FE2499 , FullEvaluation , "("
CELL:FE2500 , FullEvaluation , ")"
CELL:FE2501 , FullEvaluation , "=HALT()"
CELL:FE2502 , FullEvaluation , FORMULA("=HALT()",$A$36)
CELL:FE2503 , FullEvaluation , GOTO($A$1)
CELL:A1 , FullEvaluation , REGISTER("Kernel32","VirtualAlloc","JJJJJ","Valloc",,1,9)
CELL:A2 , FullEvaluation , REGISTER("Kernel32","WriteProcessMemory","JJJCJJ","WProcessMemory",,1,9)
CELL:A3 , FullEvaluation , REGISTER("Kernel32","CreateThread","JJJJJJJ","CThread",,1,9)
Error: Unexpected token Token(NUMBER, '6') at line 1, column 63.
Expected one of:
* MULTIOP
* R_PRA
* CONCATOP
* ADDITIVEOP
* LIST_SEPARATOR
* CMPOP
* COLON

[END of Deobfuscation]
time elapsed: 4.017183065414429

If I load the dev version, I get a different error:

[Loading Cells]
[Starting Deobfuscation]
There is no entry point, please specify a cell address to start
Example: Sheet1!A1

but if I then give it the first cell of the document from the previous analysis, it seems to proceed through to the end, so not sure if this bug is already fixed or not. If you need the file that causes the issue, I can email, but need an address to send it to.

I have a 2nd file that throws the following error for 0.1.4:

[Loading Cells]
auto_open: auto_open->qUKYONz;!$A$1
[Starting Deobfuscation]
CELL:A1 , PartialEvaluation , ACTIVATE("qUKYONz;")
Error: 'XLMInterpreter' object has no attribute 'parse_cell_address'
[END of Deobfuscation]
time elapsed: 0.33858323097229004

and for the dev version, proceeds through for a while and then throws:

CELL:A12 , FullEvaluation , NEXT
CELL:A8 , FullEvaluation , WHILE($C$6=0.0) -> [False]
CELL:A13 , PartialEvaluation , qUKYONz;!$F$1("=REGISTER(CHAR(75)&CHAR(69)&CHAR(82)&CHAR(78)&CHAR(69)&CHAR(76)&""32"",CHAR(87)&CHAR(114)&CHAR(105)&CHAR(116)&CHAR(101)&CHAR(80)&CHAR(114)&""oces""&CHAR(115)&CHAR(77)&CHAR(101)&CHAR(109)&CHAR(111)&CHAR(114)&CHAR(121),""JJJCJE"",""viaBBg"",,1,9)")
Error [deobfuscator.py:1592 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token(COLON, ':') at line 1, column 30.
Expected one of:
* ADDITIVEOP
* $END
* R_PRA
* CMPOP
* LIST_SEPARATOR
* CONCATOP
* MULTIOP

Files:

[END of Deobfuscation]
time elapsed: 0.49591684341430664

This file, I can also email if you send me an address.

Thanks
John
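
Added example (not part of the issue and not XLMMacroDeobfuscator's code): a small Python helper that folds the `CHAR(n)&"..."` concatenations in the A13 argument logged above into plain string literals, so the `REGISTER` call can be read even though the tool stopped on the parse error. `fold_constants` and `unwrap_logged_literal` are hypothetical names, and mapping `CHAR(n)` through `chr()` is an assumption that is exact only for ASCII codes.

```python
import re

# One operand of a constant concatenation: CHAR(n) or a quoted XLM string
# (a doubled quote inside the string stands for one literal quote).
TERM = r'(?:\bCHAR\(\s*\d+\s*\)|"(?:[^"]|"")*")'
CHAIN = re.compile(rf'{TERM}(?:\s*&\s*{TERM})*', re.IGNORECASE)
PIECE = re.compile(r'\bCHAR\(\s*(\d+)\s*\)|"((?:[^"]|"")*)"', re.IGNORECASE)

# Argument of the A13 call, copied from the dev-version log in the issue.
LOGGED = (
    r'"=REGISTER(CHAR(75)&CHAR(69)&CHAR(82)&CHAR(78)&CHAR(69)&CHAR(76)&""32"",'
    r'CHAR(87)&CHAR(114)&CHAR(105)&CHAR(116)&CHAR(101)&CHAR(80)&CHAR(114)&'
    r'""oces""&CHAR(115)&CHAR(77)&CHAR(101)&CHAR(109)&CHAR(111)&CHAR(114)&'
    r'CHAR(121),""JJJCJE"",""viaBBg"",,1,9)"'
)


def unwrap_logged_literal(text):
    """Strip the outer quotes of a logged string literal and undo "" escaping."""
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("not a quoted XLM string literal")
    return text[1:-1].replace('""', '"')


def _fold_chain(match):
    parts = []
    for piece in PIECE.finditer(match.group(0)):
        if piece.group(1) is not None:
            code = int(piece.group(1))
            if not 1 <= code <= 255:      # outside CHAR()'s range: leave as is
                return match.group(0)
            parts.append(chr(code))       # assumption: Latin-1, exact for ASCII
        else:
            parts.append(piece.group(2).replace('""', '"'))
    # Re-emit as a single XLM string literal, re-escaping embedded quotes.
    return '"' + "".join(parts).replace('"', '""') + '"'


def fold_constants(formula):
    """Replace every CHAR()/string chain joined by & with one string literal."""
    return CHAIN.sub(_fold_chain, formula)


if __name__ == "__main__":
    print(fold_constants(unwrap_logged_literal(LOGGED)))
```
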

@DissectMalware
Owner

Can you give me the hash? If it is available on VirusTotal, can you upload it somewhere and send me the link via DM on Twitter (https://twitter.com/DissectMalware)?

@DissectMalware added the bug label (Something isn't working) on Aug 16, 2020
@DissectMalware self-assigned this on Aug 16, 2020