Error: Unexpected token #55
Labels
bug
Comments
Can you give me the hash? If it is available on VirusTotal, can you upload it somewhere and send me the link via DM on Twitter (https://twitter.com/DissectMalware)?
When analyzing a malicious document with version 0.1.4, analysis proceeds until...
```
.
.
.
CELL:FE2492 , FullEvaluation , "=SET.VALUE(R17C1,0)"
CELL:FE2493 , FullEvaluation , FORMULA("=SET.VALUE(R17C1,0)",$A$35)
CELL:FE2494 , FullEvaluation , "="
CELL:FE2495 , FullEvaluation , "H"
CELL:FE2496 , FullEvaluation , "A"
CELL:FE2497 , FullEvaluation , "L"
CELL:FE2498 , FullEvaluation , "T"
CELL:FE2499 , FullEvaluation , "("
CELL:FE2500 , FullEvaluation , ")"
CELL:FE2501 , FullEvaluation , "=HALT()"
CELL:FE2502 , FullEvaluation , FORMULA("=HALT()",$A$36)
CELL:FE2503 , FullEvaluation , GOTO($A$1)
CELL:A1 , FullEvaluation , REGISTER("Kernel32","VirtualAlloc","JJJJJ","Valloc",,1,9)
CELL:A2 , FullEvaluation , REGISTER("Kernel32","WriteProcessMemory","JJJCJJ","WProcessMemory",,1,9)
CELL:A3 , FullEvaluation , REGISTER("Kernel32","CreateThread","JJJJJJJ","CThread",,1,9)
Error: Unexpected token Token(NUMBER, '6') at line 1, column 63.
Expected one of:
* MULTIOP
* R_PRA
* CONCATOP
* ADDITIVEOP
* LIST_SEPARATOR
* CMPOP
* COLON
[END of Deobfuscation]
time elapsed: 4.017183065414429
```
If I load the dev version, I get a different error:
```
[Loading Cells]
[Starting Deobfuscation]
There is no entry point, please specify a cell address to start
Example: Sheet1!A1
```
but if I then give it the first cell of the document from the previous analysis, it seems to proceed through to the end, so not sure if this bug is already fixed or not. If you need the file that causes the issue, I can email, but need an address to send it to.
I have a 2nd file that throws the following error for 0.1.4:
```
[Loading Cells]
auto_open: auto_open->qUKYONz;!$A$1
[Starting Deobfuscation]
CELL:A1 , PartialEvaluation , ACTIVATE("qUKYONz;")
Error: 'XLMInterpreter' object has no attribute 'parse_cell_address'
[END of Deobfuscation]
time elapsed: 0.33858323097229004
```
and for the dev version, proceeds through for a while and then throws:
```
CELL:A12 , FullEvaluation , NEXT
CELL:A8 , FullEvaluation , WHILE($C$6=0.0) -> [False]
CELL:A13 , PartialEvaluation , qUKYONz;!$F$1("=REGISTER(CHAR(75)&CHAR(69)&CHAR(82)&CHAR(78)&CHAR(69)&CHAR(76)&""32"",CHAR(87)&CHAR(114)&CHAR(105)&CHAR(116)&CHAR(101)&CHAR(80)&CHAR(114)&""oces""&CHAR(115)&CHAR(77)&CHAR(101)&CHAR(109)&CHAR(111)&CHAR(114)&CHAR(121),""JJJCJE"",""viaBBg"",,1,9)")
Error [deobfuscator.py:1592 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token(COLON, ':') at line 1, column 30.
Expected one of:
* ADDITIVEOP
* $END
* R_PRA
* CMPOP
* LIST_SEPARATOR
* CONCATOP
* MULTIOP
Files:
[END of Deobfuscation]
time elapsed: 0.49591684341430664
```
This file, I can also email if you send me an address.
Thanks
John
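
When the parser stops on a line like the `CELL:A13` one above, an analyst can still recover the `REGISTER` arguments by folding the `CHAR()` and `&` concatenations by hand. The following is an added example, not part of the report and not XLMMacroDeobfuscator's own code; the names `fold_chain` and `fold_formula` are hypothetical, and the Windows-1252 code page is an assumption.

```python
import re

# Constructed sample: the string argument from the CELL:A13 line in the report,
# still carrying Excel's doubled quotes ("" is one quote inside a string).
RAW = ('=REGISTER(CHAR(75)&CHAR(69)&CHAR(82)&CHAR(78)&CHAR(69)&CHAR(76)&""32"",'
       'CHAR(87)&CHAR(114)&CHAR(105)&CHAR(116)&CHAR(101)&CHAR(80)&CHAR(114)&'
       '""oces""&CHAR(115)&CHAR(77)&CHAR(101)&CHAR(109)&CHAR(111)&CHAR(114)&'
       'CHAR(121),""JJJCJE"",""viaBBg"",,1,9)')

# One operand of a concatenation: CHAR(<int>) or a quoted literal.
OPERAND = r'(?:CHAR\(\s*\d+\s*\)|"(?:[^"]|"")*")'
OPERAND_RE = re.compile(OPERAND, re.IGNORECASE)
# A chain of operands joined by &; a single operand also counts as a chain.
CHAIN_RE = re.compile(rf'{OPERAND}(?:\s*&\s*{OPERAND})*', re.IGNORECASE)


def fold_chain(match):
    """Replace one CHAR()/literal concatenation with a single quoted literal."""
    parts = []
    for op in OPERAND_RE.findall(match.group(0)):
        if op.startswith('"'):
            parts.append(op[1:-1].replace('""', '"'))
            continue
        code = int(op[op.index('(') + 1:-1])
        if not 1 <= code <= 255:
            return match.group(0)  # Excel yields #VALUE! here; leave it visible
        # Assumption: the document was authored under the Windows-1252 code page.
        parts.append(bytes([code]).decode('cp1252', errors='replace'))
    return '"' + ''.join(parts).replace('"', '""') + '"'


def fold_formula(raw_argument):
    """Unescape a formula stored as a string argument, then fold its chains."""
    formula = raw_argument.replace('""', '"')  # undo string-argument escaping
    return CHAIN_RE.sub(fold_chain, formula)


if __name__ == '__main__':
    print(fold_formula(RAW))
```
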