XLMMacroDeobfuscator - Extract And Deobfuscate XLM Macros (A.K.A Excel 4.0 Macros)

2021-08-21T21:30:00

Description

[![](https://1.bp.blogspot.com/-PRR-vsEVids/YRwVFc6cVJI/AAAAAAAAq1k/zCViiFenVG8uOEysZWiH9cbAxr_Ss_XtgCNcBGAsYHQ/w640-h368/xlm.png)](<https://1.bp.blogspot.com/-PRR-vsEVids/YRwVFc6cVJI/AAAAAAAAq1k/zCViiFenVG8uOEysZWiH9cbAxr_Ss_XtgCNcBGAsYHQ/s810/xlm.png>) XLMMacroDeobfuscator can be used to [decode](<https://www.kitploit.com/search/label/Decode> "decode" ) obfuscated XLM macros (also known as Excel 4.0 macros). It utilizes an internal XLM [emulator](<https://www.kitploit.com/search/label/Emulator> "emulator" ) to interpret the macros, without fully performing the code. It supports both xls, xlsm, and xlsb formats. It uses [xlrd2](<https://github.com/DissectMalware/xlrd2> "xlrd2" ), [pyxlsb2](<https://github.com/DissectMalware/pyxlsb2> "pyxlsb2" ) and its own parser to extract cells and other information from xls, xlsb and xlsm files, respectively. You can also find XLM grammar in [xlm-macro-lark.template](<https://github.com/DissectMalware/XLMMacroDeobfuscator/blob/master/XLMMacroDeobfuscator/xlm-macro.lark.template> "xlm-macro-lark.template" ) **Installing the emulator** 1. Install using pip pip install XLMMacroDeobfuscator 2. Installing the latest development pip install -U https://github.com/DissectMalware/xlrd2/archive/master.zip pip install -U https://github.com/DissectMalware/pyxlsb2/archive/master.zip pip install -U https://github.com/DissectMalware/XLMMacroDeobfuscator/archive/master.zip **Running the emulator** To [deobfuscate](<https://www.kitploit.com/search/label/Deobfuscate> "deobfuscate" ) macros in Excel documents: xlmdeobfuscator --file document.xlsm To only get the deobfuscated macros and without any indentation: xlmdeobfuscator --file document.xlsm --no-indent --output-formula-format "[[INT-FORMULA]]" To export the output in JSON format xlmdeobfuscator --file document.xlsm --export-json result.json To see a sample JSON output, please check [this link](<https://pastebin.com/bwmS7mi0> "this link" ) out. To use a config file xlmdeobfuscator --file document.xlsm -c default.config default.config file must be a valid json file, such as: { "no-indent": true, "output-formula-format": "[[CELL-ADDR]] [[INT-FORMULA]]", "non-interactive": true, "output-level": 1 } **Command Line** emulation after N seconds (0: not interruption N>0: stop emulation after N seconds) "> _ _______ |\ /|( \ ( ) ( \ / )| ( | () () | \ (_) / | | | || || | ) _ ( | | | |(_)| | / ( ) \ | | | | | | ( / \ )| (____/\| ) ( | |/ \|(_______/|/ \| ______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______ ( __ \ ( ____ \( ___ )( ___ \ ( ____ \|\ /|( ____ \( ____ \( ___ )\__ __/( ___ )( ____ ) | ( \ )| ( \/| ( ) || ( ) )| ( \/| ) ( || ( \/| ( \/| ( ) | ) ( | ( ) || ( )| | | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)| | | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __) | | ) || ( | | | || ( \ \ | ( | | | | ) || | | ( ) | | | | | | || (\ ( | (__/ )| (____/\| (___) || )___) )| ) | (___) |/\____) || (____/\| ) ( | | | | (___) || ) \ \__ (______/ (_______/(_______)|/ \___/ |/ (_______)\_______)(_______/|/ \| )_( (_______)|/ \__/ XLMMacroDeobfuscator(v0.1.7) - https://github.com/DissectMalware/XLMMacroDeobfuscator usage: deobfuscator.py [-h] [-c FILE_PATH] [-f FILE_PATH] [-n] [-x] [-2] [--with-ms-excel] [-s] [-d DAY] [--output-formula-format OUTPUT_FORMULA_FORMAT] [--no-indent] [--export-json FILE_PATH] [--start-point CELL_ADDR] [-p PASSWORD] [-o OUTPUT_LEVEL] optional arguments: -h, --help show this help message and exit -c FILE_PATH, --config_file FILE_PATH Specify a config file (must be a valid JSON file) -f FILE_PATH, --file FILE_PATH The path of a XLSM file -n , --noninteractive Disable interactive shell -x, --extract-only Only extract cells without any emulation -2, --no-ms-excel [Deprecated] Do not use MS Excel to process XLS files --with-ms-excel Use MS Excel to process XLS files -s, --start-with-shell Open an XLM shell before interpreting the macros in the input -d DAY, --day DAY Specify the day of month --output-formula-format OUTPUT_FORMULA_FORMAT Specify the format for output formulas ([[CELL-ADDR]], [[INT-FORMULA]], and [[STATUS]] --no-indent Do not show indent before formulas --export-json FILE_PATH Export the output to JSON --start-point CELL_ADDR Start interpretation from a specific cell address -p PASSWORD, --password PASSWORD Password to decrypt t he protected document -o OUTPUT_LEVEL, --output-level OUTPUT_LEVEL Set the level of details to be shown (0:all commands, 1: commands no jump 2:important commands 3:strings in important commands). --timeout N stop emulation after N seconds (0: not interruption N>0: stop emulation after N seconds) **Library** The following example shows how XLMMacroDeobfuscator can be used in a python project to deobfuscate XLM macros: from XLMMacroDeobfuscator.deobfuscator import process_file result = process_file(file='path/to/an/excel/file', noninteractive= True, noindent= True, output_formula_format='[[CELL-ADDR]], [[INT-FORMULA]]', return_deobfuscated= True, timeout= 30) for record in result: print(record) * note: the xlmdeofuscator logo will not be shown when you use it as a library **Requirements** Please read requirements.txt to get the list of python libraries that XLMMacroDeobfuscator is dependent on. xlmdeobfuscator can be executed on any OS to extract and deobfuscate macros in xls, xlsm, and xlsb files. You do not need to install MS Excel. Note: if you want to use MS Excel (on Windows), you need to install pywin32 [library](<https://www.kitploit.com/search/label/Library> "library" ) and use --with-ms-excel switch. If --with-ms-excel is used, xlmdeobfuscator, first, attempts to load xls files with MS Excel, if it fails it uses [xlrd2 library](<https://github.com/DissectMalware/xlrd2> "xlrd2 library" ). **Project Using XLMMacroDeofuscator** XLMMacroDeofuscator is adopted in the following projects: * [CAPE Sandbox](<https://github.com/ctxis/CAPE> "CAPE Sandbox" ) * [FAME](<https://certsocietegenerale.github.io/fame/> "FAME" ) * [REMNUX](<https://remnux.org/> "REMNUX" ) * [IntelOwl](<https://github.com/intelowlproject/IntelOwl> "IntelOwl" ) * [Assemblyline 4](<https://cybercentrecanada.github.io/assemblyline4_docs/> "Assemblyline 4" ) by Canadian Centre for Cyber Security Please contact me if you incorporated XLMMacroDeofuscator in your project. **How to Contribute** If you found a bug or would like to suggest an improvement, please create a new issue on the [issues page](<https://github.com/DissectMalware/XLMMacroDeobfuscator/issues> "issues page" ). Feel free to contribute to the project forking the project and submitting a pull request. You can reach [me (@DissectMlaware) on Twitter](<https://twitter.com/DissectMalware> "me \(@DissectMlaware\) on Twitter" ) via a direct message. **[Download XLMMacroDeobfuscator](<https://github.com/DissectMalware/XLMMacroDeobfuscator> "Download XLMMacroDeobfuscator" )**

{"id": "KITPLOIT:985216893766955741", "vendorId": null, "type": "kitploit", "bulletinFamily": "tools", "title": "XLMMacroDeobfuscator - Extract And Deobfuscate XLM Macros (A.K.A Excel 4.0 Macros)", "description": "[![](https://1.bp.blogspot.com/-PRR-vsEVids/YRwVFc6cVJI/AAAAAAAAq1k/zCViiFenVG8uOEysZWiH9cbAxr_Ss_XtgCNcBGAsYHQ/w640-h368/xlm.png)](<https://1.bp.blogspot.com/-PRR-vsEVids/YRwVFc6cVJI/AAAAAAAAq1k/zCViiFenVG8uOEysZWiH9cbAxr_Ss_XtgCNcBGAsYHQ/s810/xlm.png>)\n\n \n\n\nXLMMacroDeobfuscator can be used to [decode](<https://www.kitploit.com/search/label/Decode> \"decode\" ) obfuscated XLM macros (also known as Excel 4.0 macros). It utilizes an internal XLM [emulator](<https://www.kitploit.com/search/label/Emulator> \"emulator\" ) to interpret the macros, without fully performing the code.\n\nIt supports both xls, xlsm, and xlsb formats.\n\nIt uses [xlrd2](<https://github.com/DissectMalware/xlrd2> \"xlrd2\" ), [pyxlsb2](<https://github.com/DissectMalware/pyxlsb2> \"pyxlsb2\" ) and its own parser to extract cells and other information from xls, xlsb and xlsm files, respectively.\n\nYou can also find XLM grammar in [xlm-macro-lark.template](<https://github.com/DissectMalware/XLMMacroDeobfuscator/blob/master/XLMMacroDeobfuscator/xlm-macro.lark.template> \"xlm-macro-lark.template\" )\n\n \n\n\n**Installing the emulator** \n\n\n 1. Install using pip\n \n \n pip install XLMMacroDeobfuscator \n \n\n 2. Installing the latest development\n \n \n pip install -U https://github.com/DissectMalware/xlrd2/archive/master.zip \n pip install -U https://github.com/DissectMalware/pyxlsb2/archive/master.zip \n pip install -U https://github.com/DissectMalware/XLMMacroDeobfuscator/archive/master.zip \n \n\n \n**Running the emulator** \n\n\nTo [deobfuscate](<https://www.kitploit.com/search/label/Deobfuscate> \"deobfuscate\" ) macros in Excel documents:\n \n \n xlmdeobfuscator --file document.xlsm \n \n\nTo only get the deobfuscated macros and without any indentation:\n \n \n xlmdeobfuscator --file document.xlsm --no-indent --output-formula-format \"[[INT-FORMULA]]\" \n \n\nTo export the output in JSON format\n \n \n xlmdeobfuscator --file document.xlsm --export-json result.json \n \n\nTo see a sample JSON output, please check [this link](<https://pastebin.com/bwmS7mi0> \"this link\" ) out.\n\nTo use a config file\n \n \n xlmdeobfuscator --file document.xlsm -c default.config \n \n\ndefault.config file must be a valid json file, such as:\n \n \n { \n \t\"no-indent\": true, \n \t\"output-formula-format\": \"[[CELL-ADDR]] [[INT-FORMULA]]\", \n \t\"non-interactive\": true, \n \t\"output-level\": 1 \n }\n\n \n**Command Line** \n\n\nemulation after N seconds (0: not interruption N>0: stop emulation after N seconds) \">\n \n \n \n _ _______ \n |\\ /|( \\ ( ) \n ( \\ / )| ( | () () | \n \\ (_) / | | | || || | \n ) _ ( | | | |(_)| | \n / ( ) \\ | | | | | | \n ( / \\ )| (____/\\| ) ( | \n |/ \\|(_______/|/ \\| \n ______ _______ _______ ______ _______ _______ _______ _______ _________ _______ _______ \n ( __ \\ ( ____ \\( ___ )( ___ \\ ( ____ \\|\\ /|( ____ \\( ____ \\( ___ )\\__ __/( ___ )( ____ ) \n | ( \\ )| ( \\/| ( ) || ( ) )| ( \\/| ) ( || ( \\/| ( \\/| ( ) | ) ( | ( ) || ( )| \n | | ) || (__ | | | || (__/ / | (__ | | | || (_____ | | | (___) | | | | | | || (____)| \n | | | || __) | | | || __ ( | __) | | | |(_____ )| | | ___ | | | | | | || __) \n | | ) || ( | | | || ( \\ \\ | ( | | | | ) || | | ( ) | | | | | | || (\\ ( \n | (__/ )| (____/\\| (___) || )___) )| ) | (___) |/\\____) || (____/\\| ) ( | | | | (___) || ) \\ \\__ \n (______/ (_______/(_______)|/ \\___/ |/ (_______)\\_______)(_______/|/ \\| )_( (_______)|/ \\__/ \n \n \n XLMMacroDeobfuscator(v0.1.7) - https://github.com/DissectMalware/XLMMacroDeobfuscator \n \n usage: deobfuscator.py [-h] [-c FILE_PATH] [-f FILE_PATH] [-n] [-x] [-2] \n [--with-ms-excel] [-s] [-d DAY] \n [--output-formula-format OUTPUT_FORMULA_FORMAT] \n [--no-indent] [--export-json FILE_PATH] \n [--start-point CELL_ADDR] [-p PASSWORD] \n [-o OUTPUT_LEVEL] \n \n optional arguments: \n -h, --help show this help message and exit \n -c FILE_PATH, --config_file FILE_PATH \n Specify a config file (must be a valid JSON file) \n -f FILE_PATH, --file FILE_PATH \n The path of a XLSM file \n -n , --noninteractive Disable interactive shell \n -x, --extract-only Only extract cells without any emulation \n -2, --no-ms-excel [Deprecated] Do not use MS Excel to process XLS files \n --with-ms-excel Use MS Excel to process XLS files \n -s, --start-with-shell \n Open an XLM shell before interpreting the macros in \n the input \n -d DAY, --day DAY Specify the day of month \n --output-formula-format OUTPUT_FORMULA_FORMAT \n Specify the format for output formulas ([[CELL-ADDR]], \n [[INT-FORMULA]], and [[STATUS]] \n --no-indent Do not show indent before formulas \n --export-json FILE_PATH \n Export the output to JSON \n --start-point CELL_ADDR \n Start interpretation from a specific cell address \n -p PASSWORD, --password PASSWORD \n Password to decrypt t he protected document \n -o OUTPUT_LEVEL, --output-level OUTPUT_LEVEL \n Set the level of details to be shown (0:all commands, \n 1: commands no jump 2:important commands 3:strings in \n important commands). \n --timeout N stop emulation after N seconds (0: not interruption \n N>0: stop emulation after N seconds) \n \n\n \n**Library** \n\n\nThe following example shows how XLMMacroDeobfuscator can be used in a python project to deobfuscate XLM macros:\n \n \n from XLMMacroDeobfuscator.deobfuscator import process_file \n \n result = process_file(file='path/to/an/excel/file', \n noninteractive= True, \n noindent= True, \n output_formula_format='[[CELL-ADDR]], [[INT-FORMULA]]', \n return_deobfuscated= True, \n timeout= 30) \n \n for record in result: \n print(record)\n\n * note: the xlmdeofuscator logo will not be shown when you use it as a library\n \n**Requirements** \n\n\nPlease read requirements.txt to get the list of python libraries that XLMMacroDeobfuscator is dependent on.\n\nxlmdeobfuscator can be executed on any OS to extract and deobfuscate macros in xls, xlsm, and xlsb files. You do not need to install MS Excel.\n\nNote: if you want to use MS Excel (on Windows), you need to install pywin32 [library](<https://www.kitploit.com/search/label/Library> \"library\" ) and use --with-ms-excel switch. If --with-ms-excel is used, xlmdeobfuscator, first, attempts to load xls files with MS Excel, if it fails it uses [xlrd2 library](<https://github.com/DissectMalware/xlrd2> \"xlrd2 library\" ).\n\n \n**Project Using XLMMacroDeofuscator** \n\n\nXLMMacroDeofuscator is adopted in the following projects:\n\n * [CAPE Sandbox](<https://github.com/ctxis/CAPE> \"CAPE Sandbox\" )\n * [FAME](<https://certsocietegenerale.github.io/fame/> \"FAME\" )\n * [REMNUX](<https://remnux.org/> \"REMNUX\" )\n * [IntelOwl](<https://github.com/intelowlproject/IntelOwl> \"IntelOwl\" )\n * [Assemblyline 4](<https://cybercentrecanada.github.io/assemblyline4_docs/> \"Assemblyline 4\" ) by Canadian Centre for Cyber Security\n\nPlease contact me if you incorporated XLMMacroDeofuscator in your project.\n\n \n**How to Contribute** \n\n\nIf you found a bug or would like to suggest an improvement, please create a new issue on the [issues page](<https://github.com/DissectMalware/XLMMacroDeobfuscator/issues> \"issues page\" ).\n\nFeel free to contribute to the project forking the project and submitting a pull request.\n\nYou can reach [me (@DissectMlaware) on Twitter](<https://twitter.com/DissectMalware> \"me \\(@DissectMlaware\\) on Twitter\" ) via a direct message.\n\n \n \n\n\n**[Download XLMMacroDeobfuscator](<https://github.com/DissectMalware/XLMMacroDeobfuscator> \"Download XLMMacroDeobfuscator\" )**\n", "published": "2021-08-21T21:30:00", "modified": "2021-08-21T21:30:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "http://www.kitploit.com/2021/08/xlmmacrodeobfuscator-extract-and.html", "reporter": "KitPloit", "references": ["https://github.com/intelowlproject/IntelOwl", "https://cybercentrecanada.github.io/assemblyline4_docs/", "https://github.com/DissectMalware/XLMMacroDeobfuscator/blob/master/XLMMacroDeobfuscator/xlm-macro.lark.template", "https://github.com/DissectMalware/pyxlsb2", "https://github.com/DissectMalware/XLMMacroDeobfuscator/issues", "https://github.com/DissectMalware/XLMMacroDeobfuscator", "https://github.com/ctxis/CAPE", "https://github.com/DissectMalware/xlrd2", "https://pastebin.com/bwmS7mi0", "https://certsocietegenerale.github.io/fame/"], "cvelist": [], "immutableFields": [], "lastseen": "2022-04-07T12:01:44", "viewCount": 93, "enchantments": {"dependencies": {}, "score": {"value": -0.4, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.4}, "_state": {"dependencies": 1659911869, "score": 1659847081}, "_internal": {"score_hash": "a177e54a1204651b07bb37679de64f9c"}, "toolHref": "https://github.com/DissectMalware/XLMMacroDeobfuscator"}