Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fails on recent Emotet maldocs. #102

Closed
kirk-sayre-work opened this issue Feb 4, 2022 · 4 comments
Closed

Fails on recent Emotet maldocs. #102

kirk-sayre-work opened this issue Feb 4, 2022 · 4 comments
Assignees
@DissectMalware
Labels
bug Something isn't working

Comments

@kirk-sayre-work
Copy link

xlmdeobfuscator -x fails with a Error [deobfuscator.py:3189 process_file(**vars(args))]: 'None' has no attribute 'xm_macrosheet' error on recent (2/4/2022) Emotet Excel samples. Some example Emotet file hashes are 9ddac5c4281f20c330439fae9bcbd8d6693b80083fa10894bb9ce002c2015399 and 77ee213b8790da89694d63a2288e223450c67fa75c82aceb968625c509154937.
@doomedraven
Copy link
Contributor

here a bit more context

File "/usr/local/lib/python3.9/site-packages/XLMMacroDeobfuscator/xlsm_wrapper.py", line 268, in load_macro_cells
    if not hasattr(macrosheet_obj.xm_macrosheet.sheetData, 'row'):
  File "/usr/local/lib/python3.9/site-packages/untangle.py", line 82, in __getattr__
    raise AttributeError(
AttributeError: 'None' has no attribute 'xm_macrosheet'


>>> dir(macrosheet_obj)
['worksheet']

>>> macrosheet_obj.xm_macrosheet
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/usr/local/lib/python3.9/site-packages/untangle.py", line 82, in __getattr__
    raise AttributeError(
AttributeError: 'None' has no attribute 'xm_macrosheet'

@DissectMalware DissectMalware added the bug Something isn't working label Feb 4, 2022
@DissectMalware DissectMalware self-assigned this Feb 4, 2022
@DissectMalware
Copy link
Owner

DissectMalware commented Feb 5, 2022
edited
Loading

RCA:

Normal XLM macrosheet looks like this:
image

The emotet macrosheet looks like this (instead of having xm:macroosheet as the root element it has worksheet element):
image

despite saying worksheet, this is a macrosheet
image

DissectMalware added a commit that referenced this issue Feb 5, 2022
@DissectMalware
Fix - the root of macrosheet can be worksheet element #102
eb1788b
@DissectMalware
Copy link
Owner

DissectMalware commented Feb 5, 2022
edited
Loading

The extraction issue is resolved. But still another issue prevents xlmdeobfuscator to emulate this instance. As such I will keep this issue open.

image

@DissectMalware
Copy link
Owner

This issue is fixed in 04e5dc1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DissectMalware DissectMalware

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@doomedraven @DissectMalware @kirk-sayre-work