Skip to content
/ Exceller Public

Replaces VBA cells function calls with their content, to make the VBA code less obfuscated and easier to detect by AV vendors.

2 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

deepinstinct/Exceller

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
sample_files
sample_files
 
 
Deobfuscation_Flow.png
Deobfuscation_Flow.png
 
 
README.md
README.md
 
 
exceller.py
exceller.py
 
 

Repository files navigation

Exceller

Replaces VBA cells function calls with their content, to make the VBA code less obfuscated and easier to detect by AV vendors.

Using Exceller

Use Python to run 'exceller.py' and provide it with the following parameters:

  • vba_file: a text file containing VBA code. You can use oledump to extract VBA code from Office files.
  • excel_file: a path to the Excel file from which the VBA code was extracted. Note: currently, Exceller only supports OOXML Excel files. OLE support will be added at a later stage.
  • edited_vba_file: the path in which you want to save Exceller's output, which will be a text file containig a less obfuscated version of 'vba_file'

Extracting VBA Code from Office Files

As mentioned above, you can use oledump to extract VBA from Office files. Example: python oledump.py -v -sa my_office_file> my_vba_output

Link to Didider Stevens' oledump: https://github.com/DidierStevens/DidierStevensSuite/blob/master/oledump.py

An Example for a Deobfuscation Performed by Exceller

Alt text

About

Replaces VBA cells function calls with their content, to make the VBA code less obfuscated and easier to detect by AV vendors.

Resources

Readme
Activity
Custom properties

Stars

2 stars

Watchers

3 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages