def manage_xlm_macros(self):
self.olevba_results["xlm_macro"] = False
# check if the file contains an XLM macro
# and try an experimental parsing
# credits to https://twitter.com/gabriele_pippi for the idea
if self.vbaparser.detect_xlm_macros():
self.olevba_results["xlm_macro"] = True
logger.debug("experimental XLM macro analysis start")
parsed_file = b""
try:
excel_doc = XLSWrapper2(self.filepath)
ae_list = [
"auto_open",
"auto_close",
"auto_activate",
"auto_deactivate",
]
self.olevba_results["xlm_macro_autoexec"] = []
for ae in ae_list:
auto_exec_labels = excel_doc.get_defined_name(
ae, full_match=False)
for label in auto_exec_labels:
self.olevba_results["xlm_macro_autoexec"].append(
label[0])
for i in show_cells(excel_doc):
rec_str = ""
if len(i) == 5:
# rec_str = 'CELL:{:10}, {:20}, {}'
# .format(i[0].get_local_address(), i[2], i[4])
if i[2] != "None":
rec_str = "{:20}".format(i[2])
if rec_str:
parsed_file += rec_str.encode()
parsed_file += b"\n"
except Exception as e:
logger.info(
f"experimental XLM macro analysis failed. Exception: {e}")
else:
logger.debug(f"experimental XLM macro analysis succeded. "
f"Binary to analyze: {parsed_file}")
if parsed_file:
self.vbaparser = VBA_Parser(self.filename,
data=parsed_file)
def process_file(**kwargs):
"""
{
'file': '/tmp/8a6e4c10c30b773147d0d7c8307d88f1cf242cb01a9747bfec0319befdc1fcaf',
'noninteractive': False,
'extract_only': False,
'no_ms_excel': True,
'start_with_shell': False,
'return_deobfuscated': False,
}
"""
deobfuscated = list()
file_path = os.path.abspath(kwargs.get("file"))
file_type = get_file_type(file_path)
if file_type is None:
return ('ERROR: input file type is not supported')
try:
start = time.time()
excel_doc = None
print('[Loading Cells]')
if file_type == 'xls':
if kwargs.get("no_ms_excel"):
excel_doc = XLSWrapper2(file_path)
else:
try:
excel_doc = XLSWrapper(file_path)
except Exception as exp:
excel_doc = XLSWrapper2(file_path)
elif file_type == 'xlsm':
excel_doc = XLSMWrapper(file_path)
elif file_type == 'xlsb':
excel_doc = XLSBWrapper(file_path)
if excel_doc is None:
return ("File format is not supported")
auto_open_labels = excel_doc.get_defined_name('auto_open',
full_match=False)
for label in auto_open_labels:
print('auto_open: {}->{}'.format(label[0], label[1]))
if kwargs.get("extract_only"):
show_cells(excel_doc)
else:
interpreter = XLMInterpreter(excel_doc)
if kwargs.get("day") > 0:
interpreter.day_of_month = kwargs.get("day")
if kwargs.get("start_with_shell"):
starting_points = interpreter.xlm_wrapper.get_defined_name(
'auto_open', full_match=False)
if len(starting_points) > 0:
sheet_name, col, row = Cell.parse_cell_addr(
starting_points[0][1])
macros = interpreter.xlm_wrapper.get_macrosheets()
if sheet_name in macros:
current_cell = interpreter.get_formula_cell(
macros[sheet_name], col, row)
interpreter.interactive_shell(current_cell, "")
for step in interpreter.deobfuscate_macro(
not kwargs.get("noninteractive")):
if not kwargs.get("return_deobfuscated"):
uprint('CELL:{:10}, {:20},{}{}'.format(
step[0].get_local_address(), step[1].name,
''.join(['\t'] * step[3]), step[2]))
else:
deobfuscated.append('CELL:{:10}, {:20},{}{}'.format(
step[0].get_local_address(), step[1].name,
''.join(['\t'] * step[3]), step[2]))
print('time elapsed: ' + str(time.time() - start))
finally:
if HAS_XLSWrapper and type(excel_doc) is XLSWrapper:
excel_doc._excel.Application.DisplayAlerts = False
excel_doc._excel.Application.Quit()
if kwargs.get("return_deobfuscated"):
return deobfuscated