def manage_xlm_macros(self): self.olevba_results["xlm_macro"] = False # check if the file contains an XLM macro # and try an experimental parsing # credits to https://twitter.com/gabriele_pippi for the idea if self.vbaparser.detect_xlm_macros(): self.olevba_results["xlm_macro"] = True logger.debug("experimental XLM macro analysis start") parsed_file = b"" try: excel_doc = XLSWrapper2(self.filepath) ae_list = [ "auto_open", "auto_close", "auto_activate", "auto_deactivate", ] self.olevba_results["xlm_macro_autoexec"] = [] for ae in ae_list: auto_exec_labels = excel_doc.get_defined_name( ae, full_match=False) for label in auto_exec_labels: self.olevba_results["xlm_macro_autoexec"].append( label[0]) for i in show_cells(excel_doc): rec_str = "" if len(i) == 5: # rec_str = 'CELL:{:10}, {:20}, {}' # .format(i[0].get_local_address(), i[2], i[4]) if i[2] != "None": rec_str = "{:20}".format(i[2]) if rec_str: parsed_file += rec_str.encode() parsed_file += b"\n" except Exception as e: logger.info( f"experimental XLM macro analysis failed. Exception: {e}") else: logger.debug(f"experimental XLM macro analysis succeded. " f"Binary to analyze: {parsed_file}") if parsed_file: self.vbaparser = VBA_Parser(self.filename, data=parsed_file)
def process_file(**kwargs): """ { 'file': '/tmp/8a6e4c10c30b773147d0d7c8307d88f1cf242cb01a9747bfec0319befdc1fcaf', 'noninteractive': False, 'extract_only': False, 'no_ms_excel': True, 'start_with_shell': False, 'return_deobfuscated': False, } """ deobfuscated = list() file_path = os.path.abspath(kwargs.get("file")) file_type = get_file_type(file_path) if file_type is None: return ('ERROR: input file type is not supported') try: start = time.time() excel_doc = None print('[Loading Cells]') if file_type == 'xls': if kwargs.get("no_ms_excel"): excel_doc = XLSWrapper2(file_path) else: try: excel_doc = XLSWrapper(file_path) except Exception as exp: excel_doc = XLSWrapper2(file_path) elif file_type == 'xlsm': excel_doc = XLSMWrapper(file_path) elif file_type == 'xlsb': excel_doc = XLSBWrapper(file_path) if excel_doc is None: return ("File format is not supported") auto_open_labels = excel_doc.get_defined_name('auto_open', full_match=False) for label in auto_open_labels: print('auto_open: {}->{}'.format(label[0], label[1])) if kwargs.get("extract_only"): show_cells(excel_doc) else: interpreter = XLMInterpreter(excel_doc) if kwargs.get("day") > 0: interpreter.day_of_month = kwargs.get("day") if kwargs.get("start_with_shell"): starting_points = interpreter.xlm_wrapper.get_defined_name( 'auto_open', full_match=False) if len(starting_points) > 0: sheet_name, col, row = Cell.parse_cell_addr( starting_points[0][1]) macros = interpreter.xlm_wrapper.get_macrosheets() if sheet_name in macros: current_cell = interpreter.get_formula_cell( macros[sheet_name], col, row) interpreter.interactive_shell(current_cell, "") for step in interpreter.deobfuscate_macro( not kwargs.get("noninteractive")): if not kwargs.get("return_deobfuscated"): uprint('CELL:{:10}, {:20},{}{}'.format( step[0].get_local_address(), step[1].name, ''.join(['\t'] * step[3]), step[2])) else: deobfuscated.append('CELL:{:10}, {:20},{}{}'.format( step[0].get_local_address(), step[1].name, ''.join(['\t'] * step[3]), step[2])) print('time elapsed: ' + str(time.time() - start)) finally: if HAS_XLSWrapper and type(excel_doc) is XLSWrapper: excel_doc._excel.Application.DisplayAlerts = False excel_doc._excel.Application.Quit() if kwargs.get("return_deobfuscated"): return deobfuscated