XLMMacroDeobfuscator is an XLM emulation engine written in Python 3, designed to analyze and deobfuscate malicious XLM macros, also known as Excel 4.0 macros, contained in MS Excel files (XLS, XLSM, and XLSB).
Project description
XLMMacroDeobfuscator
XLMMacroDeobfuscator can be used to decode obfuscated XLM macros (also known as Excel 4.0 macros). It utilizes an internal XLM emulator to interpret the macros without fully executing the code.
It supports the xls, xlsm, and xlsb formats.
It uses pyxlsb2 and its own parser to extract cells and other information from xlsb and xlsm files. For xls files, however, it relies on MS Excel to extract that information, so MS Excel must be installed on the machine if you want to process xls files.
Note: processing xlsm and xlsb files is much faster than processing xls files (by two orders of magnitude).
An xls parser will be added soon to make the tool independent of MS Excel.
WARNING: tmp\tmp.zip contains real malicious Excel documents (password: infected). Please only run them in a testing environment.
You can also find the XLM grammar in xlm-macro.lark
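To make concrete what "interpreting the macros without fully executing the code" means, here is a toy XLM emulator added to this page as an illustration. It is not code from XLMMacroDeobfuscator and does not use its API or grammar file; the sheet layout in SAMPLE_CELLS, the cell contents, and the handful of supported XLM functions (CHAR, FORMULA, EXEC, HALT) are all assumptions made for the example.

```python
# Toy XLM (Excel 4.0 macro) emulator, added as an illustration; it is not code
# from XLMMacroDeobfuscator. Side-effecting macro calls are recorded, not run.
import re

TOKEN_RE = re.compile(r'\s*(?:(?P<str>"(?:[^"]|"")*")|(?P<num>\d+(?:\.\d+)?)'
                      r'|(?P<name>[A-Za-z_][A-Za-z0-9_.]*)|(?P<op>[()&,]))')

# Constructed sample, styled like an obfuscated XLM dropper: FORMULA() writes the
# reassembled EXEC call into A3 at runtime, so extracting cells alone misses it.
SAMPLE_CELLS = {
    "A1": "=CHAR(99)&CHAR(97)&CHAR(108)&CHAR(99)",  # evaluates to "calc"
    "A2": '=FORMULA("=EXEC("""&A1&B1&""")",A3)',
    "A4": "=HALT()",
    "B1": ".exe",
}


class XlmEmulator:
    def __init__(self, cells):
        self.cells = dict(cells)  # address -> raw content (formula or literal)
        self.executed, self.trace = [], []  # EXEC command lines; (cell, func, args) calls
        self.halted, self._current, self._tokens = False, None, []

    def evaluate(self, formula):
        saved, text = self._tokens, formula.strip().lstrip("=")  # may recurse into cells
        matches = list(TOKEN_RE.finditer(text))
        if "".join(m.group(0) for m in matches) != text:
            raise ValueError(f"unsupported syntax in {formula!r}")
        self._tokens = [(m.lastgroup, m.group(m.lastgroup)) for m in matches]
        value, leftover = self._expr(), self._tokens
        self._tokens = saved
        if leftover:
            raise ValueError(f"trailing tokens in {formula!r}")
        return value

    def cell_value(self, address):  # literal cells return as-is, formulas are evaluated
        raw = self.cells.get(address.upper(), "")
        return self.evaluate(raw) if isinstance(raw, str) and raw.startswith("=") else raw

    def _peek(self):
        return self._tokens[0] if self._tokens else (None, None)

    def _next(self, expect=None):
        tok = self._tokens.pop(0) if self._tokens else (None, None)
        if expect and tok != ("op", expect):
            raise ValueError(f"expected {expect!r}, got {tok[1]!r}")
        return tok

    def _expr(self):  # expr := term ('&' term)*   ('&' concatenates as text)
        value = self._term()
        while self._peek() == ("op", "&"):
            self._next()
            value = str(value) + str(self._term())
        return value

    def _term(self):  # term := string | number | NAME '(' args ')' | cell reference
        kind, text = self._next()
        if kind == "str":
            return text[1:-1].replace('""', '"')
        if kind == "num":
            return float(text) if "." in text else int(text)
        if kind == "name":
            return self._call(text.upper()) if self._peek() == ("op", "(") else self.cell_value(text)
        raise ValueError(f"unexpected token {text!r}")

    def _call(self, name):
        self._next("(")
        args = []
        while self._peek() != ("op", ")"):
            if args:
                self._next(",")
            if name == "FORMULA" and len(args) == 1:  # target is a reference, not a value
                args.append(self._next()[1].upper())
            else:
                args.append(self._expr())
        self._next(")")
        return self._builtin(name, args)

    def _builtin(self, name, args):
        if name == "CHAR":
            return chr(int(args[0]))
        if name not in ("FORMULA", "EXEC", "HALT"):
            raise NotImplementedError(f"XLM function {name} is not emulated")
        self.trace.append((self._current, name, tuple(args)))  # the deobfuscated call
        if name == "FORMULA":  # write the resolved formula into the sheet
            self.cells[args[1]] = str(args[0])
        elif name == "EXEC":   # record the command line instead of spawning it
            self.executed.append(str(args[0]))
        self.halted = self.halted or name == "HALT"
        return True

    def run(self, start, max_steps=1000):  # step down one column until HALT()
        col, first = re.fullmatch(r"([A-Za-z]+)(\d+)", start).groups()
        for row in range(int(first), int(first) + max_steps):
            self._current = f"{col.upper()}{row}"
            self.cell_value(self._current)  # a step's macro call fires during evaluation
            if self.halted:
                break
        return self.trace
```

`XlmEmulator(SAMPLE_CELLS).run("A1")` returns the three macro calls with their arguments already resolved, and `executed` holds `calc.exe` although no process was spawned. The same sheet read by cell extraction alone (what the `--extract-only` option does) never contains A3, because that cell only exists once FORMULA() has run; that gap is why emulation, rather than extraction, is needed to see the final EXEC.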
Running the script
To run the script
python deobfuscator.py --file document.xlsm
Usage
usage: deobfuscator.py [-h] [-f FILE] [-n] [-x] [-s]
optional arguments:
-h, --help show this help message and exit
-f FILE, --file FILE The path of a XLSM file
-n, --noninteractive Disable interactive shell
-x, --extract-only Only extract cells without any emulation
-s, --start-with-shell Open an XLM shell before interpreting the macros in the input
Prerequisites
To parse xlsb files, XLMMacroDeobfuscator relies on pyxlsb2. To install the pyxlsb2 library:
pip install -U pyxlsb2
It also requires Microsoft Excel in order to process XLS files. However, if only XLSM or XLSB files are being processed, MS Excel is not needed.
* This code is under heavy development. Expect to see radical changes in the code.
Download files
Hashes for XLMMacroDeobfuscator-0.1.0.tar.gz
Algorithm | Hash digest
---|---
SHA256 | c45fc4cf33b4ed974f9ae6a21170f795ef5e4720d7a43a78a07797d8a1b677b7
MD5 | fc537a87a8212d6352a9dcd005655a43
BLAKE2b-256 | 168380e1fe8eb34124284efb8aed8701e51938cbb22ea4bfe58fbaf079cdc45f
Hashes for XLMMacroDeobfuscator-0.1.0-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 0a509392aec4a980de66dd56d0a19032b44e4c9ba272b90c4e30d61660c8325a
MD5 | 8f5a2e180f36fa791dcdf41b099a2e01
BLAKE2b-256 | b8bd481a7cc8b17bf713a2572fa952c4beb063234fee40f76a9fd35824d2b017