XLMMacroDeobfuscator is an XLM Emulation engine written in Python 3, designed to analyze and deobfuscate malicious XLM macros, also known as Excel 4.0 macros, contained in MS Excel files (XLS, XLSM, and XLSB).
XLMMacroDeobfuscator
XLMMacroDeobfuscator can be used to decode obfuscated XLM macros (also known as Excel 4.0 macros). It uses an internal XLM emulator to interpret the macros without fully executing the code.
It supports the xls, xlsm, and xlsb formats.
It uses xlrd2, pyxlsb2 and its own parser to extract cells and other information from xls, xlsb and xlsm files, respectively.
You can also find the XLM grammar in xlm-macro-en.lark.
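The idea of interpreting macros without performing their side effects, as a toy sketch added here (it is not XLMMacroDeobfuscator's code, grammar or API). The hypothetical ToyEmulator class evaluates a constructed three-cell macro sheet, resolving CHAR, & and FORMULA, and records calls such as EXEC instead of running them.

```python
import re

# Constructed macro sheet (not from a real sample): cell address -> XLM formula.
SHEET = {
    "A1": '=CHAR(99)&CHAR(97)&CHAR(108)&CHAR(99)',
    "A2": '=FORMULA(A1&".exe",B1)',
    "A3": '=EXEC(B1)',
}
TOKEN = re.compile(r'("(?:[^"]|"")*"|\d+|[A-Z]+\d+|[A-Z.]+(?=\()|[()&,])')

class ToyEmulator:
    def __init__(self, sheet):
        self.formulas, self.values, self.log = dict(sheet), {}, []

    def run(self, col="A", row=1):
        while f"{col}{row}" in self.formulas:  # step down the column, cell by cell
            self.toks = TOKEN.findall(self.formulas[f"{col}{row}"][1:])
            self.values[f"{col}{row}"] = self.expr()
            row += 1
        return self.log

    def expr(self):  # expr := term ('&' term)*
        out = self.term()
        while self.toks and self.toks[0] == "&":
            self.toks.pop(0)
            out = f"{out}{self.term()}"
        return out

    def term(self):
        t = self.toks.pop(0)
        if t.startswith('"'):
            return t[1:-1].replace('""', '"')
        if self.toks and self.toks[0] == "(":
            return self.call(t)
        return int(t) if t.isdigit() else self.values.get(t, "")  # number or cell value

    def call(self, name):
        args = []
        while self.toks.pop(0) != ")":  # consumes "(", each ",", and finally ")"
            if self.toks[0] != ")":
                # FORMULA's second argument is a destination address: keep it unevaluated.
                args.append(self.toks.pop(0) if name == "FORMULA" and args else self.expr())
        if name == "CHAR":
            return chr(args[0])
        if name == "FORMULA":
            self.values[args[1]] = args[0]  # store the decoded text in the target cell
        else:
            self.log.append(f"{name}({', '.join(map(repr, args))})")  # record, never run
        return True
```

Calling `ToyEmulator(SHEET).run()` returns the list of recorded calls with their decoded arguments, which is the deobfuscated view an analyst reads.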
Installing the emulator
- Install using pip
pip install XLMMacroDeobfuscator
- Install the latest development version
pip install -U https://github.com/DissectMalware/XLMMacroDeobfuscator/archive/master.zip
Running the emulator
To run the script
xlmdeobfuscator --file document.xlsm
Usage
usage: xlmdeobfuscator [-h] [-f FILE] [-n] [-x] [-2] [-s] [-d DAY]
optional arguments:
-h, --help show this help message and exit
-f FILE, --file FILE The path of a XLSM file
-n, --noninteractive Disable interactive shell
-x, --extract-only Only extract cells without any emulation
-2, --no-ms-excel Do not use MS Excel to process XLS files
-s, --start-with-shell Open an XLM shell before interpreting the macros in
the input
-d DAY, --day DAY Specify the day of month
Read requirements.txt to get the list of Python libraries that XLMMacroDeobfuscator depends on.
You can run XLMMacroDeobfuscator on any OS to extract and deobfuscate macros in xls, xlsm, and xlsb files. No need to install MS Excel.
Note: if you want to use MS Excel (on Windows), you need to install the pywin32 library. If you do not want to use MS Excel, use --no-ms-excel. Otherwise, xlmdeobfuscator first attempts to load xls files with MS Excel; if that fails, it uses xlrd2.
* This code is still heavily under development. Expect to see radical changes in the code.
Hashes for XLMMacroDeobfuscator-0.1.2.tar.gz
Algorithm | Hash digest
---|---
SHA256 | dc0d9cda6d6672a7d05dd85fe83bdd07dbcbfa1af330186faf7e3c936ae079b6
MD5 | 283e5612d3db409410fea64aaa886926
BLAKE2b-256 | a90931dfbf4b6a8ce6abfb5a2dcfa2269f62dfa1b35beee95e63910779cbc304
Hashes for XLMMacroDeobfuscator-0.1.2-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | ac91821e48f98b47c8885b0ef9530e61cf96446d7ba735e6981b1d91c400ab6a
MD5 | 5b5acf7bfcecca0593e97cb3af5e6651
BLAKE2b-256 | 839a2b2c56eb08dee18a36c66e2823a79295effcecae1265a2904736f02da7bb