oletools

XLM Formula Improperly Decoded

Open kirk-sayre-work opened this issue 5 years ago • 0 comments

Affected tool: olevba

Describe the bug: olevba is improperly decoding the arguments to an XLM 4.0 RUN() macro call. olevba is decoding the formula as:

RUN(-B0=83)

The formula (as decoded by xlmdeobfuscator) should be:

RUN(ЭтаКнига.Dasert)

File/Malware sample to reproduce the bug: This is being done in a Trickbot downloader. An example is https://bazaar.abuse.ch/sample/344a1f99e4916f2b88f098735397a2b4bb02179022dadb7d482fa8a8eb429183/.

How To Reproduce the bug: The improperly decoded cell is Docs:S6

Version information:

  • OS: Linux
  • OS version: Ubuntu 18.04, 64 bit
  • Python version: 3.6 64 bits
  • oletools version: olevba: 0.56.1.dev2

kirk-sayre-work • Dec 12 '20 02:12