XLM Macro Deobfuscator v0.2.7 releases: Extract and Deobfuscate XLM macros
XLM Macro Deobfuscator
XLM Macro Deobfuscator can be used to decode obfuscated XLM macros (also known as Excel 4.0 macros). It uses an internal XLM emulator to interpret the macros, without fully executing the code.
It supports the xls, xlsm, and xlsb formats.
It uses xlrd2, pyxlsb2, and its own parser to extract cells and other information from xls, xlsb, and xlsm files, respectively.
You can also find the XLM grammar in xlm-macro-en.lark.
Changelog v0.2.7
- Bug fix
Install
- Install using pip
pip install XLMMacroDeobfuscator
- Install the latest development version
pip install -U https://github.com/DissectMalware/XLMMacroDeobfuscator/archive/master.zip
Use
To deobfuscate macros in Excel documents:
xlmdeobfuscator --file document.xlsm
To get only the deobfuscated macros, without any indentation:
xlmdeobfuscator --file document.xlsm --no-indent --output-formula-format "[[INT-FORMULA]]"
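The plain formula output from the command above is convenient for scripted triage. The following is an added example, not part of XLMMacroDeobfuscator or the original page: it assumes the output was saved to a text file with one formula per line, and the watchlist and sample formulas are constructed for illustration.

```python
import re
import sys

# Excel 4.0 functions that reach outside the workbook (run programs, call
# DLL exports, write files). A triage choice for this example, not a list
# taken from XLMMacroDeobfuscator.
WATCHLIST = {"EXEC", "CALL", "REGISTER", "FOPEN", "FWRITE", "FWRITELN"}

STRING = re.compile(r'"(?:[^"]|"")*"')  # string literal; "" escapes a quote
FUNC = re.compile(r"\b([A-Z][A-Z0-9.]*)\s*\(", re.IGNORECASE)

# Constructed sample, assumed shape: one deobfuscated formula per line.
SAMPLE = '''\
=SET.NAME("note","EXEC(this is only text)")
=IF(ISNUMBER(A1),CLOSE(FALSE),)
=CALL("example.dll","ExampleExport","JJ",0)
=exec("example.exe ""quoted arg""")
=HALT()
'''.splitlines()


def triage(lines):
    """Return (line_no, watched_functions, string_literals) per flagged line."""
    hits = []
    for line_no, raw in enumerate(lines, 1):
        line = raw.strip()
        literals = [s[1:-1].replace('""', '"') for s in STRING.findall(line)]
        # Blank out literals so a name inside quoted text is not a call.
        code = STRING.sub('""', line)
        called = {name.upper() for name in FUNC.findall(code)}
        watched = sorted(called & WATCHLIST)
        if watched:
            hits.append((line_no, watched, literals))
    return hits


if __name__ == "__main__":
    # Usage: python triage.py formulas.txt   (no argument: run on SAMPLE)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE
    for line_no, watched, literals in triage(lines):
        print(f"line {line_no}: {', '.join(watched)} args={literals}")
```

Lines that contain no watched call, including any banner or status lines the tool prints, are simply skipped.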
To export the output in JSON format:
xlmdeobfuscator --file document.xlsm --export-json result.json
To see a sample JSON output, please check this link out.
To use a config file:
xlmdeobfuscator --file document.xlsm -c default.config
The default.config file must be a valid JSON file, such as:
Library
The following example shows how XLMMacroDeobfuscator can be used in a Python project to deobfuscate XLM macros:
- Note: the xlmdeobfuscator logo will not be shown when you use it as a library
Copyright 2020 Amirreza Niakanlahiji