Xlm Macro deobfuscation

Author: 0ssigeno

api_app/script_analyzers/file_analyzers/xlm_macro_deobfuscator.py

@@ -0,0 +1,62 @@
+import logging
+
+from api_app.script_analyzers.classes import FileAnalyzer
+from celery.exceptions import SoftTimeLimitExceeded
+import subprocess
+from pathlib import Path
+import json
+
+logger = logging.getLogger(__name__)
+
+
+class XlmMacroDeobfuscator(FileAnalyzer):
+    def set_config(self, additional_config_params):
+        self.passwords_to_check = []
+        additional_passwords_to_check = additional_config_params.get(
+            "passwords_to_check", []
+        )
+        if isinstance(additional_passwords_to_check, list):
+            self.passwords_to_check.extend(additional_passwords_to_check)
+        elif isinstance(additional_passwords_to_check, str):
+            self.passwords_to_check.append(additional_passwords_to_check)
+
+    def run(self):
+        results = {}
+        try:
+            if not self.passwords_to_check:
+                results = self.decrypt()
+            else:
+                for password in self.passwords_to_check:
+                    results = self.decrypt(password)
+                    if results:
+                        break
+            if not results:
+                results["errors"] = "Unable to deobfuscate"
+        except SoftTimeLimitExceeded as e:
+            error_message = (
+                f"job_id:{self.job_id} analyzer:{self.analyzer_name} md5:{self.md5}"
+                f"filename: {self.filename}. Soft Time Limit Exceeded Error {e}"
+            )
+            logger.error(error_message)
+            self.report["errors"].append(str(e))
+            self.report["success"] = False
+        return results
+
+    def decrypt(self, password=""):
+        cmd = [
+            "xlmdeobfuscator",
+            "--file",
+            self.filepath,
+            "--export-json",
+            "result.json",
+        ]
+        pwd_cmd = ["--password", password] if password else []
+        subprocess.run(cmd + pwd_cmd, stdout=subprocess.PIPE).stdout.decode("utf-8")
+        path = Path("result.json")
+        if not path.exists():
+            return {}
+        with path.open("r") as f:
+            results = json.load(f)
+        path.unlink()
+        results["correct_password"] = password
+        return results

configuration/analyzer_config.json

@@ -938,6 +938,22 @@
       "directories_with_rules": ["/opt/deploy/yara/rules"]
     }
   },
+  "Xlm_Macro_Deobfuscator": {
+    "type": "file",
+    "supported_filetypes": [
+      "application/vnd.ms-office",
+      "application/vnd.ms-excel.addin.macroEnabled",
+      "application/x-mspublisher",
+      "application/vnd.ms-excel",
+      "application/vnd.ms-excel.sheet.macroEnabled.12",
+      "application/excel"
+    ],
+    "decription": "Xlm macro deobfuscator",
+    "python_module": "xlm_deobfuscator_run",
+    "additional_config_params": {
+        "passwords_to_check": ["agenzia", "inps"]
+    }
+  },
   "Yara_Scan_Florian": {
     "type": "file",
     "description": "scan a file with Neo23x0 yara rules",

docs/source/Usage.md

@@ -37,6 +37,7 @@ The following is the list of the available analyzers you can run out-of-the-box:
 * `Rtf_Info`: static RTF analysis
 * `Doc_Info`: static generic document analysis
 * `Doc_Info_Experimental`: static document analysis with new features to analyze XLM macros, encrypted macros and more
+* `Xlm_Macro_Deobfuscator`:  [XlmMacroDeobfuscator](https://github.com/DissectMalware/XLMMacroDeobfuscator) deobfuscate xlm macros
 * `PE_Info`: static PE analysis
 * `Signature_Info`: PE signature extractor
 * `Speakeasy`: Speakeasy binary emulation

intel_owl/tasks.py

@@ -22,6 +22,7 @@
     apkid,
     quark_engine,
     unpac_me,
+    xlm_macro_deobfuscator,
 )
 from api_app.script_analyzers.observable_analyzers import (
     abuseipdb,
@@ -612,6 +613,15 @@ def docinfo_run(
     ).start()
 
 
+@shared_task(soft_time_limit=30)
+def xlm_deobfuscator_run(
+    analyzer_name, job_id, filepath, filename, md5, additional_config_params
+):
+    xlm_macro_deobfuscator.XlmMacroDeobfuscator(
+        analyzer_name, job_id, filepath, filename, md5, additional_config_params
+    ).start()
+
+
 @shared_task(soft_time_limit=30)
 def rtfinfo_run(
     analyzer_name, job_id, filepath, filename, md5, additional_config_params

requirements.txt

@@ -80,5 +80,5 @@ djangorestframework-guardian==0.3.0
 flake8==3.8.2 
 black==19.10b0
 quark-engine==20.8
-git+git://github.com/DissectMalware/XLMMacroDeobfuscator.git@c78b9e443e2667399470462fd863ebe4e2b8c978
+git+git://github.com/DissectMalware/XLMMacroDeobfuscator.git@89fbce0c87014a4b5a22c1aef09c8b3ea9bf16c0
 speakeasy-emulator==1.4.4

tests/test_files.py

@@ -27,6 +27,7 @@
     apkid,
     quark_engine,
     unpac_me,
+    xlm_macro_deobfuscator,
 )
 from api_app.script_analyzers.observable_analyzers import vt3_get
 
@@ -295,6 +296,34 @@ def test_speakeasy_dll(self):
         self.assertEqual(report.get("success", False), True)
 
 
+class FileAnalyzersExcelTests(TestCase):
+    def setUp(self):
+        params = {
+            "source": "test",
+            "is_sample": True,
+            "file_mimetype": "application/vnd.ms-excel",
+            "force_privacy": False,
+            "analyzers_requested": ["test"],
+        }
+        filename = "document.xls"
+        test_job = _generate_test_job_with_file(params, filename)
+        self.job_id = test_job.id
+        self.filepath, self.filename = utils.get_filepath_filename(self.job_id)
+        self.runtime_configuration = test_job.runtime_configuration
+        self.md5 = test_job.md5
+
+    def test_xlm_macro_deobfuscator_excel(self):
+        report = xlm_macro_deobfuscator.XlmMacroDeobfuscator(
+            "Xlm_Macro_Deobfuscator",
+            self.job_id,
+            self.filepath,
+            self.filename,
+            self.md5,
+            {},
+        ).start()
+        self.assertEqual(report.get("success", False), True)
+
+
 class FileAnalyzersDocTests(TestCase):
     def setUp(self):
         params = {