Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug: Unexpected token Token(__ANON_0, '())') #52

Open
malware-kitten opened this issue Jun 25, 2020 · 2 comments
Open

Bug: Unexpected token Token(__ANON_0, '())') #52

malware-kitten opened this issue Jun 25, 2020 · 2 comments
Assignees
@DissectMalware
Labels
bug Something isn't working

Comments

@malware-kitten
Copy link

When running the latest from git, the following bug appears when running against malware sample ffa75887740c235250a61413117bb2ee

mal.zip
Password: infected

Error [deobfuscator.py:1590 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token(__ANON_0, '())') at line 1, column 34.

Here's an example of the full run

[Loading Cells]
auto_open: auto_open->'S'!$FP$36983
[Starting Deobfuscation]
CELL:FP36983   , FullEvaluation      , $II$43299()
CELL:II43299   , FullEvaluation      , SET.NAME(ywqifcx,)
CELL:II43300   , FullEvaluation      , SET.NAME(wcykn,$DS$34038)
CELL:II43301   , FullEvaluation      , SET.NAME(cxyisnqgz,$FE$53601)
CELL:II43302   , FullEvaluation      , WHILE(cxyISNqGZ<>"HVDUGKk") -> [True]
CELL:II43303   , FullEvaluation      ,  SET.NAME(ocxnescllxklh,cxyISNqGZ)
Error [deobfuscator.py:1590 parse_tree = self.xlm_parser.parse(formula)]: Unexpected token Token(__ANON_0, '())') at line 1, column 34.
Expected one of: 
        * LIST_SEPARATOR
        * CONCATOP
        * CMPOP
        * R_PRA
        * ADDITIVEOP
        * MULTIOP


Files:

[END of Deobfuscation]
time elapsed: 0.6967053413391113

When running in excel the sample will reach out to:

http://81.16.141[.]208/F3gbNM
@DissectMalware
Copy link
Owner

Other similar samples:

27814e7df19b2b3165fd93b8148b22eaafc78cff4f649d16bacf9ba5d2f943f1
77d7cb65a982b20a8176c1f72f897e50a81a8c1fff0837afecda20b9bb1ba843
2fbae9bcd3d74139090c83eae09e7322c7d16b73aee8e648af1984b37552132d

@DissectMalware DissectMalware added the bug Something isn't working label Jun 26, 2020
@DissectMalware DissectMalware self-assigned this Jun 26, 2020
@ghanashyams
Copy link

I encounter similar error for following sample too.
3a8ee8980c991b40e77d3d7f2b9041a1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DissectMalware DissectMalware

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@malware-kitten @DissectMalware @ghanashyams