Skip to content

Releases: DissectMalware/XLMMacroDeobfuscator

XLMMacroDeobfuscator-v0.2.7

21 Sep 18:11
@DissectMalware DissectMalware
v0.2.7
4311416
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
XLMMacroDeobfuscator-v0.2.7 Latest
Latest

Bug fix

Assets 4
Loading

XLMMacroDeobfuscator-v0.2.6

10 May 09:34
@DissectMalware DissectMalware
v0.2.6
9117576
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
XLMMacroDeobfuscator-v0.2.6

Fix bug in interpreting a formula if contains a sheet name that is a valid col name like C1

Assets 4
Loading

XLMMacroDeobfuscator-v0.2.5

05 Feb 08:12
@DissectMalware DissectMalware
v0.2.5
04e5dc1
Compare
Choose a tag to compare
XLMMacroDeobfuscator-v0.2.5

In this release:
Fixed a bug in extracting formulas from macrosheet (#102)
Fixed a bug in handling defined names (#102)

Assets 4
Loading

XLMMacroDeobfuscator-v0.2.4

05 Feb 08:05
@DissectMalware DissectMalware
v0.2.4
04e5dc1
Compare
Choose a tag to compare
XLMMacroDeobfuscator-v0.2.4

In this version:
A grammar bug in handling names is fixed (#101)

Assets 4
Loading

XLMMacroDeobfuscator-v0.2.3

08 Dec 01:57
@DissectMalware DissectMalware
v0.2.3
bbe4b91
Compare
Choose a tag to compare
XLMMacroDeobfuscator-v0.2.3
  • Added support for FORMULA.ARRAY and _xlfn.ARABIC
  • Fixed several bugs
Assets 4
Loading

XLMMacroDeobfuscator-v0.2.0

23 Nov 20:14
@DissectMalware DissectMalware
v0.2.0
a4bb762
Compare
Choose a tag to compare
XLMMacroDeobfuscator-v0.2.0

[The notable changes since v0.1.9]

XLMMacroDeobfuscator v0.2.0:

  • Considers auto_close defined names as starting points for interpreting macros
  • Loads XLSM files with many empty cells much faster
  • Has new switches
    • --defined-names
    • --sort-formula
    • --extract-formula-format
  • Supports more functions
    • SQRT
  • Has less bugs (Lots of bugs were fixed in this version).
Assets 4
Loading

XLMMacroDeobfuscator-v0.1.4-beta

30 May 23:28
@DissectMalware DissectMalware
v0.1.4-beta
c3e8402
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
XLMMacroDeobfuscator-v0.1.4-beta Pre-release
Pre-release

The following list summarizes the most notable features added in this version:

  1. The following XLM functions are added: ROUND, SET.NAME, DIRECTORY, CONCATENATE, ACTIVE.CELL, SELECT, AND, OR, WHILE, LEN, REGISTER
  2. Dumps shellcodes injected into a process. It interprets the following Windows APIs: VirtualAlloc, WriteProcessMemory, RtlCopyMemory
  3. Guesses the correct day for DAY(NOW()) used for deobfuscating XLM macro.
  4. Supports range addresses
  5. New switches: --with-ms-excel, --password (--no-ms-excel is deprecated)
  6. Bug fixes
Assets 4
Loading

XLMMacroDeobfuscator-v0.1.2-beta

17 May 13:41
@DissectMalware DissectMalware
0.1.2-beta
2ad66ad
Compare
Choose a tag to compare
XLMMacroDeobfuscator-v0.1.2-beta Pre-release
Pre-release

In this version, many new features are introduced. The followings are a few notable additions:

  1. Many functions such as GET.WORKSPACE, GET.CELL, FORMULA.FILL, SET.VAL, DAY, and IF are added
  2. If the IF-condition cannot fully be evaluated, then both branches will be explored
  3. Loop detection mechanism is added to prevent looping
  4. XLM grammar is updated to consider operator precedence and also associativity
Assets 4
Loading

XLMMacroDeobfuscator-v0.1.0-beta

02 May 21:49
@DissectMalware DissectMalware
v0.1.0-beta
8740dcb
Compare
Choose a tag to compare
XLMMacroDeobfuscator-v0.1.0-beta Pre-release
Pre-release

This is an initial release of XLMMacroObfuscator.

XLMMacroObfuscator supports:

Extraction of cell information from macrosheets in xls, xlsm, and xlsb files.

Emulation XLM macros (limited, not all functions are implemented)

Assets 4
Loading