Skip to content

Instantly share code, notes, and snippets.

@NoThrowForwardIt
Forked from DissectMalware/deobfuscator.py
Created January 18, 2022 15:18
Show Gist options
  • Save NoThrowForwardIt/e3ce3294e155bf3f036db442379969bb to your computer and use it in GitHub Desktop.
Save NoThrowForwardIt/e3ce3294e155bf3f036db442379969bb to your computer and use it in GitHub Desktop.
VBA deobfuscation - Emotet XLSM
from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML
import sys
import re
vbaparser = VBA_Parser(sys.argv[1])
replace_regex = r"\s*([^=]+)\s*=\s*Replace\(\s*([^,]+)\s*,\s*\"([^,]*)\"\s*,\s*\"([^,]*)\"\s*\)"
replace = re.compile(replace_regex, re.MULTILINE)
regex_url = "http(s)?://[^,\"]+"
url = re.compile(regex_url, re.MULTILINE)
if vbaparser.detect_vba_macros():
urls = []
for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
vba_code = vba_code.replace("_\r\n", "")
match = replace.search(vba_code)
if match:
var_name = match.group(1)
str_name = match.group(2)
old_val = match.group(3)
new_val = match.group(4)
sentences =[]
for sentence in vba_code.split("\r\n"):
if str_name in sentence:
sentence = sentence.replace(old_val, new_val)
sentences.append(sentence)
deobfuscated_code = '\r\n'.join(sentences)
print(deobfuscated_code)
url_iter = url.finditer(deobfuscated_code)
for url_match in url_iter:
urls.append(url_match.group().rstrip('\\').rstrip('/'))
print("\r\n[ORIGINAL URLS]")
for url in urls:
print(url)
# defanged urls
print("\r\n[DEFANGED URLS]")
for url in urls:
print(url.replace(".","[.").replace(":","[:"))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment