Excel 4 Macro Analysis: XLMMacroDeobfuscator

Published: 2020-05-11
Last Updated: 2020-05-11 19:58:41 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Malicious Excel 4 macro documents become more prevalent. They are so obfuscated now, that analysis requires calculations of many formulas.

It's good to see that new analysis tools are being developed, like XLMMacroDeobfuscator.

Here is an example of a malicious Excel 4 macro document, analyzed with my tools:

We can see the calls, but not the actual values of the arguments: these require many formula calculations to recover IOCs like URLs.

This is what XLMMacroDeobfuscator tries to do: it's a free, open-source Python tool that tries to deobfuscate Excel 4 macros. For this sample, the tool was able to debofuscate the URL and filename.

Early versions of XLMMacroDeobfuscator required Excel, but the last version can also operate without Excel.

Remark that when I installed this tool, I had to install pywin32 too, which was not listed as a requirement.


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

0 comment(s)


Diary Archives