dissectmalware / xlrd2
xlrd2 is a variant of xlrd that is actively maintained
License: Apache License 2.0
Relative address appeared in a formula that resides in another sheet. In this case the address should be considered as absolute:
Sample: https://bazaar.abuse.ch/sample/d25a928416c3614b40c4c57447023f53fa5cc4d4bd5dee5fc68a7e8cbc52d7cb/
You can make a 2x2 table and leave top right cell (B1) blank. Then the first row will have 1 column and the second row will have 2 columns:
Here is a code snippet. You can use xlrd2_bug.zip for your test. (GitHub does not allow attaching xls, so I had to make a zip archive)
```python
import xlrd2
wb = xlrd2.open_workbook('xlrd2_bug.xls')
ws = wb.sheet_by_index(0)
print('ws.nrows:', ws.nrows)
print('ws.ncols:', ws.ncols)
row = ws.row_slice(0)
```
Output:
```
ws.nrows: 2
ws.ncols: 2
Traceback (most recent call last):
  File "./test_xlrd.py", line 8, in <module>
    row = ws.row_slice(0)
  File "/usr/local/lib/python3.8/dist-packages/xlrd2/sheet.py", line 555, in row_slice
    return [
  File "/usr/local/lib/python3.8/dist-packages/xlrd2/sheet.py", line 556, in <listcomp>
    self.cell(rowx, colx)
  File "/usr/local/lib/python3.8/dist-packages/xlrd2/sheet.py", line 425, in cell
    self._cell_formulas[rowx][colx],
IndexError: list index out of range
```
Reported by @decalage2 on XLMMacroDeobfuscator
"The latest XLMdeobfuscator does not find the entry point in this sample:
https://app.any.run/tasks/bbadb211-fb6c-41e9-9c36-2484b9ea9db8/# (9b1c03b0cca23a94f2d6988c66eb0d246ec2648623765e83dbf20548ac874837)"
A defined name can refer to a cell, int, float, string and array.
Currently, xlrd2 cannot parse the array value type.
f9adf499bc16bfd096e00bc59c3233f022dec20c20440100d56e58610e4aded3
Name:
SbhipD
Value:
b'`\x00\x11\x00\x00\x00\x00\x00\x00\x11\x00\x02\x18\x00\x00PcWs3NqZ8mTrRlTgf23I>K:O\x02\x1f\x00\x00HVo^2gXn7vZ_l]ZaV_1P?6_=CP<E:R;\x02\x1b\x00\x00JjX^HZ_]Mb\\sU]pT]NG??J35QEK\x02\x1b\x00\x00FhYaIQOtAqXqV`qKMe;KBH48R<=\x02\x1e\x00\x00]\\h]GRRu8aoee\\oLPf2;S<XAO;6LCB\x02\x06\x00\x00]ai`G4\x02\x17\x00\x00JxKSt;hXv36L,:PMJ9Y;>C3\x02\x06\x00\x00Gnbq1H\x02"\x00\x00HVo^2HeK@SNEN\\;WE]AH5>Q::PCX:H6>RB\x02\x1e\x00\x00z]5]C{`"(|}|c1k-tp}Ny%*)n/!"},\x02\n\x00\x00x]VbJq3>T3\x02]\x00\x00GdX`RmP;oKWe;<byU%y,6@5W&A1_R@AcK@+Z-3s;@XVR/AF/G\\;VL]AE-HC0\\QJJLW1/\\,0rDQ:bC3CE,FeK@TNEG,)B<\x02\x1f\x00\x00WMdQVoO8nTgNG-`%rs2W<57z\'9nqpUC\x02\x1b\x00\x00FcPSjXONa[Vd3/iUUs\'guA7>Y?3\x02\x00\x00\x00\x02\x1a\x00\x00]W_OhYROXKmXB+4xXxtLlX<5O4\x02\x17\x00\x00JeOPia_7mLZf2,n&g{8-9Q3\x02\x0f\x00\x00G,+/"*Xy$K^w%B2'
Name:
YZJvX
Value:
Convert the following to xls:
1efd860e8367e87cfeb1cd59bfdf022f08bd4cf6411c29fdb514730d2f498018
```
Traceback (most recent call last):
  File "C:\Users\user\Documents\GitHub\xlrd2\test.py", line 6, in <module>
    xl_workbook = xlrd2.open_workbook(path, formatting_info=True)
  File "C:\Users\user\Documents\GitHub\xlrd2\xlrd2\__init__.py", line 157, in open_workbook
    bk = book.open_workbook_xls(
  File "C:\Users\user\Documents\GitHub\xlrd2\xlrd2\book.py", line 122, in open_workbook_xls
    bk.get_sheets()
  File "C:\Users\user\Documents\GitHub\xlrd2\xlrd2\book.py", line 749, in get_sheets
    self.get_sheet(sheetno)
  File "C:\Users\user\Documents\GitHub\xlrd2\xlrd2\book.py", line 740, in get_sheet
    sh.read(self)
  File "C:\Users\user\Documents\GitHub\xlrd2\xlrd2\sheet.py", line 986, in read
    formula = decompile_formula(bk, data[22:], fmlalen, FMLA_TYPE_CELL,
  File "C:\Users\user\Documents\GitHub\xlrd2\xlrd2\formula.py", line 2339, in decompile_formula
    res1, res2 = get_cell_range_addr(data, pos+3, bv, reldelta)
  File "C:\Users\user\Documents\GitHub\xlrd2\xlrd2\formula.py", line 962, in get_cell_range_addr
    res1 = adjust_cell_addr_biff8(row1val, col1val, reldelta, browx, bcolx)
  File "C:\Users\user\Documents\GitHub\xlrd2\xlrd2\formula.py", line 923, in adjust_cell_addr_biff8
    rowx -= browx
TypeError: unsupported operand type(s) for -=: 'int' and 'NoneType'
```
Hello,
Tests (and the library) are failing when running on python3 (3.11.6) and defusedxml (0.7.1) is present (as this is the preferred XML library for xlrd2). In defusedxml there is some strange situation where Element_has_iter is evaluated as false, but at the same time there is no getiterator() function.
```
self = <xlrd2.xlsx.X12Book object at 0x7f676b8b09d0>
stream = <zipfile.ZipExtFile name='xl\\workbook.xml' mode='r' compress_type=deflate>
heading = 'Workbook'

    def process_stream(self, stream, heading=None):
        if self.verbosity >= 2 and heading is not None:
            fprintf(self.logfile, "\n=== %s ===\n", heading)
        self.tree = ET.parse(stream)
        getmethod = self.tag2meth.get
>       for elem in self.tree.iter() if Element_has_iter else self.tree.getiterator():
E       AttributeError: 'ElementTree' object has no attribute 'getiterator'

xlrd2/xlsx.py:266: AttributeError
```
Full log from pytest:
error.txt
Workaround:
use xml.etree.cElementTree as default rather than defusedxml.ElementTree in xlrd2/xlsx.py
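An added example, not xlrd2's code and not from the issue author: one way to keep the hardened parser and still avoid the failing branch is to test the parsed tree object itself for `iter()` rather than relying on a module-level flag. `iter_elements`, `sheet_names`, `LegacyTree` and the sample XML are hypothetical names and constructed data.

```python
import io

try:
    # Hardened parser: rejects entity-expansion and external-entity payloads.
    import defusedxml.ElementTree as ET
except ImportError:
    # Fallback so the example runs where defusedxml is not installed.
    import xml.etree.ElementTree as ET

# Constructed sample standing in for xl/workbook.xml.
SAMPLE_WORKBOOK_XML = b"""<workbook>
  <sheets>
    <sheet name="Sheet1" sheetId="1"/>
    <sheet name="Macro1" sheetId="2"/>
  </sheets>
</workbook>"""


def iter_elements(tree):
    """Return an iterator over all elements of a parsed tree.

    The choice is made on the object returned by parse(), so it does not
    depend on which module produced it or on what that module exports.
    """
    walker = getattr(tree, "iter", None)
    if walker is None:
        # Only very old ElementTree implementations lack iter().
        walker = tree.getiterator
    return walker()


def sheet_names(xml_bytes):
    """Parse workbook XML and list the sheet names in document order."""
    tree = ET.parse(io.BytesIO(xml_bytes))
    return [e.get("name") for e in iter_elements(tree) if e.tag == "sheet"]


class LegacyTree:
    """Hypothetical stand-in for a tree type that only has getiterator()."""

    def __init__(self, items):
        self._items = items

    def getiterator(self):
        return iter(self._items)


if __name__ == "__main__":
    print(sheet_names(SAMPLE_WORKBOOK_XML))
    print(list(iter_elements(LegacyTree(["a", "b"]))))
```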
When interpreting defined names, it is necessary to consider only the first byte of the name field if the name is a built-in one.
Some malicious documents use arbitrary labels for built-in defined names such as auto_open to evade analysis tools.
example: https://twitter.com/c0ntrol_z/status/1260205314193883136
ref: https://twitter.com/c0ntrol_z/status/1259967792998232073
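The rule described in this issue, as an added example that is not xlrd2's code or the reporter's: a parser for the body of a BIFF8 NAME record that resolves a built-in name from its first byte only and ignores any label that follows. The function names are hypothetical, the record layout is stated as an assumption in the docstring, and the sample records are constructed.

```python
import struct

# Built-in name codes defined for the BIFF8 NAME (Lbl) record.
BUILTIN_NAMES = {
    0x00: "Consolidate_Area", 0x01: "Auto_Open", 0x02: "Auto_Close",
    0x03: "Extract", 0x04: "Database", 0x05: "Criteria",
    0x06: "Print_Area", 0x07: "Print_Titles", 0x08: "Recorder",
    0x09: "Data_Form", 0x0A: "Auto_Activate", 0x0B: "Auto_Deactivate",
    0x0C: "Sheet_Title", 0x0D: "_FilterDatabase",
}
F_BUILTIN = 0x0020  # fBuiltin bit in the record's option flags


def defined_name(body):
    """Return (name, is_builtin) for the body of a BIFF8 NAME record.

    Assumed layout: 14-byte fixed header, one string option byte, then the
    name characters (1 byte each, or 2 if bit 0 of the option byte is set).
    """
    if len(body) < 15:
        raise ValueError("NAME record body too short")
    flags, _shortcut, name_len = struct.unpack_from("<HBB", body, 0)
    width = 2 if body[14] & 0x01 else 1
    raw = body[15:15 + name_len * width]
    if name_len == 0 or len(raw) != name_len * width:
        raise ValueError("NAME record has a truncated or empty name")
    if flags & F_BUILTIN:
        # Built-in: the first byte is the code; ignore any trailing label.
        code = raw[0]
        return BUILTIN_NAMES.get(code, "Unknown_builtin_0x%02X" % code), True
    return raw.decode("utf-16-le" if width == 2 else "latin-1"), False


def sample_record(flags, name_bytes, wide=0):
    """Build a constructed NAME record body with an empty formula."""
    cch = len(name_bytes) // (2 if wide else 1)
    head = struct.pack("<HBBHHH4B", flags, 0, cch, 0, 0, 0, 0, 0, 0, 0)
    return head + bytes([wide]) + name_bytes


# Constructed samples, not taken from any real document.
PLAIN_BUILTIN = sample_record(F_BUILTIN, b"\x01")
LABELLED_BUILTIN = sample_record(F_BUILTIN, b"\x01filler")
WIDE_BUILTIN = sample_record(F_BUILTIN, b"\x01\x00x\x00y\x00", wide=1)
USER_DEFINED = sample_record(0, b"MyRange")

if __name__ == "__main__":
    for rec in (PLAIN_BUILTIN, LABELLED_BUILTIN, WIDE_BUILTIN, USER_DEFINED):
        print(defined_name(rec))
```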
Hi,
please consider lowering the minimum asserted value for bv in the dump_formula function, as it can in some cases be lower.
Line 2451 in 74cd530
Example:
sha256: 1df68d55968bb9d2db4d0d18155188a03a442850ff543c8595166ac6987df820
with minimum bv=70
There are 2 open issues on https://github.com/DissectMalware/XLMMacroDeobfuscator considering this file and issue:
DissectMalware/XLMMacroDeobfuscator#117
DissectMalware/XLMMacroDeobfuscator#116