
SANS ISC: Excel 4 Macro Analysis: XLMMacroDeobfuscator - SANS Internet Storm Center

Excel 4 Macro Analysis: XLMMacroDeobfuscator

Malicious Excel 4 macro documents are becoming more prevalent. They are now so obfuscated that analysis requires calculating many formulas.

It's good to see that new analysis tools are being developed, like XLMMacroDeobfuscator.

Here is an example of a malicious Excel 4 macro document, analyzed with my tools:

We can see the calls, but not the actual values of the arguments: these require many formula calculations to recover IOCs like URLs.

This is what XLMMacroDeobfuscator tries to do: it's a free, open-source Python tool that tries to deobfuscate Excel 4 macros. For this sample, the tool was able to deobfuscate the URL and filename.
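To illustrate why formula calculation is needed to recover such arguments, here is an added example (not from the original diary, and not XLMMacroDeobfuscator's code) that evaluates a small subset of formula syntax over a sheet. The cell contents, the `example.invalid` URL and the `evaluate` helper are constructed for illustration.

```python
import re

# Constructed sample cells (not taken from the diary's sample): the URL and
# filename only exist after CHAR() arithmetic and cell references are computed.
SHEET = {
    "A1": "104", "A2": "=A1+12", "A3": "=A2-4",
    "B1": '=CHAR(A1)&CHAR(A2)&CHAR(A2)&CHAR(A3)&"://"',
    "B2": '="example"&CHAR(A1-58)&"invalid/"',
    "C1": "=B1&B2&C2",
    "C2": '=CHAR(A3-1)&CHAR(A2+1)&CHAR(A2)&CHAR(46)&"dat"',
}

# Tokens of the formula subset handled here: string literals, cell references,
# integers, CHAR, and the operators & + - plus the parentheses of CHAR().
TOKEN = re.compile(r'\s*("[^"]*"|[A-Z]+\d+|\d+|CHAR|[&+\-()])')

def evaluate(cell, sheet, seen=()):
    """Compute a cell's value (int or str), following references recursively."""
    if cell in seen:
        raise ValueError(f"circular reference at {cell}")
    raw = sheet[cell]
    if not raw.startswith("="):          # constant cell
        return int(raw) if raw.isdigit() else raw
    tokens, pos = TOKEN.findall(raw[1:]), 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def atom():
        tok = take()
        if tok == "CHAR":
            take()                       # opening parenthesis
            value = chr(int(concat()))   # character code -> character
            take()                       # closing parenthesis
            return value
        if tok.startswith('"'):
            return tok[1:-1]
        if tok.isdigit():
            return int(tok)
        return evaluate(tok, sheet, seen + (cell,))  # cell reference

    def concat():                        # '&' binds looser than '+' and '-'
        value = atom()
        while pos < len(tokens) and tokens[pos] in "&+-":
            op, rhs = take(), atom()
            if op == "&":
                value = str(value) + str(rhs)
            else:
                value = value + rhs if op == "+" else value - rhs
        return value

    return concat()
```

Because the sample formulas never mix `&` with arithmetic outside a `CHAR()` argument, the single left-to-right loop is sufficient here; a full evaluator would need proper operator precedence.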

Early versions of XLMMacroDeobfuscator required Excel, but the latest version can also operate without Excel.

Note that when I installed this tool, I had to install pywin32 too, which was not listed as a requirement.


Didier Stevens
Senior handler
Microsoft MVP


May 11th 2020
