
Last active January 18, 2022 15:18
VBA deobfuscation - Emotet XLSM
from oletools.olevba import VBA_Parser, TYPE_OLE, TYPE_OpenXML, TYPE_Word2003_XML, TYPE_MHTML
import sys
import re
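# Static triage helper: pull the VBA macro source out of an Office document,
# undo a single `x = Replace(y, "old", "new")` string-obfuscation step and list
# the URLs that appear afterwards, both raw and defanged.
#
# olevba only parses the macro source; nothing in the sample is executed here.
#
# NOTE(review): the published listing lost its indentation, the right-hand
# sides of five assignments and the bodies of three loops. Those parts are
# reconstructed below from the regex's four capture groups and the surrounding
# code, and each is marked; confirm against the author's original.

if len(sys.argv) < 2:
    sys.exit("usage: {} <office-document>".format(sys.argv[0]))

vbaparser = VBA_Parser(sys.argv[1])

# Groups: 1 = assigned variable, 2 = first Replace() argument,
#         3 = quoted string to search for, 4 = quoted replacement.
replace_regex = r"\s*([^=]+)\s*=\s*Replace\(\s*([^,]+)\s*,\s*\"([^,]*)\"\s*,\s*\"([^,]*)\"\s*\)"
replace = re.compile(replace_regex, re.MULTILINE)

# A URL runs until the next comma or double quote.
regex_url = "http(s)?://[^,\"]+"
url = re.compile(regex_url, re.MULTILINE)

try:
    if vbaparser.detect_vba_macros():
        urls = []
        for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
            # Join VBA line continuations ("_" at end of line) so a statement
            # split over several lines can be matched as one.
            vba_code = vba_code.replace("_\r\n", "")

            # Reconstructed: only the first Replace() assignment in each module
            # is considered.
            match = replace.search(vba_code)
            if match:
                var_name = match.group(1).strip()  # reconstructed; not used below
                str_name = match.group(2).strip()  # reconstructed
                old_val = match.group(3)           # reconstructed
                new_val = match.group(4)           # reconstructed

                sentences = []
                for sentence in vba_code.split("\r\n"):
                    # An empty search string would make str.replace() insert
                    # new_val between every character, so skip that case.
                    if old_val and str_name in sentence:
                        sentence = sentence.replace(old_val, new_val)
                    sentences.append(sentence)  # reconstructed
                deobfuscated_code = '\r\n'.join(sentences)

                url_iter = url.finditer(deobfuscated_code)
                for url_match in url_iter:
                    urls.append(url_match.group(0))  # reconstructed

        # These are live indicators taken from the sample: treat the raw list
        # as data for blocklists and detections, and share the defanged list.
        print("\r\n[ORIGINAL URLS]")
        # The loop variable is not called `url`, so the compiled pattern above
        # is not overwritten.
        for found_url in urls:
            print(found_url)  # reconstructed

        # defanged urls
        print("\r\n[DEFANGED URLS]")
        for found_url in urls:
            # Reconstructed: the original defang expression was lost; hxxp and
            # [.] are the usual convention.
            print(found_url.replace("http", "hxxp", 1).replace(".", "[.]"))
finally:
    # Release the file handle olevba holds on the sample.
    vbaparser.close()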