# Sample wrapper around oletools.oleform.extract_OleFormVariables() to extract VBA userform field values from an Office file and evaluate VBA expressions that use those values
# Code released in public domain by @ItsNavdeep with no warranty and no rights
import ast
import re
import sys

import olefile
import oletools
from dotmap import DotMap
from oletools import oleform
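# Open the Office file named on the command line and collect the userform "f" streams.
if len(sys.argv) != 2:
    sys.exit("usage: %s <office-file>" % sys.argv[0])

inputfile = olefile.OleFileIO(sys.argv[1])
streams = inputfile.listdir(streams=True, storages=False)

# A userform lives in a '.../f' stream below the top-level 'Macros' storage. The component
# just before the trailing 'f' names an /i[n] substream when it matches i[0-9]{2,}; those
# substreams are handled by the updated oleform itself, so only the parent 'f' stream of
# each form is kept here (with the trailing 'f' component stripped).
_SUBSTREAM_RE = re.compile(r"^i[0-9]{2,}")
fStreams = [
    stream[:-1]
    for stream in streams
    if stream[0] == 'Macros'
    and stream[-1] == 'f'
    and _SUBSTREAM_RE.search(stream[-2]) is None
]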
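# Map each form stream path to its extracted variables, keyed by control name.
streamDict = {}
for fStream in fStreams:
    form_vars = oleform.extract_OleFormVariables(inputfile, ['/'.join(fStream)])
    if not form_vars:
        continue
    # Variables without a name cannot be referenced from a VBA expression, so they are
    # dropped; the name is decoded as ASCII (a non-ASCII name raises UnicodeDecodeError).
    varDict = {
        var['name'].decode('ascii'): var
        for var in form_vars
        if var['name']
    }
    # The key is the dotted stream path below 'Macros', so that a VBA reference of the
    # form Form.Control.Property becomes an attribute chain on the DotMap below.
    streamDict['.'.join(fStream[1:])] = varDict

# DotMap exposes nested dict keys as attributes, which keeps the regex translation of the
# VBA expressions below to a simple prefixing of each dotted reference.
dotStreamDict = DotMap(streamDict)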
# Hard-coded VBA concatenation expressions taken from the macro of the sample named below.
# They are script constants, not text read from the analysed document; only the field
# values they reference (via dotStreamDict) come from the document.
# vba expressions used in macro in SHA256:303bc0f4742c61166d05f7a14a25b3c118fa3ba04298b8370071b4ed19f1a987
vba_expressions = ['vbFrmeFtIzEB1911.imgtGIgB1375.Tag & StrReverse(vbFrmmyqVySwU1696.chkvbQB3300.ControlTipText) & StrReverse(vbFrmmyqVySwU1696.cmbQYFO1911.ControlTipText) & vbFrmrbYH1375.cmboIfJ1696.ControlTipText & vbFrmrbYH1375.txtlApBCAnI1967.Tag & vbFrmeFtIzEB1911.scrolldylOc788.ControlTipText & StrReverse(vbFrmeFtIzEB1911.opbtnDiUScM4213.Tag) & StrReverse(vbFrmeFtIzEB1911.lblCLgNb715.Caption) & StrReverse(vbFrmmyqVySwU1696.btnpfMTzd3022.Caption) & vbFrmEKCqjDo3300.togbtnRMpW2477.ControlTipText & vbFrmeFtIzEB1911.framefnxgH4936.Caption & vbFrmmyqVySwU1696.chkqOodU3558.Tag & StrReverse(vbFrmeFtIzEB1911.tabyABIMhsl4761.ControlTipText)',
'vbFrmrbYH1375.lstIPCDwe4044.ControlTipText & vbFrmEKCqjDo3300.chksuczBhLg4839.ControlTipText & vbFrmrbYH1375.btnefHs3456.Caption & vbFrmeFtIzEB1911.btnyAYfzOPM1459.Caption & StrReverse(vbFrmEKCqjDo3300.tabypJBojnP781.Tag) & StrReverse(vbFrmrbYH1375.lstWpzN3431.ControlTipText) & vbFrmEKCqjDo3300.spinbtnCnRVRr4161.Tag & StrReverse(vbFrmrbYH1375.txtzvtn900.Text) & vbFrmeFtIzEB1911.opbtnrEitNob1060.Tag & StrReverse(vbFrmeFtIzEB1911.opbtnKYfcJ1457.ControlTipText) & StrReverse(vbFrmrbYH1375.frameSccF1623.Caption) & StrReverse(vbFrmmyqVySwU1696.btnztNiwa4658.Caption) & StrReverse(vbFrmeFtIzEB1911.imgoYaQWA3714.ControlTipText) & StrReverse(vbFrmEKCqjDo3300.txtFwXWP1152.Text) & vbFrmeFtIzEB1911.spinbtnTqXMQ502.ControlTipText & StrReverse(vbFrmrbYH1375.cmbcIckRPVX4483.ControlTipText) & vbFrmEKCqjDo3300.imgvbYrcjk4353.ControlTipText & StrReverse(vbFrmmyqVySwU1696.lstJwfY2169.Tag) & vbFrmrbYH1375.cmbgKbDzKMo1674.Tag',
'vbFrmeFtIzEB1911.txtSoJFPorZ4665.ControlTipText & StrReverse(vbFrmEKCqjDo3300.chkYyJaOna1624.ControlTipText) & vbFrmrbYH1375.tabQrcZbT4888.ControlTipText & StrReverse(vbFrmmyqVySwU1696.togbtnAVMwFuXd2923.ControlTipText) & vbFrmeFtIzEB1911.pagePvVRdf4072.Tag & StrReverse(vbFrmeFtIzEB1911.chktuBdkgmL841.Caption)',
'vbFrmeFtIzEB1911.tabYguLPmov204.ControlTipText & StrReverse(vbFrmmyqVySwU1696.txtcFzq1014.ControlTipText) & vbFrmeFtIzEB1911.lstoxxvFwq1138.ControlTipText',
'StrReverse(vbFrmrbYH1375.cmbDfRjmnW77.Tag) & StrReverse(vbFrmeFtIzEB1911.spinbtndGEP2895.ControlTipText) & StrReverse(vbFrmrbYH1375.spinbtnGNMTWTSy3461.Tag) & vbFrmmyqVySwU1696.lblOFCUL4049.ControlTipText',
'vbFrmmyqVySwU1696.lstalzTm114.ControlTipText & vbFrmEKCqjDo3300.lstwCGFrNLY1903.Tag',
'vbFrmeFtIzEB1911.spinbtnMXeL2931.ControlTipText & vbFrmEKCqjDo3300.cmbTfoZAx4164.Tag & vbFrmrbYH1375.tabSSaKDcdc3851.Tag',
'StrReverse(vbFrmeFtIzEB1911.lstTnvwvLw1618.ControlTipText) & vbFrmmyqVySwU1696.opbtnJEnyrnTJ4655.Tag & StrReverse(vbFrmEKCqjDo3300.cmbEIstEpJ4441.ControlTipText) & vbFrmeFtIzEB1911.btnKiUZMVSG1840.Caption & vbFrmrbYH1375.txtdSZFohR4742.ControlTipText & vbFrmEKCqjDo3300.chkvhPxqy238.ControlTipText & StrReverse(vbFrmeFtIzEB1911.cmbdfFlHT3673.Tag) & StrReverse(vbFrmeFtIzEB1911.btnbKYvus2265.Caption) & vbFrmmyqVySwU1696.chkGrAT4969.Caption & vbFrmEKCqjDo3300.cmbEKNPVeI3323.Text & vbFrmrbYH1375.tabAaRgqZPo3691.ControlTipText & vbFrmEKCqjDo3300.opbtngSZen784.ControlTipText & vbFrmeFtIzEB1911.scrollKfOht2985.Tag & StrReverse(vbFrmrbYH1375.chkDoDydx3856.Caption) & StrReverse(vbFrmrbYH1375.cmbiymBSWaf1306.Text) & vbFrmrbYH1375.tabWshCG1537.ControlTipText & vbFrmmyqVySwU1696.togbtnkkWYGa4110.Caption & StrReverse(vbFrmrbYH1375.cmbikWTTdwM117.Text) & StrReverse(vbFrmmyqVySwU1696.tabyAeEx3574.ControlTipText) & vbFrmmyqVySwU1696.txtVYanqY2094.Tag'
]
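# Rewrite rules that turn a VBA concatenation expression into a Python expression over
# dotStreamDict. Order matters: StrReverse() must be rewritten before the last rule,
# which would otherwise treat the word "StrReverse" as a field reference. The "(\W)"
# groups need a character after the property name, which is why a space is appended to
# the expression before the rules run.
_VBA_TO_PY_RULES = (
    ("&", "+"),                                            # VBA concatenation
    (r"\.Tag(\W)", r".tag\1"),                             # VBA property -> oleform field
    (r"\.ControlTipText(\W)", r".control_tip_text\1"),
    (r"\.Caption(\W)", r".caption\1"),
    (r"\.Text(\W)", r".value\1"),
    (r"StrReverse(\(.*?\))", r"\1[::-1]"),                 # StrReverse(x) -> (x)[::-1]
    (r"([\w\.]{2,})", r"dotStreamDict.\1"),                # root each Form.Control.field
)


def vba_to_python(expression):
    """Translate one VBA concatenation expression into a Python expression string.

    Args:
        expression: VBA expression made of Form.Control.Property references joined
            with ``&``, optionally wrapped in ``StrReverse(...)``.

    Returns:
        The equivalent Python expression, with every reference rooted at
        ``dotStreamDict`` and a trailing space left over from the rewrite.
    """
    translated = expression + ' '
    for pattern, replacement in _VBA_TO_PY_RULES:
        translated = re.sub(pattern, replacement, translated)
    return translated


def _is_full_reverse_slice(node):
    """Return True only for the slice ``[::-1]`` that StrReverse() is translated into."""
    if not isinstance(node, ast.Slice) or node.lower is not None or node.upper is not None:
        return False
    step = node.step
    if isinstance(step, ast.Constant):
        return step.value == -1
    return (
        isinstance(step, ast.UnaryOp)
        and isinstance(step.op, ast.USub)
        and isinstance(step.operand, ast.Constant)
        and step.operand.value == 1
    )


def _evaluate_node(node, names):
    """Evaluate one AST node, accepting only the constructs vba_to_python() emits."""
    if isinstance(node, ast.Expression):
        return _evaluate_node(node.body, names)
    if isinstance(node, ast.Name):
        if node.id not in names:
            raise ValueError("unknown name in expression: %r" % node.id)
        return names[node.id]
    if isinstance(node, ast.Attribute):
        # Underscore attributes are never produced by the translation; refusing them keeps
        # the walker from reaching dunder attributes of the objects it is given.
        if node.attr.startswith('_'):
            raise ValueError("attribute not allowed in expression: %r" % node.attr)
        return getattr(_evaluate_node(node.value, names), node.attr)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _evaluate_node(node.left, names) + _evaluate_node(node.right, names)
    if isinstance(node, ast.Subscript) and _is_full_reverse_slice(node.slice):
        return _evaluate_node(node.value, names)[::-1]
    raise ValueError("unsupported construct in expression: %s" % type(node).__name__)


def evaluate_expression(py_expression, names):
    """Evaluate a translated expression with a restricted AST walker instead of eval().

    Only name lookup in ``names``, attribute access, ``+`` and ``[::-1]`` are accepted,
    so an expression cannot call functions or reach anything outside ``names`` even if
    the expression list is later filled from macro text instead of script constants.

    Args:
        py_expression: expression string as returned by vba_to_python().
        names: mapping of the root names the expression may use,
            e.g. ``{"dotStreamDict": dotStreamDict}``.

    Returns:
        The value the expression denotes (the concatenation of the referenced fields).

    Raises:
        ValueError: if the expression uses a name or construct outside the allowed set.
        SyntaxError: if the string is not a valid Python expression.
    """
    tree = ast.parse(py_expression, mode="eval")
    return _evaluate_node(tree, names)


py_expressions = [vba_to_python(expression) for expression in vba_expressions]
evaluated_data = [
    evaluate_expression(expression, {"dotStreamDict": dotStreamDict})
    for expression in py_expressions
]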
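# The first three evaluated expressions concatenate to one blob of bytes that is written
# to a fixed file name in the current working directory. Those bytes come straight out of
# the analysed document, so the output file should be handled as untrusted content.
hex_string = evaluated_data[0] + evaluated_data[1] + evaluated_data[2]
outfilename = 'JZinoDZniU6'
with open(outfilename, "wb") as outFile:
    outFile.write(hex_string)

# The remaining values are printed decoded as ASCII; a non-ASCII byte raises
# UnicodeDecodeError rather than being silently replaced.
for item in evaluated_data[3:]:
    print(item.decode('ascii'))

inputfile.close()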