Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

olevba should display the p-code when VBA stomping is detected #456

Open
decalage2 opened this issue Jun 24, 2019 · 0 comments
Open

olevba should display the p-code when VBA stomping is detected #456

decalage2 opened this issue Jun 24, 2019 · 0 comments
Assignees
@decalage2
Labels
🐛 bug olevba
Milestone
oletools 0.55

Comments

@decalage2
Copy link
Owner

This does not seem to work with this sample (VBA stomping is detected, but p-code is only showed when using option --pcode):
https://app.any.run/tasks/7387f0ae-f5b2-4624-a873-972e75bd7dcb/

Ref: https://twitter.com/DissectMalware/status/1142979828339150850

Moreover there is an error message about vbaProject.bin, so it looks like there is a bug with docm files:

olevba 0.55.dev2 on Python 3.7.2 - http://decalage.info/python/oletools
===============================================================================
FILE: 8a5b9307ed6c70ebaa441c0cafb4411f0f9b442ff2770316786542ac847e8b9d
Type: OpenXML
Error: [Errno 2] No such file or directory: 'word/vbaProject.bin'.
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Option Explicit

Public Sub FileSaveAs()
    modJordanExcel.SaveAs ActiveDocument
End Sub
Public Sub FileSave()
    modJordanExcel.Save ActiveDocument
End Sub
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|Suspicious|VBA Stomping        |VBA Stomping was detected: the VBA source    |
|          |                    |code and P-code are different, this may have |
|          |                    |been used to hide malicious code             |
+----------+--------------------+---------------------------------------------+
VBA Stomping detection is experimental: please report any false positive/negative at https://github.com/decalage2/oletools/issues
@decalage2 decalage2 added this to the oletools 0.55 milestone Jun 24, 2019
@decalage2 decalage2 self-assigned this Jun 24, 2019
Maijin pushed a commit to Maijin/oletools that referenced this issue Jul 10, 2019
Display the p-code automatically when VBA stomping is detected Fix de…
f2bf431 
…calage2#456
@decalage2 decalage2 mentioned this issue Feb 9, 2020
Open
decalage2 added a commit that referenced this issue Feb 23, 2020
@decalage2
olevba: slight changes to VBA stomping detection (related to issues #456
8526b4f 
, #529, #534 - not fixed yet)
c-rosenberg pushed a commit to HeinleinSupport/oletools that referenced this issue Sep 16, 2020
@decalage2 @c-rosenberg
olevba: slight changes to VBA stomping detection (related to issues d…
958971a 
…ecalage2#456, decalage2#529, decalage2#534 - not fixed yet)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@decalage2 decalage2

Labels
🐛 bug olevba
Projects
None yet
Milestone
oletools 0.55
Development

No branches or pull requests
1 participant
@decalage2