Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OLEVBA VBA Stomping Error #529

Open
agithubuserlol opened this issue Jan 27, 2020 · 1 comment
Open

OLEVBA VBA Stomping Error #529

agithubuserlol opened this issue Jan 27, 2020 · 1 comment
Assignees
@decalage2
Labels
🐛 bug olevba
Milestone
oletools 0.55

Comments

@agithubuserlol
Copy link

agithubuserlol commented Jan 27, 2020
edited
Loading

Affected tool:
olevba

Describe the bug

Running olevba on this file yields an error in PCODE extraction wherein the tool tries to access a file it cannot find. A workaround is to simply extract the file before executing olevba, which results in successful extraction of PCODE.

Additionally, running olevba with loglevel debug yields the expected PCODE.

File/Malware sample to reproduce the bug
Sample: https://www.virustotal.com/gui/file/7631858874171fe3d76b954d5f8d7c458472a35907f6085cf6ab5e380ca418cd/detection

(Will attach as well, zip password is "threat")
How To Reproduce the bug

Run:
olevba [samplename]

Result:
Mac:

[Errno 2] No such file or directory: 'word\vbaProject.bin'.

Windows:

Error: [Errno 2] No such file or directory: 'word/vbaProject.bin'.

Run:
7z [samplename]
olevba [samplename]

Result:
correct output here, including full pcodedmp

Expected behavior
olevba [samplenamehere] results in full PCODE dump for stomped sample instead of shell error regarding missing file.

Version information:

  • OS: Mac
  • OS version: 10.14.6
  • Python version: 2.7/3.6 - 32/64 bits -> Both!
  • oletools version: 0.55.1

Also confirmed on Windows, same Python/oletools versions.

Additional context
I think this is due to the file being OOXML XML format. But OLETOOLS is a huge project and I have not been able to identify where in the code this issue exists.
@agithubuserlol
Copy link
Author

agithubuserlol commented Jan 27, 2020
edited
Loading

Sample:

7631858874171fe3d76b954d5f8d7c458472a35907f6085cf6ab5e380ca418cd.zip

@decalage2 decalage2 self-assigned this Jan 27, 2020
@decalage2 decalage2 added this to the oletools 0.55 milestone Jan 27, 2020
decalage2 added a commit that referenced this issue Feb 23, 2020
@decalage2
olevba: slight changes to VBA stomping detection (related to issues #456
8526b4f 
, #529, #534 - not fixed yet)
c-rosenberg pushed a commit to HeinleinSupport/oletools that referenced this issue Sep 16, 2020
@decalage2 @c-rosenberg
olevba: slight changes to VBA stomping detection (related to issues d…
958971a 
…ecalage2#456, decalage2#529, decalage2#534 - not fixed yet)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@decalage2 decalage2

Labels
🐛 bug olevba
Projects
None yet
Milestone
oletools 0.55
Development

No branches or pull requests
2 participants
@decalage2 @agithubuserlol