Affected tool:
olevba and mraptor

Describe the bug
XLM macro detection incorrectly reports that no macros are found

File/Malware sample to reproduce the bug
test_xls.zip
password: infected

How To Reproduce the bug
olevba:

mraptor:
MacroRaptor 0.56.2 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File
----------+-----+----+--------------------------------------------------------
No Macro  |     |OLE:|tests/data/test.xls
Flags: A=AutoExec, W=Write, X=Execute
Exit code: 0 - No Macro
root@fd43fff22f08:/opt/malware_analysis_tools# poetry run python -m pip show oletools
Name: oletools
Version: 0.60.1
Summary: Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR
Home-page: http://www.decalage.info/python/oletools
Author: Philippe Lagadec
Author-email: [email protected]
License: BSD
Location: /root/.cache/pypoetry/virtualenvs/malware-analysis-tools-J26q8sQT-py3.10/lib/python3.10/site-packages
Requires: colorclass, easygui, msoffcrypto-tool, olefile, pcodedmp, pyparsing
Required-by: malware-analysis-tools
Expected behavior
Note the M in the output from olevba 0.56.2

mraptor output:
MacroRaptor 0.56.2 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File
----------+-----+----+--------------------------------------------------------
SUSPICIOUS|A-X  |OLE:|tests/data/test.xls
Flags: A=AutoExec, W=Write, X=Execute
Exit code: 20 - SUSPICIOUS
Additional context
The olevba triage output is incorrect because of a missing boolean check around here.
The missing check is:
if self.contains_xlm_macros: macros = 'M'
This missing check might be present in other parts of the output logic, but I didn't check.

The mraptor bug is caused by the code here.
It appears that macro logic was split into two functions - one for XLM and one for VBA. There was a wrapper function created to run both checks, but mraptor didn't get updated to call the new wrapper function:
if vba_parser.detect_macros():
Thanks a lot for reporting this. Indeed there is a confusion between VBA and XLM macros in the tools, as XLM detection was added later on, and not all the tools/modes handle it properly.
MRaptor is currently only meant for VBA macros. I'm not sure the current regexes would match all the necessary keywords for XLM macros. I need to make some tests to check if it could be easily updated to support XLM, or if not improve the output to make it clear that it's only for VBA.
Oh neat, I never realized mraptor wasn't supposed to be looking for XLM macros 😅 Even if the coverage isn't perfect, I still appreciate that it can detect some XLM things!
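The practical takeaway from the report and the maintainer's reply above is that, at this version, neither mraptor's exit code nor olevba's triage line can be trusted on its own for an XLM-only workbook: the triage 'M' column is only set from the VBA detector, and mraptor still calls the VBA-only check. The script below is an added example written for this thread, not oletools' own code, showing a triage wrapper that queries both detectors through the public VBA_Parser API. It assumes oletools 0.60 or later is installed and uses only VBA_Parser.detect_vba_macros(), detect_xlm_macros(), analyze_macros() and close(); the four-column flag layout and the exit code 10 are this example's own conventions, while 0 and 20 follow the mraptor codes shown above.

```python
"""Triage an Office file for both VBA and XLM (Excel 4.0) macros.

Added example for this thread; it is not oletools' own code. Assumes
oletools >= 0.60 installed, and uses only VBA_Parser.detect_vba_macros(),
detect_xlm_macros(), analyze_macros() and close(). The flag layout and
the exit code 10 are this example's own conventions.
"""
import sys


def macro_flags(has_vba, has_xlm, analysis):
    """Build a four-column flag string from the two detectors plus the
    keyword analysis: M = macros of either kind, X = XLM macros present,
    A = auto-exec trigger, S = suspicious keyword, '-' = absent.

    The M column is set when *either* detector fires. That is the check
    the report found missing: an XLM-only workbook must not come out as
    '----' just because the VBA detector returned False.
    """
    kinds = {kind for kind, _keyword, _description in analysis}
    return "".join([
        "M" if (has_vba or has_xlm) else "-",
        "X" if has_xlm else "-",
        "A" if "AutoExec" in kinds else "-",
        "S" if "Suspicious" in kinds else "-",
    ])


def exit_code(flags):
    """Map a flag string to a process exit code.

    0 = no macro and 20 = suspicious follow the mraptor codes shown in the
    thread; 10 = macros present but nothing flagged is this example's own.
    """
    if flags[0] == "-":
        return 0
    if "A" in flags or "S" in flags:
        return 20
    return 10


def triage_file(path):
    """Return (flags, exit_code) for one file, checking VBA and XLM."""
    # Imported here so macro_flags()/exit_code() can be used (and tested)
    # on a machine without oletools; triage_file() itself needs it.
    from oletools.olevba import VBA_Parser

    vp = VBA_Parser(path)
    try:
        has_vba = vp.detect_vba_macros()
        has_xlm = vp.detect_xlm_macros()
        # analyze_macros() scans VBA source and may return None when there
        # is no VBA, so an XLM-only file gets no keyword hits here and is
        # reported through the M/X columns only (mraptor-style A/W/X
        # keyword coverage for XLM is exactly what the maintainer says is
        # not there yet).
        analysis = vp.analyze_macros() or []
    finally:
        vp.close()
    flags = macro_flags(has_vba, has_xlm, analysis)
    return flags, exit_code(flags)


if __name__ == "__main__":
    # Usage: python triage_xlm.py sample.xls [more files...]
    # Extract the sample from its password-protected zip first. The exit
    # code is the worst result across all files given.
    worst = 0
    for filename in sys.argv[1:]:
        flags, code = triage_file(filename)
        print(f"{flags} {filename}")
        worst = max(worst, code)
    sys.exit(worst)
```

Run against the extracted test.xls, an XLM-only workbook comes back as `MX--` with exit code 10 rather than `----`/0, so a pipeline gating on a non-zero exit still sends it for manual review even though the VBA keyword scan has nothing to say about it.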