Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Macro detection issues #837

Open
tstallings opened this issue Jan 12, 2024 · 2 comments
Open

Macro detection issues #837

tstallings opened this issue Jan 12, 2024 · 2 comments

Comments

@tstallings
Copy link

tstallings commented Jan 12, 2024

Affected tool:
olevba and mraptor

Describe the bug
XLM macro detection incorrectly reports that no macros are found

File/Malware sample to reproduce the bug
test_xls.zip
password: infected

How To Reproduce the bug
olevba:

olevba 0.60.1 on Python 3.10.12 - http://decalage.info/python/oletools
Flags        Filename
-----------  -----------------------------------------------------------------
OLE:-AS-HB-- tests/data/test.xls

(Flags: OpX=OpenXML, XML=Word2003XML, FlX=FlatOPC XML, MHT=MHTML, TXT=Text, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)

mraptor:

MacroRaptor 0.56.2 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File
----------+-----+----+--------------------------------------------------------
No Macro  |     |OLE:|tests/data/test.xls

Flags: A=AutoExec, W=Write, X=Execute
Exit code: 0 - No Macro

root@fd43fff22f08:/opt/malware_analysis_tools# poetry run python -m pip show oletools
Name: oletools
Version: 0.60.1
Summary: Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR
Home-page: http://www.decalage.info/python/oletools
Author: Philippe Lagadec
Author-email: [email protected]
License: BSD
Location: /root/.cache/pypoetry/virtualenvs/malware-analysis-tools-J26q8sQT-py3.10/lib/python3.10/site-packages
Requires: colorclass, easygui, msoffcrypto-tool, olefile, pcodedmp, pyparsing
Required-by: malware-analysis-tools

Expected behavior
Note the M in the output from olevba 0.56.2

olevba 0.56.2 on Python 3.10.12 - http://decalage.info/python/oletools
Flags        Filename
-----------  -----------------------------------------------------------------
OLE:MAS-HB-- tests/data/test.xls

(Flags: OpX=OpenXML, XML=Word2003XML, FlX=FlatOPC XML, MHT=MHTML, TXT=Text, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)

mraptor output:

MacroRaptor 0.56.2 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File
----------+-----+----+--------------------------------------------------------
SUSPICIOUS|A-X  |OLE:|tests/data/test.xls

Flags: A=AutoExec, W=Write, X=Execute
Exit code: 20 - SUSPICIOUS

Additional context
The olevba triage output is incorrect because of a missing boolean check around here
The missing check is:

if self.contains_xlm_macros: macros = 'M'

This missing check might be present in other parts of the output logic, but I didn't check.

The mraptor bug is caused by the code here
It appears that macro logic was split into two functions - one for XLM and one for VBA. There was a wrapper function created to run both checks, but mraptor didn't get updated to call the new wrapper function:

if vba_parser.detect_macros():
@decalage2
Copy link
Owner

Thanks a lot for reporting this. Indeed there is a confusion between VBA and XLM macros in the tools, as XLM detection was added later on, and not all the tools/modes handle it properly.
MRaptor is currently only meant for VBA macros. I'm not sure the current regexes would match all the necessary keywords for XLM macros. I need to make some tests to check if it could be easily updated to support XLM, or if not improve the output to make it clear that it's only for VBA.

@tstallings
Copy link
Author

Oh neat, I never realized mraptor wasn't supposed to be looking for XLM macros 😅 Even if the covereage isn't perfect, I still appreciate that it can detect some XLM things!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants