Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

sigtool failed to dump vba macro since 0.100.3 onward #601

Closed rzwck closed 3 weeks ago

rzwck commented 2 years ago

Beginning with sigtool 0.100.3 onward, it fails to dump the VBA macro. The last version to dump the VBA macro correctly was 0.100.2.

How to reproduce the problem

Tested with version 0.100.2, it dumped the VBA macro correctly (md5sum of sample file: 6419474bbbc3fb7844623a633f7b55cf, https://www.virustotal.com/gui/file/354ab7503e644965a0c3ff33fb3de84788d8a9e066d245d5795b3658a40a9ab1/details).

root@94155aa529b1:/work# /tmp/clamav-0.100.2/bin/sigtool --vba ./6419474bbbc3fb7844623a633f7b55cf._mal --debug
LibClamAV debug: Initialized 0.100.2 engine
LibClamAV debug: in cli_ole2_extract()
LibClamAV debug:
LibClamAV debug: Magic:         0xd0cf11e0a1b11ae1
LibClamAV debug: CLSID:         {0000-00-00-00-000000}
LibClamAV debug: Minor version:     0x3e
LibClamAV debug: DLL version:       0x3
LibClamAV debug: Byte Order:        -2
LibClamAV debug: Big Block Size:    9
LibClamAV debug: Small Block Size:  6
LibClamAV debug: BAT count:     5
LibClamAV debug: Prop start:        493
LibClamAV debug: SBAT cutoff:       4096
LibClamAV debug: SBat start:        496
LibClamAV debug: SBat block count:  1
LibClamAV debug: XBat start:        -2
LibClamAV debug: XBat block count:  0
LibClamAV debug:
LibClamAV debug: Max block number: 4424
LibClamAV debug: OLE2: VBA project found
LibClamAV debug: OLE2: root entry  [root]  b   size:0x00000640 flags:0x00000000
LibClamAV debug: OLE2: worddocument  [file]  b   size:0x0000ae2e flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping 'worddocument' to '/tmp/clamav-9082e5ea390cc9a82e586d4b3396ebd9.tmp/126ea3fd0ff7f18c9c5eec0c07398c49_0'
LibClamAV debug: OLE2: _5_documentsummaryinformation  [file]  b   size:0x00001000 flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping '_5_documentsummaryinformation' to '/tmp/clamav-9082e5ea390cc9a82e586d4b3396ebd9.tmp/c94e3926fdf7b9e624cba640b87b17a8_0'
LibClamAV debug: OLE2: _5_summaryinformation  [file]  b   size:0x000001a4 flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping '_5_summaryinformation' to '/tmp/clamav-9082e5ea390cc9a82e586d4b3396ebd9.tmp/8f77ea59a4794f91b39913db2e55f3fc_0'
LibClamAV debug: OLE2: macros  [dir ]  b   size:0x00000000 flags:0x00000000
LibClamAV debug: OLE2 dir entry: /tmp/clamav-9082e5ea390cc9a82e586d4b3396ebd9.tmp/000006
LibClamAV debug: OLE2: project  [file]  b   size:0x00000170 flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping 'project' to '/tmp/clamav-9082e5ea390cc9a82e586d4b3396ebd9.tmp/000006/46f86faa6bbf9ac94a7e459509a20ed0_0'
LibClamAV debug: OLE2: projectwm  [file]  r   size:0x00000029 flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping 'projectwm' to '/tmp/clamav-9082e5ea390cc9a82e586d4b3396ebd9.tmp/000006/7fdc011725f5de6d8e10d5fc95398f30_0'
LibClamAV debug: OLE2: vba  [dir ]  r   size:0x00000000 flags:0x00000000
LibClamAV debug: OLE2 dir entry: /tmp/clamav-9082e5ea390cc9a82e586d4b3396ebd9.tmp/000006/000007
LibClamAV debug: OLE2: thisdocument  [file]  b   size:0x00004968 flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping 'thisdocument' to '/tmp/clamav-9082e5ea390cc9a82e586d4b3396ebd9.tmp/000006/000007/bad8252681321a1d94d0718a0815fac9_0'
LibClamAV debug: OLE2: _vba_project  [file]  r   size:0x000018f5 flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping '_vba_project' to '/tmp/clamav-9082e5ea390cc9a82e586d4b3396ebd9.tmp/000006/000007/ae4f6474bee50ccdf1a6b853ba8ad32a_0'
LibClamAV debug: OLE2: dir  [file]  r   size:0x00000203 flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping 'dir' to '/tmp/clamav-9082e5ea390cc9a82e586d4b3396ebd9.tmp/000006/000007/736007832d2167baaae763fd3a3f3cf1_0'
LibClamAV debug: OLE2: _1_compobj  [file]  r   size:0x00000072 flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping '_1_compobj' to '/tmp/clamav-9082e5ea390cc9a82e586d4b3396ebd9.tmp/88144fbcb62650fa72c360688f4772c7_0'
LibClamAV debug: OLE2: 1table  [file]  r   size:0x00001cfb flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping '1table' to '/tmp/clamav-9082e5ea390cc9a82e586d4b3396ebd9.tmp/0e2af3cf7b22050354734d7eb56b80d3_0'
LibClamAV debug: OLE2: data  [file]  b   size:0x0002e208 flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping 'data' to '/tmp/clamav-9082e5ea390cc9a82e586d4b3396ebd9.tmp/8d777f385d3dfec8815d20f7496026dc_0'
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Phishcheck cleaned up
LibClamAV debug: in cli_vba_readdir()
LibClamAV debug: wm_readdir: No macros detected
LibClamAV debug: in cli_vba_readdir()
LibClamAV debug: in cli_vba_readdir()
LibClamAV debug: read name failed - rewinding
LibClamAV debug: length: 254, name: *\g{000204ef-0000-0000-c000-000000000046}#4.2#9#c:\progra~1\common~1\micros~1\vba\vba7.1\vbe7.dll#visual basic for applications
LibClamAV debug: offset: 302
LibClamAV debug: middle not found
LibClamAV debug: length: 272, name: *\g{00020905-0000-0000-c000-000000000046}#8.6#0#c:\program files\microsoft office\office15\msword.olb#microsoft word 15.0 object library
LibClamAV debug: offset: 588
LibClamAV debug: middle not found
LibClamAV debug: length: 188, name: *\g{00020430-0000-0000-c000-000000000046}#2.0#0#c:\windows\system32\stdole2.tlb#ole automation
LibClamAV debug: offset: 790
LibClamAV debug: middle not found
LibClamAV debug: length: 18, name: *\cnormal
LibClamAV debug: length: 18, name: *\cnormal
LibClamAV debug: read name failed - rewinding
LibClamAV debug: vba_readdir: Guessing little-endian
LibClamAV debug: vba_readdir: VBA Record count 1
LibClamAV debug: vba_readdir: project name: thisdocument (bad8252681321a1d94d0718a0815fac9)
LibClamAV debug: vba_readdir: offset: 13357
LibClamAV debug: blobClose: recovered 2219 bytes from 12288
-------------- start of code ------------------
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
.....
.....
root@9cbdc49bab2e:/work#

Beginning with 0.100.3, it fails to dump the VBA macro.

root@9cbdc49bab2e:/work# /tmp/clamav-0.100.3/bin/sigtool --vba ./6419474bbbc3fb7844623a633f7b55cf._mal --debug
LibClamAV debug: Initialized 0.100.3 engine
LibClamAV debug: in cli_ole2_extract()
LibClamAV debug:
LibClamAV debug: Magic:         0xd0cf11e0a1b11ae1
LibClamAV debug: CLSID:         {0000-00-00-00-000000}
LibClamAV debug: Minor version:     0x3e
LibClamAV debug: DLL version:       0x3
LibClamAV debug: Byte Order:        -2
LibClamAV debug: Big Block Size:    9
LibClamAV debug: Small Block Size:  6
LibClamAV debug: BAT count:     5
LibClamAV debug: Prop start:        493
LibClamAV debug: SBAT cutoff:       4096
LibClamAV debug: SBat start:        496
LibClamAV debug: SBat block count:  1
LibClamAV debug: XBat start:        -2
LibClamAV debug: XBat block count:  0
LibClamAV debug:
LibClamAV debug: Max block number: 4424
LibClamAV debug: OLE2: VBA project found
LibClamAV debug: OLE2: root entry  [root]  b   size:0x00000640 flags:0x00000000
LibClamAV debug: OLE2: worddocument  [file]  b   size:0x0000ae2e flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping 'worddocument' to '/tmp/clamav-9be4e884f5ffb651b8bbedb36dd1fb67.tmp/126ea3fd0ff7f18c9c5eec0c07398c49_1'
LibClamAV debug: OLE2: _5_documentsummaryinformation  [file]  b   size:0x00001000 flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping '_5_documentsummaryinformation' to '/tmp/clamav-9be4e884f5ffb651b8bbedb36dd1fb67.tmp/c94e3926fdf7b9e624cba640b87b17a8_1'
LibClamAV debug: OLE2: _5_summaryinformation  [file]  b   size:0x000001a4 flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping '_5_summaryinformation' to '/tmp/clamav-9be4e884f5ffb651b8bbedb36dd1fb67.tmp/8f77ea59a4794f91b39913db2e55f3fc_1'
LibClamAV debug: OLE2: macros  [dir ]  b   size:0x00000000 flags:0x00000000
LibClamAV debug: OLE2 dir entry: /tmp/clamav-9be4e884f5ffb651b8bbedb36dd1fb67.tmp/000006
LibClamAV debug: OLE2: project  [file]  b   size:0x00000170 flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping 'project' to '/tmp/clamav-9be4e884f5ffb651b8bbedb36dd1fb67.tmp/000006/46f86faa6bbf9ac94a7e459509a20ed0_1'
LibClamAV debug: OLE2: projectwm  [file]  r   size:0x00000029 flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping 'projectwm' to '/tmp/clamav-9be4e884f5ffb651b8bbedb36dd1fb67.tmp/000006/7fdc011725f5de6d8e10d5fc95398f30_1'
LibClamAV debug: OLE2: vba  [dir ]  r   size:0x00000000 flags:0x00000000
LibClamAV debug: OLE2 dir entry: /tmp/clamav-9be4e884f5ffb651b8bbedb36dd1fb67.tmp/000006/000007
LibClamAV debug: OLE2: thisdocument  [file]  b   size:0x00004968 flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping 'thisdocument' to '/tmp/clamav-9be4e884f5ffb651b8bbedb36dd1fb67.tmp/000006/000007/bad8252681321a1d94d0718a0815fac9_1'
LibClamAV debug: OLE2: _vba_project  [file]  r   size:0x000018f5 flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping '_vba_project' to '/tmp/clamav-9be4e884f5ffb651b8bbedb36dd1fb67.tmp/000006/000007/ae4f6474bee50ccdf1a6b853ba8ad32a_1'
LibClamAV debug: OLE2: dir  [file]  r   size:0x00000203 flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping 'dir' to '/tmp/clamav-9be4e884f5ffb651b8bbedb36dd1fb67.tmp/000006/000007/736007832d2167baaae763fd3a3f3cf1_1'
LibClamAV debug: OLE2: _1_compobj  [file]  r   size:0x00000072 flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping '_1_compobj' to '/tmp/clamav-9be4e884f5ffb651b8bbedb36dd1fb67.tmp/88144fbcb62650fa72c360688f4772c7_1'
LibClamAV debug: OLE2: 1table  [file]  r   size:0x00001cfb flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping '1table' to '/tmp/clamav-9be4e884f5ffb651b8bbedb36dd1fb67.tmp/0e2af3cf7b22050354734d7eb56b80d3_1'
LibClamAV debug: OLE2: data  [file]  b   size:0x0002e208 flags:0x00000000
LibClamAV debug: OLE2 [handler_writefile]: Dumping 'data' to '/tmp/clamav-9be4e884f5ffb651b8bbedb36dd1fb67.tmp/8d777f385d3dfec8815d20f7496026dc_1'
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Phishcheck cleaned up
LibClamAV debug: in cli_vba_readdir()
LibClamAV debug: wm_readdir: No macros detected
LibClamAV debug: in cli_vba_readdir()
LibClamAV debug: in cli_vba_readdir()
LibClamAV debug: read name failed - rewinding
LibClamAV debug: length: 254, name: *\g{000204ef-0000-0000-c000-000000000046}#4.2#9#c:\progra~1\common~1\micros~1\vba\vba7.1\vbe7.dll#visual basic for applications
LibClamAV debug: offset: 302
LibClamAV debug: middle not found
LibClamAV debug: length: 272, name: *\g{00020905-0000-0000-c000-000000000046}#8.6#0#c:\program files\microsoft office\office15\msword.olb#microsoft word 15.0 object library
LibClamAV debug: offset: 588
LibClamAV debug: middle not found
LibClamAV debug: length: 188, name: *\g{00020430-0000-0000-c000-000000000046}#2.0#0#c:\windows\system32\stdole2.tlb#ole automation
LibClamAV debug: offset: 790
LibClamAV debug: middle not found
LibClamAV debug: length: 18, name: *\cnormal
LibClamAV debug: length: 18, name: *\cnormal
LibClamAV debug: read name failed - rewinding
LibClamAV debug: vba_readdir: Guessing little-endian
LibClamAV debug: vba_readdir: VBA Record count 1
LibClamAV debug: vba_readdir: project name: thisdocument (bad8252681321a1d94d0718a0815fac9)
LibClamAV debug: vba_readdir: offset: 13357
root@9cbdc49bab2e:/work#


root@9cbdc49bab2e:/work# /tmp/clamav-0.100.3/bin/clamconf -n
Checking configuration files in /tmp/clamav-0.100.3/etc

clamd.conf not found

freshclam.conf not found

clamav-milter.conf not found

Software settings
-----------------
Version: 0.100.3
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE ICONV RAR

Database information
--------------------
Database directory: /tmp/clamav-0.100.3/share/clamav
WARNING: freshclam.conf and clamd.conf point to different database directories
print_dbs: Can't open directory /tmp/clamav-0.100.3/share/clamav

Platform information
--------------------
uname: Linux 5.10.47-linuxkit #1 SMP Sat Jul 3 21:51:47 UTC 2021 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.8 (1.2.8), compile flags: a9
platform id: 0x0a215d5d0800000000060300

Build information
-----------------
GNU C: 6.3.0 20170516 (6.3.0)
CPPFLAGS:
CFLAGS: -g -O2 -fno-strict-aliasing  -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -g -O2
LDFLAGS:
Configure: '--prefix=/tmp/clamav-0.100.3'
sizeof(void*) = 8
Engine flevel: 93, dconf: 93

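As an added example (not from the issue or the ClamAV project), a small checker that turns the two sigtool --vba --debug transcripts above into a pass/fail regression test: it records whether libclamav reported a VBA project and whether any macro source actually followed the "start of code" marker. The embedded log excerpts are shortened, constructed copies of the two runs quoted in the report.

```python
import re
from typing import Dict, List

# Constructed excerpts of the 0.100.2 and 0.100.3 runs quoted in the issue:
# the first dumps macro source, the second stops after the vba_readdir offset.
LOG_0_100_2 = """\
LibClamAV debug: Initialized 0.100.2 engine
LibClamAV debug: OLE2: VBA project found
LibClamAV debug: OLE2: thisdocument  [file]  b   size:0x00004968 flags:0x00000000
LibClamAV debug: vba_readdir: VBA Record count 1
LibClamAV debug: vba_readdir: project name: thisdocument (bad8252681321a1d94d0718a0815fac9)
LibClamAV debug: vba_readdir: offset: 13357
LibClamAV debug: blobClose: recovered 2219 bytes from 12288
-------------- start of code ------------------
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
"""

LOG_0_100_3 = """\
LibClamAV debug: Initialized 0.100.3 engine
LibClamAV debug: OLE2: VBA project found
LibClamAV debug: OLE2: thisdocument  [file]  b   size:0x00004968 flags:0x00000000
LibClamAV debug: vba_readdir: VBA Record count 1
LibClamAV debug: vba_readdir: project name: thisdocument (bad8252681321a1d94d0718a0815fac9)
LibClamAV debug: vba_readdir: offset: 13357
"""

CODE_MARKER = "-------------- start of code ------------------"


def analyze_sigtool_vba(log: str) -> Dict[str, object]:
    """Summarise one sigtool --vba --debug run: engine version, whether a VBA
    project was found, which project names vba_readdir listed, and whether any
    macro source lines were dumped after the 'start of code' marker."""
    m = re.search(r"Initialized (\S+) engine", log)
    projects = re.findall(r"vba_readdir: project name: (\S+) \([0-9a-f]{32}\)", log)
    records = sum(int(n) for n in re.findall(r"VBA Record count (\d+)", log))
    lines = log.splitlines()
    code: List[str] = []
    if CODE_MARKER in lines:
        # Everything after the marker that is not a debug line is dumped source.
        after = lines[lines.index(CODE_MARKER) + 1:]
        code = [l for l in after if l and not l.startswith("LibClamAV debug")]
    return {"version": m.group(1) if m else None,
            "vba_project_found": "OLE2: VBA project found" in log,
            "record_count": records, "projects": projects,
            "macro_dumped": bool(code), "code_lines": len(code)}


def extraction_regressed(good_log: str, bad_log: str) -> bool:
    """True when both runs saw the same VBA project but only the first dumped code."""
    g, b = analyze_sigtool_vba(good_log), analyze_sigtool_vba(bad_log)
    return bool(g["macro_dumped"]) and not b["macro_dumped"] and g["projects"] == b["projects"]
```

Feed each version's real debug output to analyze_sigtool_vba to reproduce the comparison, and keep extraction_regressed as a guard when upgrading any pipeline that relies on sigtool for macro extraction.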

rzwck commented 3 weeks ago

I have verified that this issue has been fixed since ClamAV v1.1. Closing this issue.