Error- unpack requires a buffer of 16 bytes

[milindsolage]

Trying to execute this on a sample onenote file and it errors out. self.uintMagic, self.FileNodeListID, self.nFragmentSequence = struct.unpack('<8sII', file.read(16)) struct.error: unpack requires a buffer of 16 bytes

OS- Windows2019 with latest version of Python.

[DissectMalware]

Can you share the file with me? without the file I am not able to debug and see what the problem is.

If it is on VT or any other public repository you can just give me the sha256...

You can also DM me on Twitter if you do not want to share the details here

https://twitter.com/DissectMalware

[milindsolage]

1) This is not on VT, just a random onenote file. This was just a very large One note file with size ~134MB size. Has multiple word docs, ppts and other files embedded in it. Unfortunately, I cannot share this file. 2) Tried couple of other small one note files a) with word doc and excel embedded and it emitted the png screenshot and the actual doc and excel file in it. b) when there are no embedded files, it does not emit anything in output. 3) The output is always verbose. Consider adding /v flag to not output verbose. 4) Consider adding an output log file with json format to be able to parse the output programmatically. And add exit codes to determine success\error while unpacking.

[DissectMalware]

Make sense as I have not covered all filenode types. If the program cannot parse a filenode, it might result in jumping to a location in file that does not exist so read function returns zero bytes instead of 16 for example.

regarding other points, I will try to address them in next PR.

[Matmaus]

Hi, this sample is raising the same exception. Maybe it could help.

[DissectMalware]

Thank you for sharing the sample, will check soon