decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

rtfobj+olefile - sample not parsed correctly #158

Open decalage2 opened 7 years ago

decalage2 commented 7 years ago

This sample is parsed without error by rtfobj, but the extracted objects seem to be corrupt: https://virustotal.com/en/file/05081997f1f0d5cee95106de47044dab1fe3f43913288cf409a4bdfa0556a9a7/analysis/

with olevba:

olevba 05081997f1f0d5cee95106de47044dab1fe3f43913288cf409a4bdfa0556a9a7_object_0002E083.doc
olevba 0.51dev3 - http://decalage.info/python/oletools
Flags        Filename
-----------  -----------------------------------------------------------------
ERROR    Unhandled exception in main: OleFileIO instance has no attribute 'root'
Traceback (most recent call last):
  File "c:\oletools\olevba.py", line 3376, in main
    relaxed=options.relaxed)
  File "c:\oletools\olevba.py", line 2989, in __init__
    super(VBA_Parser_CLI, self).__init__(*args, **kwargs)
  File "c:\oletools\olevba.py", line 2290, in __init__
    self.open_ppt()
  File "c:\oletools\olevba.py", line 2527, in open_ppt
    ppt = ppt_parser.PptParser(self.ole_file, fast_fail=True)
  File "c:\oletools\ppt_parser.py", line 1143, in __init__
    root_streams = self.ole.listdir()
  File "c:\oletools\thirdparty\olefile\olefile.py", line 1945, in listdir
    self._list(files, [], self.root, streams, storages)
AttributeError: OleFileIO instance has no attribute 'root'

with oleid:

oleid 05081997f1f0d5cee95106de47044dab1fe3f43913288cf409a4bdfa0556a9a7_object_0002E083.doc
oleid 0.51 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

Filename: 05081997f1f0d5cee95106de47044dab1fe3f43913288cf409a4bdfa0556a9a7_object_0002E083.doc
Traceback (most recent call last):
  File "C:\Python27\Scripts\oleid-script.py", line 11, in <module>
    load_entry_point('oletools', 'console_scripts', 'oleid')()
  File "c:\oletools\oleid.py", line 304, in main
    indicators = oleid.check()
  File "c:\oletools\oleid.py", line 177, in check
    self.ole = olefile.OleFileIO(self.filename)
  File "c:\oletools\olefile.py", line 1199, in __init__
    self.open(filename, write_mode=write_mode)
  File "c:\oletools\thirdparty\olefile\olefile.py", line 1389, in open
    self._raise_defect(DEFECT_FATAL, "incorrect ByteOrder in OLE header")
  File "c:\oletools\thirdparty\olefile\olefile.py", line 1221, in _raise_defect
    raise exception_type(message)
IOError: incorrect ByteOrder in OLE header

RealLinkers commented 6 years ago

Experiencing the same issue sadly, a fix would be greatly appreciated :)

rammy22 commented 5 years ago

+1
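
As an added example (not part of this thread, and not oletools or olefile code): a pre-check of the fixed Compound File Binary header fields that can be run on an object extracted by rtfobj before it is handed to olefile, so a damaged header like the one behind the "incorrect ByteOrder in OLE header" error above is reported field by field. The function names and both sample headers are constructed for illustration; the offsets follow the CFB header layout.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # 8-byte OLE2/CFB signature
SECTOR_SHIFT_FOR_MAJOR = {3: 9, 4: 12}         # 512- and 4096-byte sectors


def check_cfb_header(data):
    """Return a list of header problems; an empty list means the fixed
    fields look sane (hypothetical helper, not an olefile API)."""
    if len(data) < 512:
        return ["truncated: %d bytes, a CFB header is 512 bytes" % len(data)]
    problems = []
    if data[:8] != CFB_MAGIC:
        problems.append("bad signature: %s" % data[:8].hex())
    # Offsets 24..33: minor version, major version, byte order,
    # sector shift, mini sector shift (all little-endian uint16).
    _minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from(
        "<5H", data, 24)
    if byte_order != 0xFFFE:
        problems.append("incorrect ByteOrder: 0x%04X (expected 0xFFFE)" % byte_order)
    expected = SECTOR_SHIFT_FOR_MAJOR.get(major)
    if expected is None:
        problems.append("unexpected major version: %d" % major)
    elif sector_shift != expected:
        problems.append("sector shift %d does not match major version %d"
                        % (sector_shift, major))
    if mini_shift != 6:
        problems.append("mini sector shift %d (expected 6)" % mini_shift)
    return problems


def build_header(byte_order=0xFFFE):
    """Constructed 512-byte sample header, zero-filled after the checked fields."""
    fields = struct.pack("<5H", 0x003E, 3, byte_order, 9, 6)
    return (CFB_MAGIC + b"\x00" * 16 + fields).ljust(512, b"\x00")


GOOD = build_header()                  # constructed, well-formed header
BAD = build_header(byte_order=0x0000)  # constructed, ByteOrder field damaged

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD", BAD), ("SHORT", BAD[:20])):
        print(name, check_cfb_header(blob) or "header fields OK")
```

A non-empty result on an extracted object points to a damaged header in the extracted data, which separates that case from a parsing problem further inside the container.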