Open CanIPhish opened 4 years ago
1, While running olevba.py script getting above error and using updated oletools version , is the fix available ?
or any way to fix this issue ?
Hi, the hex strings detection is not perfect and it can often trigger false positives when there are large numbers somewhere in the code. Quite often, this is due to numbers that appear in the VBA attributes at the beginning of a macro, and those attributes are hidden by default. Please run this command to confirm if this is the case:
olevba --attr --decode <your file>
--attr --decode
Thanks for your reply , as I have created simple macro enabled file and output below as requested.
Any update on this issue @decalage2?
I am receiving the same output. In addition, the Base64 decoding incorrectly shows the sheet name as suspicious.
Version information: OS: Ubuntu OS Version: 22.04.3 LTS Python version: 3.10.12 oletools version: 0.60.1
Affected tool: olevba
Describe the bug olevba flags excel macro-enabled documents (.xls & .xlsm) as containing suspicious hex strings and suspicious keywords on any document scanned - using olevba 0.55.dev3 or 0.54.2 on Python 3.7.4
How To Reproduce the bug
Create an excel macro with nothing other than the below function: Private Sub Workbook_Open() MsgBox "This is fun" End Sub
Run olevba '--decode' shows the Hex Strings being flagged, '--triage' shows Hex Strings and Suspicious Keywords being flagged olevba --decode
olevba --triage
Console output / Screenshots
Version information: