Malicious sample undetected

[rsaccani]

Affected tool: tested with mraptor

Describe the bug This sample is detected as "Macro OK" by mraptor.

File/Malware sample to reproduce the bug zample.zip Also: https://www.hybrid-analysis.com/sample/2bde927f70e5eab71bcc40c35edda033547150c5a2b055080abbc668d23955a4 https://www.virustotal.com/gui/file/2bde927f70e5eab71bcc40c35edda033547150c5a2b055080abbc668d23955a4/detection

How To Reproduce the bug python3 ~/git/oletools/oletools/mraptor.py Michael\ Smith.xls

Expected behavior Dected as suspicious

Console output / Screenshots ----------+-----+----+-------------------------------------------------------- Result |Flags|Type|File
----------+-----+----+-------------------------------------------------------- Macro OK |--- |OLE:|Michael Smith.xls

Version information:

• OS: Linux
• OS: Ubuntu LTS 64 bits
• Python version: 3.6 - 64 bits
• oletools version: 0.55

Additional context

[decalage2]

Thanks for reporting this sample. There are several issues that make mraptor miss it:

• It contains an XLM / Excel 4 macro, not VBA, and XLM is not as well supported as VBA in mraptor. The macro uses "RUN" and "CALL" formulas, which were not included in the list of keywords detected by mraptor. I added them in the latest dev version and now it works. (but then "run" and "call" may trigger false positives in legit macros...)
• The file is encrypted, with the password "VelvetSweatshop". Normally olevba and mraptor automatically decrypt it because it's a well-known password, but on my Win10 machine the file is decrypted in a temp directory, the antivirus catches it, and mraptor/olevba cannot analyze it (issue #411).

[rsaccani]

Just found another sample. It's similar but not encrypted. sample2.zip

[rsaccani]

commit 93688d908d4a382c1a2ffd939830ba5cae614b02 is not working for me:

python3 ~/git/oletools/oletools/mraptor.py -l debug Michael\ Smith.xls 
MacroRaptor 0.56dev5 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File                                                    
----------+-----+----+--------------------------------------------------------
Macro OK  |---  |OLE:|Michael Smith.xls                                       

Flags: A=AutoExec, W=Write, X=Execute
Exit code: 2 - Macro OK

I expected to get an X. Am I wrong? Thanks