Open rsaccani opened 4 years ago
Thanks for reporting this sample. There are several issues that make mraptor miss it:
Just found another sample. It's similar but not encrypted. sample2.zip
commit 93688d908d4a382c1a2ffd939830ba5cae614b02 is not working for me:
python3 ~/git/oletools/oletools/mraptor.py -l debug Michael\ Smith.xls
MacroRaptor 0.56dev5 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File
----------+-----+----+--------------------------------------------------------
Macro OK  |---  |OLE:|Michael Smith.xls
Flags: A=AutoExec, W=Write, X=Execute
Exit code: 2 - Macro OK
I expected to get an X. Am I wrong? Thanks
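To make the Flags column in the output above concrete, the following is an added, simplified re-implementation of the A/W/X flag scheme and the verdict rule it feeds, not oletools' or mraptor's own code: the keyword lists are a constructed, deliberately short subset (real mraptor uses far larger pattern sets and extracts the VBA from the OLE/OOXML container first), and the sample macros are constructed test inputs. The third case shows the failure mode this thread is about from the defender's side: when no macro text reaches the keyword scan (for example because the VBA project could not be extracted or decrypted), every flag stays "-" and the verdict is "Macro OK", so that result should be read as "nothing matched", not as a clean bill of health.

```python
import re

# Constructed, reduced keyword sets that illustrate the three flag categories
# printed by mraptor ("A=AutoExec, W=Write, X=Execute"). Not mraptor's lists.

# A = AutoExec: procedures Office runs without user interaction.
RE_AUTOEXEC = re.compile(
    r'\b(AutoOpen|AutoExec|AutoClose|Auto_Open|Document_Open|Workbook_Open)\b',
    re.IGNORECASE)

# W = Write: file-system or registry writes.
RE_WRITE = re.compile(
    r'\b(FileCopy|Kill|CreateTextFile|SaveToFile|'
    r'Open\s+[^\n]+\s+For\s+(Output|Binary|Append))\b',
    re.IGNORECASE)

# X = Execute: starting a process or a COM object able to start one.
RE_EXECUTE = re.compile(
    r'\b(Shell|WScript\.Shell|CreateObject|GetObject|Run|Exec)\b',
    re.IGNORECASE)


def scan_vba(vba_code: str) -> dict:
    """Return the A/W/X flag string and verdict for one VBA source text."""
    autoexec = RE_AUTOEXEC.search(vba_code) is not None
    write = RE_WRITE.search(vba_code) is not None
    execute = RE_EXECUTE.search(vba_code) is not None
    # mraptor's documented rule: AutoExec combined with Write or Execute is
    # suspicious; any of them alone is still reported as "Macro OK".
    suspicious = autoexec and (write or execute)
    flags = (('A' if autoexec else '-')
             + ('W' if write else '-')
             + ('X' if execute else '-'))
    return {
        'flags': flags,
        'suspicious': suspicious,
        'result': 'SUSPICIOUS' if suspicious else 'Macro OK',
    }


def format_row(result: str, flags: str, ftype: str, filename: str) -> str:
    """Render one result row in the same column layout as mraptor's table."""
    return '%-10s|%-5s|%-4s|%s' % (result, flags, ftype, filename)


# Constructed sample 1: auto-run procedure plus an execute keyword -> A-X.
SAMPLE_AUTOEXEC_PLUS_EXECUTE = '''
Sub AutoOpen()
    Set o = CreateObject("WScript.Shell")
    o.Run "notepad.exe"
End Sub
'''

# Constructed sample 2: auto-run procedure only -> A--, still "Macro OK".
SAMPLE_AUTOEXEC_ONLY = '''
Sub Workbook_Open()
    MsgBox "Welcome"
End Sub
'''

# Constructed sample 3: nothing extracted (e.g. encrypted or unparsed
# VBA project) -> ---, "Macro OK", which is exactly what a miss looks like.
SAMPLE_NOTHING_EXTRACTED = ''


if __name__ == '__main__':
    print(format_row('Result', 'Flags', 'Type', 'File'))
    for name, code in [('sample1.xls', SAMPLE_AUTOEXEC_PLUS_EXECUTE),
                       ('sample2.xls', SAMPLE_AUTOEXEC_ONLY),
                       ('sample3.xls', SAMPLE_NOTHING_EXTRACTED)]:
        r = scan_vba(code)
        print(format_row(r['result'], r['flags'], 'OLE:', name))
```

The `---` row for the empty input is the one to watch for in triage: it is indistinguishable in the summary table from a document whose macros were fully scanned and found harmless, so pair the verdict with the debug log (as the `-l debug` run above does) to confirm that VBA was actually extracted.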
Affected tool: tested with mraptor
Describe the bug: This sample is detected as "Macro OK" by mraptor.
File/Malware sample to reproduce the bug: zample.zip
Also: https://www.hybrid-analysis.com/sample/2bde927f70e5eab71bcc40c35edda033547150c5a2b055080abbc668d23955a4 https://www.virustotal.com/gui/file/2bde927f70e5eab71bcc40c35edda033547150c5a2b055080abbc668d23955a4/detection
How To Reproduce the bug: python3 ~/git/oletools/oletools/mraptor.py Michael\ Smith.xls
Expected behavior: Detected as suspicious
Console output / Screenshots:
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File
----------+-----+----+--------------------------------------------------------
Macro OK  |---  |OLE:|Michael Smith.xls
Version information:
Additional context