Open J0xA0 opened 3 years ago
Thanks a lot for reporting this. MRaptor is designed to analyse VBA macros, but XLM macros are quite different and cannot always be detected as malicious because they can be obfuscated more than VBA (emulation is often required to really see what it does). I'll have a look if this XLM macro contains other keywords that could be detected by mraptor, but for now I don't see any in the output above.
Affected tool: mraptor
Describe the bug: mraptor is not able to identify the macro of an XLS file as suspicious.
File/Malware sample to reproduce the bug: doc_8650.zip
Password: infected
SHA256: 486ac850901637cb0b0d80497df8c36ff9a83b1ba018bd6af635c93346d6f200 doc_8650.xls
How To Reproduce the bug: The file is a Microsoft Excel OLE type. When analysed via olevba it returns the following information:
But mraptor considers the file as not having suspicious macros:
Expected behavior: The expected behaviour would be for mraptor to consider the macro as suspicious.
Version information:
Additional context: Report in VT https://www.virustotal.com/gui/file/486ac850901637cb0b0d80497df8c36ff9a83b1ba018bd6af635c93346d6f200/detection