oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
The mraptor-2 command uses Python 2.7, mraptor-3 uses Python 3.6, both on CentOS 7 (x86_64). The file is indeed the same, and it should still be treated as malicious, so this issue seems to be a regression in mraptor introduced some time after oletools 0.54.
$ mraptor-2 2d229a302ecfdb8e3424b4ea3447586e2e3084e17b5874ebb93a5d41286ed812.doc
MacroRaptor 0.51 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File
----------+-----+----+--------------------------------------------------------
SUSPICIOUS|AWX  |OLE |2d229a302ecfdb8e3424b4ea3447586e2e3084e17b5874ebb93a5d41
          |     |    |286ed812.doc
Flags: A=AutoExec, W=Write, X=Execute
Exit code: 20 - SUSPICIOUS
$
$ mraptor-3 2d229a302ecfdb8e3424b4ea3447586e2e3084e17b5874ebb93a5d41286ed812.doc
MacroRaptor 0.54 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File
----------+-----+----+--------------------------------------------------------
SUSPICIOUS|AWX  |OLE:|2d229a302ecfdb8e3424b4ea3447586e2e3084e17b5874ebb93a5d41
          |     |    |286ed812.doc
Flags: A=AutoExec, W=Write, X=Execute
Exit code: 20 - SUSPICIOUS
$
$ mraptor-3 2d229a302ecfdb8e3424b4ea3447586e2e3084e17b5874ebb93a5d41286ed812.doc
MacroRaptor 0.56 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File
----------+-----+----+--------------------------------------------------------
ERROR     |     |OLE:|2d229a302ecfdb8e3424b4ea3447586e2e3084e17b5874ebb93a5d41
          |     |    |286ed812.doc
Flags: A=AutoExec, W=Write, X=Execute
Traceback (most recent call last):
  File "/usr/bin/mraptor-3", line 11, in <module>
    load_entry_point('oletools==0.56', 'console_scripts', 'mraptor')()
  File "/usr/lib/python3.6/site-packages/oletools/mraptor.py", line 349, in main
    print('Exit code: %d - %s' % (exitcode, global_result.name))
AttributeError: 'NoneType' object has no attribute 'name'
$
Further on, olevba-3 also has issues handling the file:
$ olevba-3 2d229a302ecfdb8e3424b4ea3447586e2e3084e17b5874ebb93a5d41286ed812.doc
olevba 0.56 on Python 3.6.8 - http://decalage.info/python/oletools
===============================================================================
FILE: 2d229a302ecfdb8e3424b4ea3447586e2e3084e17b5874ebb93a5d41286ed812.doc
Type: OLE
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/oletools/olevba.py", line 4023, in process_file
    self.run_analysis(show_decoded_strings=show_decoded_strings, deobfuscate=deobfuscate)
  File "/usr/lib/python3.6/site-packages/oletools/olevba.py", line 3919, in run_analysis
    self.analyze_macros(show_decoded_strings, deobfuscate)
  File "/usr/lib/python3.6/site-packages/oletools/olevba.py", line 3531, in analyze_macros
    self.vba_code_all_modules = self.get_vba_code_all_modules()
  File "/usr/lib/python3.6/site-packages/oletools/olevba.py", line 3510, in get_vba_code_all_modules
    for (_, _, _, vba_code) in self.extract_all_macros():
  File "/usr/lib/python3.6/site-packages/oletools/olevba.py", line 3494, in extract_all_macros
    for (subfilename, stream_path, vba_filename, vba_code) in self.extract_macros():
  File "/usr/lib/python3.6/site-packages/oletools/olevba.py", line 3477, in extract_macros
    if self.detect_vba_stomping():
  File "/usr/lib/python3.6/site-packages/oletools/olevba.py", line 3859, in detect_vba_stomping
    assert(s[0]=='"' and s[-1]=='"')
AssertionError
ERROR Error processing file 2d229a302ecfdb8e3424b4ea3447586e2e3084e17b5874ebb93a5d41286ed812.doc ()!
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/oletools/olevba.py", line 4023, in process_file
    self.run_analysis(show_decoded_strings=show_decoded_strings, deobfuscate=deobfuscate)
  File "/usr/lib/python3.6/site-packages/oletools/olevba.py", line 3919, in run_analysis
    self.analyze_macros(show_decoded_strings, deobfuscate)
  File "/usr/lib/python3.6/site-packages/oletools/olevba.py", line 3531, in analyze_macros
    self.vba_code_all_modules = self.get_vba_code_all_modules()
  File "/usr/lib/python3.6/site-packages/oletools/olevba.py", line 3510, in get_vba_code_all_modules
    for (_, _, _, vba_code) in self.extract_all_macros():
  File "/usr/lib/python3.6/site-packages/oletools/olevba.py", line 3494, in extract_all_macros
    for (subfilename, stream_path, vba_filename, vba_code) in self.extract_macros():
  File "/usr/lib/python3.6/site-packages/oletools/olevba.py", line 3477, in extract_macros
    if self.detect_vba_stomping():
  File "/usr/lib/python3.6/site-packages/oletools/olevba.py", line 3859, in detect_vba_stomping
    assert(s[0]=='"' and s[-1]=='"')
AssertionError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/oletools/olevba.py", line 4361, in process_file
    no_xlm=options.no_xlm)
  File "/usr/lib/python3.6/site-packages/oletools/olevba.py", line 4109, in process_file
    raise ProcessingError(self.filename, exc)
oletools.olevba.ProcessingError: Error processing file 2d229a302ecfdb8e3424b4ea3447586e2e3084e17b5874ebb93a5d41286ed812.doc ()
$
From what I have figured out so far, this likely broke after commit aae7b4c4aad4d571b9c772817e450aa94b618c7e, but before commit 4f51278fda8d349d8b35d7f939986d14f554772a
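The practical risk in the 0.56 runs above is not just a lost verdict: when mraptor dies with an uncaught exception, the Python interpreter exits with status 1, which is the same value mraptor's own help text documents as "Not MS Office". A batch pipeline that keys only on the exit code would therefore file a crashing, previously SUSPICIOUS sample as benign. The following wrapper is an added example, not code from this issue or from oletools; it assumes mraptor's documented exit codes (0 = no macro, 1 = not MS Office, 2 = macro OK, 10 = ERROR, 20 = SUSPICIOUS), which should be checked against the installed version, and the sample outputs it embeds are constructed from the runs shown above.

```python
"""Fail-closed triage wrapper around mraptor (added example, not oletools code)."""
import re
import subprocess
from typing import NamedTuple

# Exit codes as printed by `mraptor --help` (assumption: verify against the
# installed oletools version; these values are not taken from this page).
MRAPTOR_EXIT = {
    0: "No Macro",
    1: "Not MS Office",
    2: "Macro OK",
    10: "ERROR",
    20: "SUSPICIOUS",
}

_TRACEBACK = re.compile(r"^Traceback \(most recent call last\):", re.M)
_RESULT_ROW = re.compile(r"^(SUSPICIOUS|ERROR)\s*\|", re.M)


class Verdict(NamedTuple):
    label: str        # mraptor's result name, or "ERROR" for any failure
    quarantine: bool  # True whenever the sample must not be released


def classify(returncode: int, stdout: str, stderr: str) -> Verdict:
    """Map one mraptor run to a verdict, failing closed on crashes.

    An uncaught exception gives exit status 1, colliding with "Not MS Office",
    so we also look for a traceback on either stream and for an ERROR row in
    the result table, and treat any of those as ERROR whatever the status is.
    """
    combined = stdout + "\n" + stderr
    crashed = _TRACEBACK.search(combined) is not None
    rows = set(_RESULT_ROW.findall(stdout))
    if returncode == 20 or "SUSPICIOUS" in rows:
        return Verdict("SUSPICIOUS", True)
    if crashed or returncode == 10 or "ERROR" in rows or returncode not in MRAPTOR_EXIT:
        return Verdict("ERROR", True)
    return Verdict(MRAPTOR_EXIT[returncode], False)


def scan(path: str, mraptor: str = "mraptor") -> Verdict:
    """Run mraptor on one file and classify the outcome (Python 3.6 compatible)."""
    proc = subprocess.run([mraptor, path], stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, universal_newlines=True)
    return classify(proc.returncode, proc.stdout, proc.stderr)


# Constructed samples modelled on the runs in this issue (not real captures).
SAMPLE_OK_STDOUT = (
    "Result    |Flags|Type|File\n"
    "SUSPICIOUS|AWX  |OLE |sample.doc\n"
    "Exit code: 20 - SUSPICIOUS\n"
)
SAMPLE_CRASH_STDOUT = (
    "Result    |Flags|Type|File\n"
    "ERROR     |     |OLE:|sample.doc\n"
)
SAMPLE_CRASH_STDERR = (
    "Traceback (most recent call last):\n"
    "  File \"mraptor.py\", line 349, in main\n"
    "AttributeError: 'NoneType' object has no attribute 'name'\n"
)

if __name__ == "__main__":
    print(classify(20, SAMPLE_OK_STDOUT, ""))
    print(classify(1, SAMPLE_CRASH_STDOUT, SAMPLE_CRASH_STDERR))
    print(classify(1, "", ""))
```

The point of the wrapper is the ordering of the checks: a SUSPICIOUS row or exit code always wins, any sign of a crash or an unknown exit status is quarantined as ERROR, and only a clean, documented benign code releases the file.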