decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

An ERROR occurs in olevba when parsing a simple .xlsm. #808

Closed yuichi-github closed 8 months ago

yuichi-github commented 1 year ago

Affected tool: olevba

Describe the bug
An ERROR occurs in olevba when parsing a simple .xlsm. Any support is highly appreciated.

Error Details
```
# olevba book1.xlsm
olevba 0.60.1 on Python 3.10.6 - http://decalage.info/python/oletools
===============================================================================
FILE: book1.xlsm
Type: OpenXML
WARNING  invalid value for PROJECTLCID_Id expected 0002 got 004A
WARNING  invalid value for PROJECTLCID_Lcid expected 0409 got 0003
WARNING  invalid value for PROJECTLCIDINVOKE_Id expected 0014 got 0002
WARNING  invalid value for PROJECTCODEPAGE_Id expected 0003 got 0014
WARNING  invalid value for PROJECTCODEPAGE_Size expected 0002 got 0004
WARNING  invalid value for PROJECTNAME_Id expected 0004 got 0000
ERROR    PROJECTNAME_SizeOfProjectName value not in range [1-128]: 131075
ERROR    Error in _extract_vba
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/oletools/olevba.py", line 3526, in extract_macros
    for stream_path, vba_filename, vba_code in \
  File "/usr/local/lib/python3.10/dist-packages/oletools/olevba.py", line 2094, in _extract_vba
    project = VBA_Project(ole, vba_root, project_path, dir_path, relaxed)
  File "/usr/local/lib/python3.10/dist-packages/oletools/olevba.py", line 1752, in __init__
    projectdocstring_id = struct.unpack("
```

File/Malware sample to reproduce the bug
password: simple
Book1.zip

How To Reproduce the bug
Invoke the command below.
`olevba book1.xlsm`

Expected behavior
Parsing successfully.

Console output / Screenshots
See the 'Describe the bug' section

Version information:

  • OS: Linux
  • OS version: Ubuntu 22.04 (Windows WSL 1.0.3.0-64 bits)
  • Python version: 3.10.6
  • oletools version: 0.60.1
  • Excel: Microsoft Excel for Microsoft 365 MSO (Version 2208 Build 16.0.15601.20446) 64 bits

Additional context

zin-htet-aung commented 1 year ago

I also get the same error.

```
OS : "Kali GNU/Linux"
VERSION="2022.4"
olevba version : 0.60.1
```

```
WARNING  invalid value for PROJECTLCID_Id expected 0002 got 004A
WARNING  invalid value for PROJECTLCID_Lcid expected 0409 got 0002
WARNING  invalid value for PROJECTLCIDINVOKE_Id expected 0014 got 0002
WARNING  invalid value for PROJECTCODEPAGE_Id expected 0003 got 0014
WARNING  invalid value for PROJECTCODEPAGE_Size expected 0002 got 0004
WARNING  invalid value for PROJECTNAME_Id expected 0004 got 0000
ERROR    PROJECTNAME_SizeOfProjectName value not in range [1-128]: 131075
ERROR    Error in _extract_vba
Traceback (most recent call last):
  File "/home/user/Downloads/tools/oletools/venv/lib/python3.11/site-packages/oletools/olevba.py", line 3526, in extract_macros
    for stream_path, vba_filename, vba_code in \
  File "/home/user/Downloads/tools/oletools/venv/lib/python3.11/site-packages/oletools/olevba.py", line 2094, in _extract_vba
    project = VBA_Project(ole, vba_root, project_path, dir_path, relaxed)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/Downloads/tools/oletools/venv/lib/python3.11/site-packages/oletools/olevba.py", line 1752, in __init__
    projectdocstring_id = struct.unpack("<H", dir_stream.read(2))[0]
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
struct.error: unpack requires a buffer of 2 bytes
```

gjvdkamp commented 8 months ago

Hi, getting this error too, any idea how to get around this?

```
olevba 0.60.1 on Python 3.11.6 - http://decalage.info/python/oletools
===============================================================================
FILE: 20231212 Trial Balance Pull.xlsm
Type: OpenXML
WARNING  invalid value for PROJECTLCID_Id expected 0002 got 004A
WARNING  invalid value for PROJECTLCID_Lcid expected 0409 got 0004
WARNING  invalid value for PROJECTLCIDINVOKE_Id expected 0014 got 0002
WARNING  invalid value for PROJECTCODEPAGE_Id expected 0003 got 0014
WARNING  invalid value for PROJECTCODEPAGE_Size expected 0002 got 0004
WARNING  invalid value for PROJECTNAME_Id expected 0004 got 0000
ERROR    PROJECTNAME_SizeOfProjectName value not in range [1-128]: 131075
ERROR    Error in _extract_vba
Traceback (most recent call last):
  File "C:\Users\Gert-JanvanderKamp\AppData\Local\Programs\Python\Python311\Lib\site-packages\oletools\olevba.py", line 3526, in extract_macros
    for stream_path, vba_filename, vba_code in \
  File "C:\Users\Gert-JanvanderKamp\AppData\Local\Programs\Python\Python311\Lib\site-packages\oletools\olevba.py", line 2094, in _extract_vba
    project = VBA_Project(ole, vba_root, project_path, dir_path, relaxed)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\Gert-JanvanderKamp\AppData\Local\Programs\Python\Python311\Lib\site-packages\oletools\olevba.py", line 1752, in __init__
    projectdocstring_id = struct.unpack("<H", dir_stream.read(2))[0]
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
struct.error: unpack requires a buffer of 2 bytes
WARNING  For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO Main 
in file: xl/vbaProject.bin - OLE stream: 'Main'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Option Explicit

Sub buttonGetOrg()
'Button to get organisation list
```

decalage2 commented 8 months ago

Fixed by PR #723
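
The warnings in the logs above are what a positional parser produces when an extra record sits in front of PROJECTLCID: 0x004A is the Id of the PROJECTCOMPATVERSION record in MS-OVBA. The following is an added example, not oletools code and not the PR #723 patch; the stream bytes are constructed, the function names are hypothetical, and only the records up to PROJECTNAME are modelled.

```python
import struct

def build_dir_prefix(with_compat=True, name=b"VBAProject"):
    """Constructed sample: first records of a decompressed VBA 'dir' stream."""
    rec = lambda rid, data: struct.pack("<HI", rid, len(data)) + data
    out = rec(0x0001, struct.pack("<I", 3))         # PROJECTSYSKIND
    if with_compat:
        out += rec(0x004A, struct.pack("<I", 3))    # PROJECTCOMPATVERSION (optional)
    out += rec(0x0002, struct.pack("<I", 0x0409))   # PROJECTLCID
    out += rec(0x0014, struct.pack("<I", 0x0409))   # PROJECTLCIDINVOKE
    out += rec(0x0003, struct.pack("<H", 1252))     # PROJECTCODEPAGE
    return out + rec(0x0004, name)                  # PROJECTNAME

# (field, struct format, expected value or None) in the order a positional parser reads them
FIXED = [
    ("PROJECTSYSKIND_Id", "<H", 0x0001), ("PROJECTSYSKIND_Size", "<I", 4),
    ("PROJECTSYSKIND_SysKind", "<I", None),
    ("PROJECTLCID_Id", "<H", 0x0002), ("PROJECTLCID_Size", "<I", 4),
    ("PROJECTLCID_Lcid", "<I", 0x0409),
    ("PROJECTLCIDINVOKE_Id", "<H", 0x0014), ("PROJECTLCIDINVOKE_Size", "<I", 4),
    ("PROJECTLCIDINVOKE_LcidInvoke", "<I", 0x0409),
    ("PROJECTCODEPAGE_Id", "<H", 0x0003), ("PROJECTCODEPAGE_Size", "<I", 2),
    ("PROJECTCODEPAGE_CodePage", "<H", None),
    ("PROJECTNAME_Id", "<H", 0x0004), ("PROJECTNAME_SizeOfProjectName", "<I", None),
]

def parse_fixed(buf):
    """Positional parse; returns (warnings, value read as SizeOfProjectName)."""
    pos, warnings, val = 0, [], None
    for field, fmt, expected in FIXED:
        (val,) = struct.unpack_from(fmt, buf, pos)
        pos += struct.calcsize(fmt)
        if expected is not None and val != expected:
            warnings.append("invalid value for %s expected %04X got %04X"
                            % (field, expected, val))
    return warnings, val

def parse_records(buf):
    """Record-driven parse: dispatch on each Id so an extra record shifts nothing."""
    pos, found = 0, {}
    while pos + 6 <= len(buf):
        rid, size = struct.unpack_from("<HI", buf, pos)
        data = buf[pos + 6:pos + 6 + size]
        if len(data) != size:   # size field runs past the buffer: fail with a clear error
            raise ValueError("record %04X claims %d bytes, %d available"
                             % (rid, size, len(data)))
        found[rid] = data
        pos += 6 + size
    return found
```

On the constructed stream, `parse_fixed` returns the same six warnings as the first report and reads 131075 as the project name size, while `parse_records` recovers the project name.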