oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
Affected tool: oleid
Describe the bug: OleID fails to detect XLM macros, while opening the file manually clearly shows it has them.
File/Malware sample to reproduce the bug: 961a06016808892b0f7098974b4eda79afd949c85468bd2397b1c9c7659a2f81
How To Reproduce the bug
Expected behavior: different output in the XLM macros indicator. contains_xlm_macros : "Yes"
Console output / Screenshots: 'Error when running oledump.plugin_biff, please report to https://github.com/decalage2/oletools/issues'
Version information:
Additional context: The bug seems to appear in the function P23Decode used in _extract_xlm_plugin_biff (during the call of cBIFF.Analyze).
It doesn't manage to decode a part of the file, and returns False to the feature contains_xlm_macros.
In the file you can see defined functions like Auto_Open and Auto_Close (which cause the “Enable Macro” button to trigger).
There are multiple references to a hidden macro sheet named “00000ppy”:
Thanks