decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

Macro detection issues #837

Open tstallings opened 8 months ago

tstallings commented 8 months ago

Affected tool: olevba and mraptor

Describe the bug: XLM macro detection incorrectly reports that no macros are found

File/Malware sample to reproduce the bug: test_xls.zip (password: infected)

How To Reproduce the bug

olevba:

olevba 0.60.1 on Python 3.10.12 - http://decalage.info/python/oletools
Flags        Filename
-----------  -----------------------------------------------------------------
OLE:-AS-HB-- tests/data/test.xls

(Flags: OpX=OpenXML, XML=Word2003XML, FlX=FlatOPC XML, MHT=MHTML, TXT=Text, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)

mraptor:

MacroRaptor 0.56.2 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File
----------+-----+----+--------------------------------------------------------
No Macro  |     |OLE:|tests/data/test.xls

Flags: A=AutoExec, W=Write, X=Execute
Exit code: 0 - No Macro

root@fd43fff22f08:/opt/malware_analysis_tools# poetry run python -m pip show oletools
Name: oletools
Version: 0.60.1
Summary: Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR
Home-page: http://www.decalage.info/python/oletools
Author: Philippe Lagadec
Author-email: nospam@decalage.info
License: BSD
Location: /root/.cache/pypoetry/virtualenvs/malware-analysis-tools-J26q8sQT-py3.10/lib/python3.10/site-packages
Requires: colorclass, easygui, msoffcrypto-tool, olefile, pcodedmp, pyparsing
Required-by: malware-analysis-tools

Expected behavior: Note the M in the output from olevba 0.56.2

olevba 0.56.2 on Python 3.10.12 - http://decalage.info/python/oletools
Flags        Filename
-----------  -----------------------------------------------------------------
OLE:MAS-HB-- tests/data/test.xls

(Flags: OpX=OpenXML, XML=Word2003XML, FlX=FlatOPC XML, MHT=MHTML, TXT=Text, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)

mraptor output:

MacroRaptor 0.56.2 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File
----------+-----+----+--------------------------------------------------------
SUSPICIOUS|A-X  |OLE:|tests/data/test.xls

Flags: A=AutoExec, W=Write, X=Execute
Exit code: 20 - SUSPICIOUS

Additional context: The olevba triage output is incorrect because of a missing boolean check around here. The missing check is:

if self.contains_xlm_macros: macros = 'M'

This missing check might be present in other parts of the output logic, but I didn't check.

The mraptor bug is caused by the code here. It appears that the macro logic was split into two functions, one for XLM and one for VBA. A wrapper function was created to run both checks, but mraptor didn't get updated to call the new wrapper function:

if vba_parser.detect_macros():
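As an added illustration (my own stand-alone code, not oletools' or the reporter's), this is the check the report is about: Excel 4.0 (XLM) macro sheets are declared by BOUNDSHEET records in the BIFF8 Workbook stream with sheet type 0x01, and a triage summary that ignores them prints '-' where olevba 0.56.2 printed 'M'. The Workbook stream used here is constructed inline; the record layout follows MS-XLS and the very-hidden macro sheet is the case that matters most.

```python
import struct

# BIFF8 record types (MS-XLS). BOUNDSHEET.dt: 0x00 worksheet, 0x01 XLM macro sheet,
# 0x02 chart, 0x06 VBA module. hsState low bits: 0 visible, 1 hidden, 2 very hidden.
BOF, BOUNDSHEET, EOF, MACRO_SHEET = 0x0809, 0x0085, 0x000A, 0x01

def iter_records(data):
    """Yield (type, payload) for each BIFF record; stop cleanly at a truncated one."""
    pos = 0
    while pos + 4 <= len(data):
        rtype, length = struct.unpack_from("<HH", data, pos)
        payload = data[pos + 4:pos + 4 + length]
        if len(payload) < length:
            break  # record runs past the end of the stream
        yield rtype, payload
        pos += 4 + length

def parse_boundsheet(payload):
    """Decode BOUNDSHEET -> (sheet name, dt, hidden); None if malformed."""
    if len(payload) < 8:
        return None
    _lbplypos, hs_state, dt, cch, flags = struct.unpack_from("<IBBBB", payload, 0)
    raw = payload[8:]
    name = (raw[:cch * 2].decode("utf-16-le", errors="replace") if flags & 0x01
            else raw[:cch].decode("latin-1"))  # fHighByte selects UTF-16LE vs 8-bit
    return name, dt, (hs_state & 0x03) != 0

def find_macro_sheets(workbook_stream):
    """Return [(name, hidden)] for every Excel 4.0 macro sheet in the stream."""
    found = []
    for rtype, payload in iter_records(workbook_stream):
        parsed = parse_boundsheet(payload) if rtype == BOUNDSHEET else None
        if parsed and parsed[1] == MACRO_SHEET:
            found.append((parsed[0], parsed[2]))
    return found

def macro_flag(workbook_stream):
    """olevba-style summary flag: 'M' when XLM macro sheets exist, else '-'."""
    return "M" if find_macro_sheets(workbook_stream) else "-"

def _record(rtype, payload):
    return struct.pack("<HH", rtype, len(payload)) + payload

def _boundsheet(name, dt, hs_state=0):
    enc = name.encode("latin-1")
    return _record(BOUNDSHEET, struct.pack("<IBBBB", 0, hs_state, dt, len(enc), 0) + enc)

# Constructed sample Workbook stream (not from any real file): BOF, visible worksheet,
# very-hidden XLM macro sheet, EOF.
SAMPLE_STREAM = (_record(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0, 0, 0, 0))
                 + _boundsheet("Sheet1", 0x00)
                 + _boundsheet("Macro1", MACRO_SHEET, hs_state=2)
                 + _record(EOF, b""))
```

On a real .xls, pass `olefile.OleFileIO(path).openstream("Workbook").read()` to `find_macro_sheets`; CONTINUE records are not handled, which is fine for the short BOUNDSHEET records this check needs.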

decalage2 commented 8 months ago

Thanks a lot for reporting this. Indeed, there is confusion between VBA and XLM macros in the tools, as XLM detection was added later on, and not all the tools/modes handle it properly. MRaptor is currently only meant for VBA macros. I'm not sure the current regexes would match all the necessary keywords for XLM macros. I need to make some tests to check if it could be easily updated to support XLM, or, if not, improve the output to make it clear that it's only for VBA.

tstallings commented 8 months ago

Oh neat, I never realized mraptor wasn't supposed to be looking for XLM macros 😅 Even if the coverage isn't perfect, I still appreciate that it can detect some XLM things!