Open tstallings opened 8 months ago
Thanks a lot for reporting this. Indeed there is a confusion between VBA and XLM macros in the tools, as XLM detection was added later on, and not all the tools/modes handle it properly. MRaptor is currently only meant for VBA macros. I'm not sure the current regexes would match all the necessary keywords for XLM macros. I need to make some tests to check if it could be easily updated to support XLM, or if not improve the output to make it clear that it's only for VBA.
Oh neat, I never realized mraptor wasn't supposed to be looking for XLM macros 😅 Even if the coverage isn't perfect, I still appreciate that it can detect some XLM things!
Affected tool: olevba and mraptor
Describe the bug: XLM macro detection incorrectly reports that no macros are found
File/Malware sample to reproduce the bug: test_xls.zip password: infected
How To Reproduce the bug:
olevba:
mraptor:
Expected behavior: Note the M in the output from olevba 0.56.2
mraptor output:
Additional context: The olevba triage output is incorrect because of a missing boolean check around here. The missing check is:
This missing check might be present in other parts of the output logic, but I didn't check.
The mraptor bug is caused by the code here. It appears that macro logic was split into two functions - one for XLM and one for VBA. There was a wrapper function created to run both checks, but mraptor didn't get updated to call the new wrapper function: