oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
The sample with hash 061e17f3b2fd4a4dce1bf4f8a31198273f1abc47c32456d06fd5997ea4363578 (available on MalwareBazaar) is not parsed correctly by ftguess and oleid:
oleid prints a warning that some XML could not be parsed:
```
oleid 0.60.1 - http://decalage.info/oletools
Filename: 061e17f3b2fd4a4dce1bf4f8a31198273f1abc47c32456d06fd5997ea4363578.pptm
WARNING xml-parsing for ppt/presentation.xml failed (no element found: line 1, column 0). Run iter_non_xml to investigate.
```
Actually this is because ppt/presentation.xml is an empty file. So this PPTM file is malformed.
ftguess does not identify the file format properly:
```
ftguess 0.60.1 on Python 3.11.6 - http://decalage.info/python/oletools
File : 061e17f3b2fd4a4dce1bf4f8a31198273f1abc47c32456d06fd5997ea4363578.pptm
File Type : OpenXML file
Description: Generic OpenXML file
Application: MS Office
Container : OpenXML
Content-type(s) :
PUID : None
```
This is because the MIME type of the main part (ppt/presentation.xml) is "application/vnd.ms-powerpoint.addin.macroEnabled.main+xml", which is not yet supported by ftguess.
=> need to add PPAM, POTX and POTM.
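
A stand-alone triage sketch of the two conditions reported above (added example, not oletools code and not part of the original issue): it resolves the main part of an OpenXML package, looks up its content type, and lists zero-byte XML parts. The names `triage_openxml`, `build_sample` and `PPT_MAIN_TYPES` are hypothetical, the mapping is illustrative rather than ftguess's own table, and the package is constructed in memory to mimic the reported layout.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_DOC = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument"

# Illustrative mapping (assumption, not ftguess's table) for the formats the issue asks to add.
PPT_MAIN_TYPES = {
    "application/vnd.ms-powerpoint.addin.macroEnabled.main+xml": "PPAM",
    "application/vnd.openxmlformats-officedocument.presentationml.template.main+xml": "POTX",
    "application/vnd.ms-powerpoint.template.macroEnabled.main+xml": "POTM",
}

def triage_openxml(data):
    """Return (main_part, content_type, label, empty_xml_parts) for an OpenXML package."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        rels = ET.fromstring(z.read("_rels/.rels"))
        main = None
        for rel in rels.iter(REL_NS + "Relationship"):
            if rel.get("Type") == OFFICE_DOC:  # relationship pointing at the main part
                main = rel.get("Target").lstrip("/")
        types = ET.fromstring(z.read("[Content_Types].xml"))
        ctype = None
        for ov in types.iter(CT_NS + "Override"):
            if ov.get("PartName", "").lstrip("/") == main:
                ctype = ov.get("ContentType")
        empty = [i.filename for i in z.infolist()
                 if i.filename.endswith(".xml") and i.file_size == 0]
    return main, ctype, PPT_MAIN_TYPES.get(ctype, "unknown"), empty

def build_sample():
    """Constructed package: add-in main content type plus an empty ppt/presentation.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/ppt/presentation.xml" ContentType='
            '"application/vnd.ms-powerpoint.addin.macroEnabled.main+xml"/></Types>')
        z.writestr("_rels/.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="' + OFFICE_DOC + '" Target="ppt/presentation.xml"/>'
            '</Relationships>')
        z.writestr("ppt/presentation.xml", b"")  # zero-byte part, as in the reported sample
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_openxml(build_sample()))
```

Reading the content type from `[Content_Types].xml` instead of parsing the main part means the empty `ppt/presentation.xml` does not prevent classification, and the zero-byte part is still reported for follow-up.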