decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools
Other
2.94k stars 564 forks source link

detect_vba_macros() false positives? #856

Open xme opened 6 months ago

xme commented 6 months ago

Affected tool: olevba

Describe the bug I'm using the olevba Python module to process files from multiple source. I'm using the following code to detect interesting files (with macros):

if vbaparser.detect_vba_macros():
   do_more_stuff()

Many files are detected as containing macros even if they don't contain valid OLE streams.

Is there another way to properly detect the presence of VBA macros?

decalage2 commented 6 months ago

Hi @xme, indeed the method detect_vba_macros only checks for the presence of specific storages (folders) in the structure of OLE files, or streams with specific bytes that are found in VBA projects. So it will return True if a file contains those storages or streams, even if the VBA project streams are corrupt. (this may happen when a document is "cleaned" by some antivirus, for example)

Maybe you can try get_vba_code_all_modules or extract_all_macros? It will attempt to parse and decompress all VBA modules. If there is some output and no error then there's a good chance that there is a valid VBA project in the file. But it looks like exceptions are caught, so not sure you will actually get errors... 🤔

xme commented 6 months ago

Tx! I'll investigate this way!