erocarrera / pefile

pefile is a Python module to read and work with PE (Portable Executable) files
MIT License

Section Sizes Larger Than File Size #358

Closed lkurlandski closed 2 years ago

lkurlandski commented 2 years ago

Describe the bug

I am trying to identify the regions of PE malware that correspond to the .text section, i.e., I want the beginning and end offsets of the .text section. However, after getting the size of the .text section, it would appear that the size of the section is actually larger than the size of the binary. This may not be a bug and could be a simple misunderstanding on my part.

I encounter the exact same issue with a different library, LIEF, and have already posted an issue there: https://github.com/lief-project/LIEF/issues/817. I'm starting to suspect that the adversary has obfuscated the file in such a way that makes it challenging for these tools to interpret, but would appreciate input from someone more experienced with PE files than I. Thank you for any help you can provide!

To Reproduce

The executable file I am using is a disarmed piece of malware collected by the SOREL research group. Even though the file has been disarmed, I am hesitant to share it right away since there is a solid chance that someone more experienced with this can diagnose the issue without the file. Let me know if this is not the case and I can provide a google drive link for the file.

import os
import pefile

path = "001856267679fb6001cd00f230043326e1b9fc210874dd4c839761d51f4e9a73"
pe = pefile.PE(path)
size_of_text_section = None  # stays None if the sample has no .text section
for section in pe.sections:
    # Section.Name is 8 bytes, NUL-padded; strip the padding before matching
    if ".text" in section.Name.rstrip(b"\0").decode("ascii", "replace"):
        size_of_text_section = section.SizeOfRawData  # size declared in the header
        break
size_of_binary = os.path.getsize(path)  # size of the file on disk
print(f".text section size: {size_of_text_section}, binary size: {size_of_binary}")
# Prints ".text section size: 65536, binary size: 22747"

Expected behavior

I would expect the .text section's size to be smaller than the size of the file.

Environment (please complete the following information):

lkurlandski commented 2 years ago

This is not a bug. Apparently this is a real phenomenon with PE files. Check out that issue I tagged in the post above for the response from the LIEF maintainer. Closing issue.
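A way to recover the actual on-disk byte range of a section when the header's SizeOfRawData overshoots the file, as an added example that is not part of the original thread or of pefile itself. It parses the PE section table with the struct module and audits every section against the real file length, so it generalizes the single .text case above to the whole table. The input is a constructed, non-loadable PE32 layout built by build_sample_pe (synthetic bytes, not the SOREL sample), so it runs offline without pefile or the malware; audit_sections, on_disk_range and the other names are this example's own.

```python
import struct

# Constructed example: a hand-built PE section table whose declared raw sizes
# exceed the file length, parsed with the struct module only. Nothing here is
# real malware; the bytes are synthesized by build_sample_pe().

DOS_SIGNATURE = b"MZ"
NT_SIGNATURE = b"PE\x00\x00"
FILE_HEADER_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER (20 bytes)
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def parse_sections(data):
    """Walk DOS header -> PE signature -> file header -> section table."""
    if data[:2] != DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != NT_SIGNATURE:
        raise ValueError("missing PE signature")
    fh_off = e_lfanew + 4
    (_machine, num_sections, _ts, _symtab, _nsyms,
     opt_hdr_size, _chars) = struct.unpack_from(FILE_HEADER_FMT, data, fh_off)
    table_off = fh_off + struct.calcsize(FILE_HEADER_FMT) + opt_hdr_size
    sections = []
    for i in range(num_sections):
        off = table_off + i * SECTION_HEADER_SIZE
        try:
            (name, vsize, vaddr, raw_size, raw_ptr, _relocs, _lines,
             _nrelocs, _nlines, _flags) = struct.unpack_from(SECTION_HEADER_FMT, data, off)
        except struct.error:
            raise ValueError("section table runs past end of file")
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "size_of_raw_data": raw_size,
            "pointer_to_raw_data": raw_ptr,
        })
    return sections


def on_disk_range(section, file_size):
    """Clamp [PointerToRawData, PointerToRawData + SizeOfRawData) to the bytes
    that actually exist in the file. The header is untrusted input: a section
    may claim more bytes than the file holds, or start past the end of it."""
    start = min(section["pointer_to_raw_data"], file_size)
    end = min(start + section["size_of_raw_data"], file_size)
    return start, end


def audit_sections(data):
    """Report, per section, what the header declares versus what is on disk."""
    file_size = len(data)
    report = []
    for sec in parse_sections(data):
        start, end = on_disk_range(sec, file_size)
        declared_end = sec["pointer_to_raw_data"] + sec["size_of_raw_data"]
        report.append({
            "name": sec["name"],
            "declared_raw_size": sec["size_of_raw_data"],
            "virtual_size": sec["virtual_size"],
            "file_offset": start,
            "bytes_available": end - start,
            "truncated": declared_end > file_size,
        })
    return report


def build_sample_pe():
    """Synthesize a minimal PE32 layout (constructed, not a loadable program)
    in which .text declares 64 KiB of raw data but the file holds only 2 KiB
    of it, and .data points entirely past the end of the file."""
    e_lfanew = 0x40
    file_align = 0x200
    dos = bytearray(e_lfanew)
    dos[:2] = DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: i386, 2 sections, 224-byte optional header, EXECUTABLE|32BIT
    file_header = struct.pack(FILE_HEADER_FMT, 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt_header = bytearray(224)
    struct.pack_into("<H", opt_header, 0, 0x10B)  # PE32 magic; rest left zeroed
    text_hdr = struct.pack(SECTION_HEADER_FMT, b".text", 0x10000, 0x1000,
                           0x10000, file_align, 0, 0, 0, 0, 0x60000020)
    data_hdr = struct.pack(SECTION_HEADER_FMT, b".data", 0x1000, 0x11000,
                           0x200, file_align + 0x10000, 0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos) + NT_SIGNATURE + file_header + bytes(opt_header) + text_hdr + data_hdr
    headers = headers.ljust(file_align, b"\x00")  # pad headers up to FileAlignment
    text_bytes = b"\x90" * 0x800  # only 2 KiB of the declared 64 KiB is present
    return headers + text_bytes


if __name__ == "__main__":
    for row in audit_sections(build_sample_pe()):
        print(row)
```

The same clamp is what you want before slicing bytes out of a real sample: take PointerToRawData and SizeOfRawData from the header, but bound the slice by len(data), and treat a section whose declared end passes the file length as a signal worth recording rather than an error. With pefile, section.get_data() already returns only the bytes that are present in the file, and pe.get_warnings() lists the parser's warnings about headers like this one.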