Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug] OpenXML files detected as zip but ignored by Oletools. #475

githule opened this issue Apr 24, 2019 · 1 comment


None yet
2 participants
Copy link

commented Apr 24, 2019

Describe the bug
OpenXML files are detected (logically) as zip but ignored by Oletools because of filetype equals ZIP.

To Reproduce
Parse MS Office openxml file via the fileinfo analyzer v5 (same issue in v4).

Expected behavior
MS Office OpenXML files should be parsed.

Complementary information
My investigations lead to this line of code in
in the __init__ method
self.filetype = pyexifinfo.fileType(self.filepath)
in the run method :
for module in available_submodules: if module.check_file(file=self.filepath, filetype=self.filetype, filename=self.filename, mimetype=self.mimetype): module_results = module.analyze_file(self.filepath) module_summaries = module.module_summary() results.append({ 'submodule_name':, 'results': module_results, 'summary': module_summaries })

and in /submodules/ that doesn't include "ZIP"

def check_file(self, **kwargs): try: if kwargs.get('filetype') in [ 'DOC', 'DOCM', 'DOCX', 'XLS', 'XLSM', 'XLSX', 'PPT', 'PPTM', 'PPTX' ]: return True
As a temporary workaround on my setup, I added :
elif kwargs.get('mimetype').startswith("application/vnd.openxmlformats-officedocument") : return True

Work environment

  • Cortex version: 2.1.2 (Docker Image)

Possible cause

  • Issue with some versions of pyexifinfo delivred or libraries embeded in the docker image

Possible solution

  • Add magic/mime type criteria to the condition in the check_file method

@githule githule added the bug label Apr 24, 2019

@jeromeleonard jeromeleonard added this to the 2.1.0 milestone May 10, 2019

@jeromeleonard jeromeleonard self-assigned this May 10, 2019


This comment has been minimized.

Copy link

commented May 10, 2019

@githule thx for reporting the issue and the solution.

jeromeleonard added a commit that referenced this issue May 10, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.