incorrect last sector index in OLE stream (related to #27?) #29

Closed
decalage2 opened this issue Feb 17, 2016 · 3 comments

Comments

@decalage2
Owner

Originally reported by: Loic Jaquemet (Bitbucket: trolldbois, GitHub: trolldbois)


Hello,
probably in continuation of Issue #27, another piece of malware has found a way to cause issues due to OLE stream corruption.

When using oledump.py on the attached file, the OleFileIO lib raises an error.

Careful, it is a malicious Word file. (Dridex)

olefile version: 0.43 - 2016-02-02 (double triple checked)

 python oledump.py SCAN7318_000.DOC

  1:       114 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:      6988 '1Table'
  5:       571 'Macros/PROJECT'
  6:       110 'Macros/PROJECTwm'
  7:        97 'Macros/SamboF/\x01CompObj'
  8:       289 'Macros/SamboF/\x03VBFrame'
  9:       402 'Macros/SamboF/f'
 10:       484 'Macros/SamboF/o'
 11: M   18318 'Macros/VBA/Module1'
Traceback (most recent call last):
  File "../oledump.py", line 1588, in <module>
    sys.exit(Main())
  File "../oledump.py", line 1585, in Main
    return OLEDump(args[0], options)
  File "../oledump.py", line 1472, in OLEDump
    returnCode = OLESub(ole, '', rules, options)
  File "../oledump.py", line 1266, in OLESub
    stream = ole.openstream(fname).read()
  File "/usr/local/lib/python2.7/dist-packages/olefile/olefile.py", line 1955, in openstream
    return self._open(entry.isectStart, entry.size)
  File "/usr/local/lib/python2.7/dist-packages/olefile/olefile.py", line 1858, in _open
    filesize=self._filesize)
  File "/usr/local/lib/python2.7/dist-packages/olefile/olefile.py", line 817, in __init__
    raise IOError('incorrect last sector index in OLE stream')
IOError: incorrect last sector index in OLE stream

@decalage2
Owner Author

Original comment by Loic Jaquemet (Bitbucket: trolldbois, GitHub: trolldbois):


The attachment password is "infected"

@decalage2
Owner Author

Original comment by Loic Jaquemet (Bitbucket: trolldbois, GitHub: trolldbois):


Commenting out lines 816 and 817 seems to allow the analysis to continue.
This is clearly not a fix, but a temporary solution.
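
An added example, not part of the original thread and not olefile's or oledump's own code: a triage loop that isolates the per-stream `IOError` shown in the traceback above, so one corrupt stream does not abort analysis of the remaining streams and the library itself stays unpatched. It uses only `listdir`, `openstream` and `get_size` from `olefile.OleFileIO`; the `ConstructedOle` class and its stream `Macros/VBA/ConstructedBroken` are hypothetical stand-ins so the block runs without a sample.

```python
import io


def read_streams_tolerant(ole):
    """Read every stream of an opened OleFileIO-like object.

    Returns (streams, failures): streams maps 'a/b' path -> bytes,
    failures maps path -> (declared size or None, error message).
    """
    streams, failures = {}, {}
    for entry in ole.listdir(streams=True, storages=False):
        path = "/".join(entry)
        try:
            streams[path] = ole.openstream(entry).read()
        except (IOError, OSError) as exc:
            # The library rejected this stream's sector chain: record it
            # as a finding and keep processing the other streams.
            try:
                declared = ole.get_size(entry)
            except Exception:
                declared = None
            failures[path] = (declared, str(exc))
    return streams, failures


class ConstructedOle:
    """Constructed stand-in for olefile.OleFileIO (not a real document)."""
    good = {("1Table",): b"\x00" * 16,
            ("Macros", "VBA", "Module1"): b"Attribute VB_Name"}
    broken = {("Macros", "VBA", "ConstructedBroken"): 4096}

    def listdir(self, streams=True, storages=False):
        return [list(k) for k in list(self.good) + list(self.broken)]

    def get_size(self, entry):
        key = tuple(entry)
        return self.broken[key] if key in self.broken else len(self.good[key])

    def openstream(self, entry):
        if tuple(entry) in self.broken:
            raise IOError("incorrect last sector index in OLE stream")
        return io.BytesIO(self.good[tuple(entry)])


if __name__ == "__main__":
    # With a real file: ole = olefile.OleFileIO(path) instead of ConstructedOle()
    ok, bad = read_streams_tolerant(ConstructedOle())
    for path, data in sorted(ok.items()):
        print("%8d  %r" % (len(data), path))
    for path, (declared, msg) in sorted(bad.items()):
        print("UNREADABLE %r (declared size %s): %s" % (path, declared, msg))
```

A stream that lands in `failures` is itself worth noting in the triage report, since the thread attributes this error to deliberate OLE stream corruption by the malware.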

@decalage2
Owner Author

Original comment by Philippe Lagadec (Bitbucket: decalage, GitHub: decalage2):


Fixed in commit d3da3071450e20371b3b84b5464448ea7d3cd26c
