XLS with suspect Macro #434

Closed
jm-edard opened this issue Apr 18, 2019 · 1 comment

jm-edard commented Apr 18, 2019

This XLS has a suspect macro detected as a virus by 9 antivirus products.
Olevba made an error and reported only 1 piece of suspicious information.

```
# olevba XL_14758_1804.xls
olevba 0.54 on Python 2.7.13 - http://decalage.info/python/oletools
===============================================================================
FILE: XL_14758_1804.xls
Type: OLE
ERROR    Error when running oledump.plugin_biff, please report to https://github.com/decalage2/oletools/issues
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/oletools/olevba.py", line 3104, in detect_xlm_macros
    self.xlm_macros = biff_plugin.Analyze()
  File "/usr/local/lib/python2.7/dist-packages/oletools/thirdparty/oledump/plugin_biff.py", line 1008, in Analyze
    strings += ' '.join(values[0])
TypeError: sequence item 0: expected string, bytearray found
-------------------------------------------------------------------------------
VBA MACRO ЭтаКнига.cls
in file: XL_14758_1804.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Axcelerrate()
Raba.FarFarAway 15, 1, True
End Sub
-------------------------------------------------------------------------------
VBA MACRO Лист3.cls
in file: XL_14758_1804.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+
```

XL_14758_1804.zip

@decalage2 decalage2 self-assigned this Apr 19, 2019
@decalage2 decalage2 added this to the oletools 0.54 milestone Apr 19, 2019
@decalage2
Owner

This has been fixed in the latest version, similar to #428.
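
A triage check for the situation in this report, where the XLM detection stage crashed and the summary table still listed a single indicator. This is an added example, not part of the issue or of oletools; the function names and verdict labels are assumptions, and the sample is constructed from the output quoted above.

```python
import re

# Constructed sample: abridged from the olevba 0.54 output quoted in the issue.
SAMPLE = """\
FILE: XL_14758_1804.xls
Type: OLE
ERROR    Error when running oledump.plugin_biff, please report to https://github.com/decalage2/oletools/issues
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/oletools/olevba.py", line 3104, in detect_xlm_macros
    self.xlm_macros = biff_plugin.Analyze()
TypeError: sequence item 0: expected string, bytearray found
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+
"""

ERROR = re.compile(r"^ERROR\s+(.+)$", re.M)
FRAME = re.compile(r'^  File "[^"]+", line \d+, in (\w+)$', re.M)
ROW = re.compile(r"^\|([^|]*)\|([^|]*)\|([^|]*)\|$")

def parse_findings(report):
    """Summary-table rows as (type, keyword, description); wrapped rows are merged."""
    rows = []
    for line in report.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        kind, keyword, desc = (cell.strip() for cell in m.groups())
        if (kind, keyword) == ("Type", "Keyword"):
            continue                      # header row
        if kind or keyword:
            rows.append([kind, keyword, desc])
        elif rows:
            rows[-1][2] += " " + desc     # continuation of the previous row
    return [tuple(r) for r in rows]

def triage(report):
    """A crashed analysis stage outranks the indicator table: the result is partial."""
    errors = ERROR.findall(report)
    findings = parse_findings(report)
    verdict = "incomplete" if errors else ("review" if findings else "no-indicators")
    return {"verdict": verdict, "errors": errors,
            "failed_in": FRAME.findall(report)[:1], "findings": findings}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A file that comes back `incomplete` should be re-analyzed with a fixed tool version or a second tool rather than scored on the indicators that happened to be printed.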
