Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

olevba: error 'NoneType' object has no attribute 'splitlines' #629

Closed
decalage2 opened this issue Oct 8, 2020 · 2 comments
Closed

olevba: error 'NoneType' object has no attribute 'splitlines' #629

decalage2 opened this issue Oct 8, 2020 · 2 comments
Assignees
@decalage2
Labels
🐛 bug olevba
Milestone
oletools 0.56

Comments

@decalage2
Copy link
Owner

decalage2 commented Oct 8, 2020
edited
Loading

error triggered by olevba 0.56.1.dev1 on Win10 both with Python 3.8.3 or Python 2.7.14, with this sample:
https://labs.inquest.net/dfi/hash/2bfb95bc1e1ff7801796cfb8c1047feebfd8576b8496030cd559d5bac804c9bb
https://www.virustotal.com/gui/file/2bfb95bc1e1ff7801796cfb8c1047feebfd8576b8496030cd559d5bac804c9bb
From this tweet: https://mobile.twitter.com/JohnLaTwC/status/1312433855056416768

First we get this error:

ERROR    VBA code returned by extract_all_macros is not a string

Then this:

Traceback (most recent call last):
  File "\Users\u\dev\oletools\oletools\olevba.py", line 4032, in process_file
    vba_code_filtered = filter_vba(vba_code)
  File "\Users\u\dev\oletools\oletools\olevba.py", line 2136, in filter_vba
    vba_lines = vba_code.splitlines()
AttributeError: 'NoneType' object has no attribute 'splitlines'
ERROR    Error processing file 2bfb95bc1e1ff7801796cfb8c1047feebfd8576b8496030cd559d5bac804c9bb ('NoneType' object has no attribute 'splitlines')!

So somewhere a function returns None instead of a string for the VBA code.

Interestingly, if I scan it with olevba 0.55.2, I get a different error, and the analysis continues with an empty macro and just P-code:

ValueError: CompressedChunkSize != 4098 but CompressedChunkFlag == 0
@decalage2 decalage2 self-assigned this Oct 8, 2020
@decalage2 decalage2 added this to the oletools 0.56 milestone Oct 8, 2020
@decalage2
Copy link
Owner Author

Note that oledump 0.0.54 is also unable to decompress the VBA code.

@decalage2
Copy link
Owner Author

In fact the relaxed mode was too relaxed, because no exception was raised when a VBA_Module object was not completely initialised due to a malformed compressed stream. In that case the VBA_Module.code_str was set to None, triggering the exception above.
Now VBA_Module.init raises the exception, and olevba can try other methods to get code to analyse (e.g. P-code).

@benkittner benkittner mentioned this issue Nov 23, 2020
Closed
@decalage2 decalage2 mentioned this issue Mar 18, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@decalage2 decalage2

Labels
🐛 bug olevba
Projects
None yet
Milestone
oletools 0.56
Development

No branches or pull requests
1 participant
@decalage2