Olevba not expecting optional ProjectCompatVersion record

[Beakerboy]

Affected tool:
olevba

Describe the bug
MS-OVBA defines an optional attribute in the Dir Stream called the ProjectCompatVersion record. If this record is present in the dir stream, I receive the following error:

Type: OLE
WARNING  invalid value for PROJECTLCID_Id expected 0002 
got 004A
WARNING  invalid value for PROJECTLCID_Lcid expected 040
9 got 0003
WARNING  invalid value for PROJECTLCIDINVOKE_Id expected
 0014 got 0002
WARNING  invalid value for PROJECTCODEPAGE_Id expected 0
003 got 0014
WARNING  invalid value for PROJECTCODEPAGE_Size expected
 0002 got 0004
WARNING  invalid value for PROJECTNAME_Id expected 0004 
got 0000
ERROR    PROJECTNAME_SizeOfProjectName value not in rang
e [1-128]: 131075
ERROR    Error in _extract_vba

How To Reproduce the bug
Version 0.0.10 of this file has the optional record, version 0.0.11 does not.

wget https://github.com/Beakerboy/VBA-CI-CD-Test/releases/download/0.0.10/Addin.xlam
mv Addin.xlam Addin.0.0.10.zip
unzip Addin.0.0.10.zip -d Addin.0.0.10
olevba -a Addin.0.0.10/xl/vbaProject.bin

Expected behavior
The file should parse fine with the presence of the optional record.

Version information:

• OS: Linux
• OS version: Debian 11
• Python version: 3.11.2
• oletools version: 0.60.1

[decalage2]

Hi, I think this issue should be fixed with PR #723, but I haven't had time to test it yet.

[Beakerboy]

@decalage2 Thanks! The 0.0.11 version of that Addin seems to pass the examination of olevba, but Excel complains that:

the file format or file extension is not valid.
Verify that the file has not been corrupted and that the file extension matches the format of the file.

let me know if you can think of any other places in the vbaProject.bin file that errors could be hiding.

[decalage2]

The error shown above is now fixed thanks to PR #723, so I close this issue.

However, there seems to be another XML parsing issue with your XLAM file: xml.etree.ElementTree.ParseError: XML declaration not well-formed: line 1, column 49

[Beakerboy]

Thanks for the update. What program is displaying that xml error? I’ve inspected the XML files and they all appear to start with:

<?xml version="1.0” encoding=“UTF-8” standalone=“yes”?>

So is there a problem with the “yes”? Does it indicate which XML file has the issue?

[decalage2]

I don't know what the actual problem is, but I get this error when parsing your latest releases of addin.xlam up to 0.0.14 with olevba. The error comes from the ElementTree XML parser, not from olevba itself.

[Beakerboy]

The header for olevba.py says the supported formats include Excel 97-2003 (.xls), Excel 2007+ (.xlsm, .xlsb).

xlam is not listed, Do excel addins have a format that olevba cannot handle?

[decalage2]

AFAIK, XLAM is very similar to an Excel file with macros (XLSM), so normally olevba works fine. In your case, there seems to be a slight XML issue somewhere. Does your file work with Excel?

[Beakerboy]

No it does not, which is why I was investigating it with olevba and found the earlier error. I'll see if I can find out which line in olevba is raising the exception and add a try/except block to isolate the issue in my file.

[decalage2]

The issue is in the file _rels/.rels, there is standalone=true instead of yes