Affected tool:
olevba
Describe the bug
Malware with sha256 b02be8a230c8c3c92b1535ad44fe2c4a05866195cb2b9243dd9b2d48d7cb35ea (xls with VBA) makes olevba crash with errors:
WARNING invalid value for PROJECTLCID_Id expected 0002 got 004A
WARNING invalid value for PROJECTLCID_Lcid expected 0409 got 0002
WARNING invalid value for PROJECTLCIDINVOKE_Id expected 0014 got 0002
WARNING invalid value for PROJECTCODEPAGE_Id expected 0003 got 0014
WARNING invalid value for PROJECTCODEPAGE_Size expected 0002 got 0004
WARNING invalid value for PROJECTNAME_Id expected 0004 got 0000
ERROR PROJECTNAME_SizeOfProjectName value not in range [1-128]: 131075
ERROR Error in _extract_vba
Traceback (most recent call last):
File "C:\Users\Laurent\AppData\Local\Programs\Python\Python38\lib\site-packages\oletools\olevba.py", line 3544, in extract_macros
for stream_path, vba_filename, vba_code in
File "C:\Users\Laurent\AppData\Local\Programs\Python\Python38\lib\site-packages\oletools\olevba.py", line 2112, in _extract_vba
project = VBA_Project(ole, vba_root, project_path, dir_path, relaxed)
File "C:\Users\Laurent\AppData\Local\Programs\Python\Python38\lib\site-packages\oletools\olevba.py", line 1770, in __init__
projectdocstring_id = struct.unpack("<H", dir_stream.read(2))[0]
File/Malware sample to reproduce the bug
https://bazaar.abuse.ch/sample/b02be8a230c8c3c92b1535ad44fe2c4a05866195cb2b9243dd9b2d48d7cb35ea/
How To Reproduce the bug
olevba virusfile
Expected behavior
analyse whole VBA code
only partial analysis
Console output / Screenshots
see above
Version information:
- OS: Windows 10
- OS version: 64 bits
- Python version: Python 3.8.7 (tags/v3.8.7:6503f05, Dec 21 2020, 17:59:51) [MSC v.1928 64 bit (AMD64)] on win32
- oletools version: git clone on 1dec2021
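The warning values in this report are what a fixed-order reader produces when one extra 4-byte record sits ahead of PROJECTLCID, so every later field is read a few bytes off (131075 is 0x00020003, a PROJECTCODEPAGE Id followed by the low half of its Size). The following is an added example, not oletools code and not part of the report: it reproduces those values on a constructed byte string and contrasts the fixed-order read with an Id-driven walk that bounds-checks each Size. It assumes Id 0x004A is a PROJECTCOMPATVERSION record and covers only the leading records up to PROJECTNAME; `rec`, `read_fixed` and `walk_records` are hypothetical names.

```python
import struct

def rec(rec_id, payload):
    """Encode one record as Id (u16), Size (u32), payload."""
    return struct.pack("<HI", rec_id, len(payload)) + payload

# Constructed sample, not bytes from the reported file: the leading records of
# a decompressed dir stream with one extra 0x004A record before PROJECTLCID.
SAMPLE = b"".join([
    rec(0x0001, struct.pack("<I", 1)),       # PROJECTSYSKIND
    rec(0x004A, struct.pack("<I", 2)),       # assumed PROJECTCOMPATVERSION
    rec(0x0002, struct.pack("<I", 0x0409)),  # PROJECTLCID
    rec(0x0014, struct.pack("<I", 0x0409)),  # PROJECTLCIDINVOKE
    rec(0x0003, struct.pack("<H", 1252)),    # PROJECTCODEPAGE
    rec(0x0004, b"VBAProject"),              # PROJECTNAME
])

FIELDS = ("SYSKIND_Id SYSKIND_Size SYSKIND_SysKind LCID_Id LCID_Size LCID_Lcid "
          "LCIDINVOKE_Id LCIDINVOKE_Size LCIDINVOKE_LcidInvoke "
          "CODEPAGE_Id CODEPAGE_Size CODEPAGE_CodePage NAME_Id NAME_Size").split()

def read_fixed(data):
    """Fixed-order read: assumes the records come in exactly this sequence."""
    return dict(zip(FIELDS, struct.unpack_from("<HIIHIIHIIHIHHI", data)))

KNOWN = {0x0001: "PROJECTSYSKIND", 0x0002: "PROJECTLCID",
         0x0014: "PROJECTLCIDINVOKE", 0x0003: "PROJECTCODEPAGE",
         0x0004: "PROJECTNAME"}

def walk_records(data):
    """Id-driven walk: dispatch on Id, and check Size against the bytes left."""
    found, unknown, pos = {}, [], 0
    while pos < len(data):
        if len(data) - pos < 6:
            raise ValueError(f"truncated record header at offset {pos}")
        rec_id, size = struct.unpack_from("<HI", data, pos)
        pos += 6
        if size > len(data) - pos:
            raise ValueError(f"record 0x{rec_id:04X} claims {size} bytes, "
                             f"{len(data) - pos} left")
        if rec_id in KNOWN:
            found[KNOWN[rec_id]] = data[pos:pos + size]
        else:
            unknown.append(rec_id)  # skipped, but reported to the caller
        pos += size
    return found, unknown

if __name__ == "__main__":
    for name, value in read_fixed(SAMPLE).items():
        print(f"{name:24} {value:#06x}")
    print(walk_records(SAMPLE))
```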