Test xlm samples

tests/ftguess/test_basic.py

@@ -22,7 +22,7 @@ def test_all(self):
             ftguess.FType_Word2007, ftguess.FType_Word2007_Macro,
             ftguess.FType_Word2007_Template,
             ftguess.FType_Word2007_Template_Macro, ftguess.FType_Excel97,
-            ftguess.FType_Excel2007,
+            ftguess.FType_Excel2007, ftguess.FType_Excel2007_XLSB,
             ftguess.FType_Excel2007_XLSX , ftguess.FType_Excel2007_XLSM ,
             ftguess.FType_Excel2007_Template,
             ftguess.FType_Excel2007_Template_Macro,
@@ -38,9 +38,6 @@ def test_all(self):
             for extension in ftype.extensions:
                 ftype_for_extension[extension] = ftype
 
-        # TODO: xlsb is not implemented yet
-        ftype_for_extension['xlsb'] = ftguess.FType_Generic_OpenXML
-
         for filename, file_contents in loop_over_files():
             # let the system guess
             guess = ftguess.ftype_guess(data=file_contents)
@@ -57,7 +54,7 @@ def test_all(self):
                           .format(filename))
             extension = extension[1:]      # remove the leading '.'
 
-            # encrypted files are mostly recognized (yet?), except .xls
+            # encrypted files are mostly not recognized (yet?), except .xls
             if filename.startswith('encrypted/'):
                 if extension == 'xls':
                     expect = ftguess.FType_Excel97
@@ -68,9 +65,18 @@ def test_all(self):
                 # not really an office file type
                 expect = ftguess.FType_Unknown
 
+            elif extension == 'slk':
+                # not implemented yet
+                expect = ftguess.FType_Unknown
+
             elif filename == 'basic/encrypted.docx':
                 expect = ftguess.FType_Generic_OLE
 
+            elif 'excel5' in filename:
+                # excel5 and excel97 have the same extensions, so we did not
+                # include excel5 in "used_types" above.
+                expect = ftguess.FType_Excel5
+
             else:
                 # other files behave nicely, so extension determines the type
                 expect = ftype_for_extension[extension]
@@ -94,9 +100,7 @@ def test_all(self):
             if expect not in (ftguess.FType_Generic_OLE, ftguess.FType_Unknown):
                 self.assertEqual(guess.is_excel(), extension.startswith('x')
                                                    and extension != 'xml'
-                                                   and extension != 'xlsb'
                                                    and extension != 'xps')
-                   # xlsb is excel but not handled properly yet
                 self.assertEqual(guess.is_word(), extension.startswith('d'))
                 self.assertEqual(guess.is_powerpoint(),
                                  extension.startswith('p'))

tests/olevba/test_basic.py

@@ -4,8 +4,9 @@
 
 import unittest
 import os
-from os.path import join
+from os.path import join, splitext
 import re
+import json
 
 # Directory with test data, independent of current working directory
 from tests.test_utils import DATA_BASE_DIR, call_and_capture
@@ -107,6 +108,48 @@ def test_crypt_return(self):
                 # without arg (test takes too long otherwise
                 ADD_ARGS = ([], )
 
+    def test_xlm(self):
+        """Test that xlm macros are found."""
+        XLM_DIR = join(DATA_BASE_DIR, 'excel4-macros')
+        ADD_ARGS = ['-j']
+
+        for filename in os.listdir(XLM_DIR):
+            full_name = join(XLM_DIR, filename)
+            suffix = splitext(filename)[1]
+            out_str, ret_code = call_and_capture('olevba',
+                                                 args=[full_name, ] + ADD_ARGS,
+                                                 accept_nonzero_exit=True)
+            output = json.loads(out_str)
+            self.assertEqual(len(output), 3)
+            self.assertEqual(output[0]['type'], 'MetaInformation')
+            self.assertEqual(output[0]['script_name'], 'olevba')
+            self.assertEqual(output[-1]['type'], 'MetaInformation')
+            self.assertEqual(output[-1]['n_processed'], 1)
+            self.assertEqual(output[-1]['return_code'], 0)
+            result = output[1]
+            self.assertTrue(result['json_conversion_successful'])
+            if suffix in ('.xlsb', '.xltm', '.xlsm'):
+                # TODO: cannot extract xlm macros for these types yet
+                self.assertEqual(result['macros'], [])
+            else:
+                code = result['macros'][0]['code']
+                if suffix == '.slk':
+                    self.assertIn('Excel 4 macros extracted', code)
+                else:
+                    self.assertIn('Excel 4.0 macro sheet', code)
+                self.assertIn('Auto_Open', code)
+                if 'excel5' not in filename:    # TODO: is not found in excel5
+                    self.assertIn('ALERT(', code)
+                self.assertIn('HALT()', code)
+
+                self.assertIn(len(result['analysis']), (2, 3))
+                types = [entry['type'] for entry in result['analysis']]
+                keywords = [entry['keyword'] for entry in result['analysis']]
+                self.assertIn('Auto_Open', keywords)
+                self.assertIn('XLM macro', keywords)
+                self.assertIn('AutoExec', types)
+                self.assertIn('Suspicious', types)
+
 
 # just in case somebody calls this file as a script
 if __name__ == '__main__':

tests/ooxml/test_basic.py

@@ -39,7 +39,7 @@ def test_rough_doctype(self):
 
         # files that are neither OLE nor xml:
         except_files = 'empty', 'text'
-        except_extns = 'rtf', 'csv', 'zip'
+        except_extns = 'rtf', 'csv', 'zip', 'slk'
 
         # analyse all files in data dir
         # TODO: use testdata_reader to extract real data from zip files

tests/test-data/excel4-macros/excel4_sample_macro.slk

@@ -0,0 +1,68 @@
+ID;PWXL;N;E
+P;PGeneral
+P;P0
+P;P0.00
+P;P#,##0
+P;P#,##0.00
+P;P#,##0;;\-#,##0
+P;P#,##0;;[Red]\-#,##0
+P;P#,##0.00;;\-#,##0.00
+P;P#,##0.00;;[Red]\-#,##0.00
+P;P#,##0\ "$";;\-#,##0\ "$"
+P;P#,##0\ "$";;[Red]\-#,##0\ "$"
+P;P#,##0.00\ "$";;\-#,##0.00\ "$"
+P;P#,##0.00\ "$";;[Red]\-#,##0.00\ "$"
+P;P0%
+P;P0.00%
+P;P0.00E+00
+P;P##0.0E+0
+P;P#" "?/?
+P;P#" "??/??
+P;Pdd/mm/yyyy
+P;Pdd\-mmm\-yy
+P;Pdd\-mmm
+P;Pmmm\-yy
+P;Ph:mm\ AM/PM
+P;Ph:mm:ss\ AM/PM
+P;Phh:mm
+P;Phh:mm:ss
+P;Pdd/mm/yyyy\ hh:mm
+P;Pmm:ss
+P;Pmm:ss.0
+P;P@
+P;P[h]:mm:ss
+P;P_-* #,##0\ "$"_-;;\-* #,##0\ "$"_-;;_-* "-"\ "$"_-;;_-@_-
+P;P_-* #,##0_-;;\-* #,##0_-;;_-* "-"_-;;_-@_-
+P;P_-* #,##0.00\ "$"_-;;\-* #,##0.00\ "$"_-;;_-* "-"??\ "$"_-;;_-@_-
+P;P_-* #,##0.00_-;;\-* #,##0.00_-;;_-* "-"??_-;;_-@_-
+P;FCalibri;M220;L9
+P;FCalibri;M220;L9
+P;FCalibri;M220;L9
+P;FCalibri;M220;L9
+P;ECalibri;M220;L9
+P;ECalibri Light;M360;L55
+P;ECalibri;M300;SB;L55
+P;ECalibri;M260;SB;L55
+P;ECalibri;M220;SB;L55
+P;ECalibri;M220;L18
+P;ECalibri;M220;L21
+P;ECalibri;M220;L61
+P;ECalibri;M220;L63
+P;ECalibri;M220;SB;L64
+P;ECalibri;M220;SB;L53
+P;ECalibri;M220;L53
+P;ECalibri;M220;SB;L10
+P;ECalibri;M220;L11
+P;ECalibri;M220;SI;L24
+P;ECalibri;M220;SB;L9
+P;ECalibri;M220;L10
+P;ESegoe UI;M200;L9
+F;P0;DG0G8;E;M292
+B;Y2;X1;D0 0 1 0
+O;L;E;D;V0;K47;G100 0.001
+F;W1 1 17
+F;W2 16384 9
+NN;NAuto_Open;ER1C1
+C;Y1;X1;KFALSE;EALERT("This is a sample Excel 4 macro")
+C;Y2;KTRUE;EHALT()
+E