oletools
oletools copied to clipboard
olevba: Excel Macros (.xls & .xlsm) falsely flag as containing Hex Strings & Suspicious Keywords
Affected tool: olevba
Describe the bug olevba flags excel macro-enabled documents (.xls & .xlsm) as containing suspicious hex strings and suspicious keywords on any document scanned - using olevba 0.55.dev3 or 0.54.2 on Python 3.7.4
How To Reproduce the bug
-
Create an excel macro with nothing other than the below function: Private Sub Workbook_Open() MsgBox "This is fun" End Sub
-
Run olevba '--decode' shows the Hex Strings being flagged, '--triage' shows Hex Strings and Suspicious Keywords being flagged olevba
--decode olevba --triage
Console output / Screenshots
Version information:
- OS: Windows 10
- OS version: v1903 (OS Build 18362.418)
- Python version: 3.7.4 - 64 bits
- oletools version: olevba 0.55.dev3 or 0.54.2