
olevba: Excel Macros (.xls & .xlsm) falsely flag as containing Hex Strings & Suspicious Keywords

Open CanIPhish opened this issue 4 years ago • 4 comments

Affected tool: olevba

Describe the bug

olevba flags Excel macro-enabled documents (.xls & .xlsm) as containing suspicious hex strings and suspicious keywords on any document scanned - using olevba 0.55.dev3 or 0.54.2 on Python 3.7.4

How To Reproduce the bug

  1. Create an Excel macro with nothing other than the below function:

       Private Sub Workbook_Open()
           MsgBox "This is fun"
       End Sub

  2. Run olevba: '--decode' shows the Hex Strings being flagged, '--triage' shows Hex Strings and Suspicious Keywords being flagged:

       olevba --decode
       olevba --triage

Console output / Screenshots

[image]

[image]

Version information:

  • OS: Windows 10
  • OS version: v1903 (OS Build 18362.418)
  • Python version: 3.7.4 - 64 bits
  • oletools version: olevba 0.55.dev3 or 0.54.2

CanIPhish, Nov 06 '19 11:11