
XLSB file with XLM macro not detected

Open Yodakasi opened this issue 3 years ago • 2 comments

Affected tool: olevba

Describe the bug: xlsb file with macro is not detected

File/Malware sample to reproduce the bug: https://app.any.run/tasks/27c6c716-0af3-40b7-b458-06108fe4bfbe 6f1d133d9753818c8c455e1dbf27755e fv_8.xlsb

How To Reproduce the bug: olevba3 -l debug fv_8.xlsb

Expected behavior: The macro in that xlsb should be detected.

Console output / Screenshots: [image]

Version information:

  • OS: Linux
  • OS version: 64 bits
  • Python version: 3.8.5 - 64 bits
  • oletools version: 0.56

Additional context: Also not detected when using oletools with python2 [image]

Yodakasi avatar Oct 29 '20 10:10 Yodakasi

From the screenshots it looks like an Excel 4 (XLM) macro, not VBA. For now olevba can detect VBA macros in XLSB, but not XLM.

decalage2 avatar Oct 29 '20 21:10 decalage2

Similar experience with this sample:

ale@pcale:~/tmp$ olevba3 -l debug 129948368968.xlsb 
olevba 0.60 on Python 3.9.2 - http://decalage.info/python/oletools
DEBUG    ftguess: file type=OpenXML file - container=OpenXML
INFO     Opening ZIP/OpenXML file 129948368968.xlsb
DEBUG    OpenXML subfile [Content_Types].xml
DEBUG    OpenXML subfile _rels/.rels
DEBUG    OpenXML subfile xl/_rels/workbook.bin.rels
DEBUG    OpenXML subfile xl/workbook.bin
DEBUG    OpenXML subfile xl/drawings/_rels/drawing1.xml.rels
DEBUG    OpenXML subfile xl/media/image2.png
DEBUG    OpenXML subfile xl/worksheets/sheet1.bin
DEBUG    OpenXML subfile xl/macrosheets/_rels/sheet1.bin.rels
DEBUG    OpenXML subfile xl/worksheets/_rels/sheet1.bin.rels
DEBUG    OpenXML subfile xl/worksheets/_rels/sheet2.bin.rels
DEBUG    OpenXML subfile xl/macrosheets/sheet1.bin
DEBUG    OpenXML subfile xl/media/image1.png
DEBUG    OpenXML subfile xl/worksheets/sheet2.bin
DEBUG    OpenXML subfile xl/drawings/drawing1.xml
DEBUG    OpenXML subfile xl/theme/theme1.xml
DEBUG    OpenXML subfile xl/styles.bin
DEBUG    OpenXML subfile xl/worksheets/binaryIndex2.bin
DEBUG    OpenXML subfile xl/printerSettings/printerSettings1.bin
DEBUG    OpenXML subfile xl/worksheets/binaryIndex1.bin
DEBUG    OpenXML subfile xl/macrosheets/binaryIndex1.bin
DEBUG    OpenXML subfile docProps/core.xml
DEBUG    OpenXML subfile docProps/app.xml
DEBUG    OpenXML subfile docProps/custom.xml
===============================================================================
FILE: 129948368968.xlsb
Type: OpenXML
DEBUG    detect vba macros
DEBUG    detect xlm macros
No VBA or XLM macros found.

DEBUG    Checking for encryption (normal)
DEBUG    is_encrypted
DEBUG    Checking for encryption using msoffcrypto
DEBUG    no encryption detected
DEBUG    will exit now with code 0

The sheet1.bin macro contains an http address and a local file name, but I'm unable to decode it.

alevesely avatar Nov 22 '21 19:11 alevesely
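
A triage check for the gap discussed in this thread, added here as an example (it is not oletools code and not from any commenter): it flags macro sheet parts such as the `xl/macrosheets/sheet1.bin` listed in the debug output above and pulls UTF-16LE strings out of them for review. The function names, the heuristic match on the substring `macrosheet` in the declared content type, and the constructed sample workbook are assumptions made for illustration.

```python
import io
import re
import zipfile

MAX_PART = 16 * 1024 * 1024  # cap bytes read per part (zip-bomb guard)
# Sheet parts directly under xl/macrosheets/, skipping binaryIndex*.bin.
SHEET_PATH = re.compile(r"^xl/macrosheets/(?!binaryindex)[^/]+\.(?:bin|xml)$", re.I)
OVERRIDE = re.compile(rb"<Override\b[^>]*>", re.I)
ATTR = re.compile(rb'(PartName|ContentType)\s*=\s*"([^"]*)"', re.I)
# Runs of 6+ printable ASCII characters encoded as UTF-16LE.
WIDE_STR = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def find_macrosheets(data: bytes) -> list:
    """Names of macro sheet parts, found by path and by declared content type."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        found.update(n for n in names if SHEET_PATH.match(n))
        if "[Content_Types].xml" in names:
            with zf.open("[Content_Types].xml") as fh:
                xml = fh.read(MAX_PART)
            for tag in OVERRIDE.findall(xml):
                attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
                part = attrs.get(b"partname", b"").decode("utf-8", "replace")
                if part and b"macrosheet" in attrs.get(b"contenttype", b"").lower():
                    found.add(part.lstrip("/"))
    return sorted(found)


def wide_strings(data: bytes, part: str) -> list:
    """UTF-16LE strings in one part; a triage aid, not a BIFF12 record parser."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(part) as fh:
        raw = fh.read(MAX_PART)
    return [m.decode("utf-16-le") for m in WIDE_STR.findall(raw)]


def build_sample() -> bytes:
    """Constructed stand-in for an .xlsb: ZIP layout only, no real BIFF12 records."""
    url = "http://example.invalid/a"  # constructed placeholder string
    types = (b'<Types><Override PartName="/xl/macrosheets/sheet1.bin" '
             b'ContentType="application/vnd.ms-excel.macrosheet"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("xl/workbook.bin", b"\x00")
        zf.writestr("xl/macrosheets/binaryIndex1.bin", b"\x00")
        zf.writestr("xl/macrosheets/sheet1.bin",
                    len(url).to_bytes(4, "little") + url.encode("utf-16-le"))
    return buf.getvalue()
```

A non-empty result from `find_macrosheets` on a file where olevba reports "No VBA or XLM macros found." means the workbook still carries a macro sheet and needs manual review.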