
Olevba sometimes extracts macros of embedded files

Open eyaltemps opened this issue 2 years ago • 0 comments

Affected tool: Olevba

Describe the bug: When I run Olevba on the "File.pptx" file (inside File.zip, password "infected"), the output contains the analysis of the macros of the files that are inserted/embedded in the external pptx file.

When I run Olevba on the "FilePlayground.pptx" file (inside FilePlayground.zip, password "Password1"), the macros of the embedded files are ignored, and Olevba can't find any macros. When I extract the FilePlayground.pptx file, and run Olevba separately on the embedded Xlsm file, I can see the macros.

File/Malware sample to reproduce the bug: File.zip - Malware sample, password "infected". FilePlayground.zip - Self-made sample, password "Password1".

How To Reproduce the bug: Run "olevba" or "olevba -jc" on the files and watch the output.

Expected behavior: Olevba will output nothing for both files, as they are PowerPointX, and not Pptm, and the external file contains no macros.

Console output / Screenshots: [image] [image]

I'm not sure which of the behaviors is by design. What are the expected results? Should Olevba analyze the inner files? Why is the behavior different between the attached files? Is there an option (like a flag) to ask Olevba to ignore the embedded files' Vba project?

eyaltemps, Feb 23 '22 10:02
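One way to tell whether a VBA project sits in the outer OOXML container or inside an embedded OOXML file, which is the distinction the report above turns on. This is an added example, not part of the original issue and not oletools code; it uses only Python's `zipfile`, covers ZIP-based (OOXML) embeddings only, and the function names and the in-memory sample are constructed for illustration.

```python
import io
import zipfile

VBA_PART = "vbaproject.bin"       # OOXML part name that holds a VBA project
MAX_MEMBER = 50 * 1024 * 1024     # do not unpack members larger than this


def _make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def locate_vba_parts(data, path="", depth=0, max_depth=3):
    """Return the path of every vbaProject.bin, recursing into embedded ZIPs.

    Nested containers are separated by "!/". Embedded OLE files (.doc/.xls,
    oleObject*.bin) are not ZIPs and are not inspected by this sketch.
    """
    hits = []
    if depth > max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            full = path + info.filename
            if info.filename.lower().endswith(VBA_PART):
                hits.append(full)
            elif info.file_size <= MAX_MEMBER:
                hits += locate_vba_parts(zf.read(info), full + "!/", depth + 1, max_depth)
    return hits


def classify(data):
    """Split VBA locations into the outer document and embedded documents."""
    hits = locate_vba_parts(data)
    return {"outer": [h for h in hits if "!/" not in h],
            "embedded": [h for h in hits if "!/" in h]}


# Constructed sample: a macro-free .pptx that embeds a macro-enabled workbook.
_INNER_XLSM = _make_zip({"[Content_Types].xml": b"<Types/>",
                         "xl/vbaProject.bin": b"constructed placeholder"})
SAMPLE_PPTX = _make_zip({"[Content_Types].xml": b"<Types/>",
                         "ppt/presentation.xml": b"<p/>",
                         "ppt/embeddings/Book1.xlsm": _INNER_XLSM})

if __name__ == "__main__":
    print(classify(SAMPLE_PPTX))
```

An empty `outer` list with a non-empty `embedded` list means any macros a scanner reports for the file belong to an embedded document rather than to the presentation itself.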