Olevba: Add switch parameter to choose either XLMMacroDeobfuscator or plugin_biff for XLM-macros analysis

Open antmaxi opened this issue 2 years ago • 1 comments

At the moment XLMMacroDeobfuscator can't process files like .slk (it's not a supported file extension there).

However, if XLMMacroDeobfuscator is installed, it is automatically used for xlm-analysis in the current code, so one can't choose to use plugin_biff (one can only disable XLM-analysis fully with --no-xlm) https://github.com/decalage2/oletools/blob/dfbcabb957644769d17dfbb367eb3a52167c0506/oletools/olevba.py#L321

Because of that, either slk or xlsb+ files are not processed in any case, missing some possible malware.

I suggest having a command line parameter allowing one to choose what to use for XML-processing explicitly.

antmaxi, Feb 25 '22 13:02

OK, I need to rewrite the processing of XLM Macros, to fall back to plugin_biff/SLK parsing/XML parsing when XLMMacroDeobfuscator fails. And indeed, it could be useful to have a CLI parameter to control which parser is used.

decalage2, Feb 26 '22 22:02
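The parser choice and fallback discussed in this thread, sketched as an added example (not olevba's code and not written by either participant). The `--xlm-parser` option, the `ParserFailed` exception and both backend functions are hypothetical stand-ins for XLMMacroDeobfuscator and plugin_biff; only `--no-xlm` is taken from the issue.

```python
import argparse

class ParserFailed(Exception):
    """Raised by a backend that cannot handle the given file."""

def deobfuscator_backend(path):
    # Stand-in for XLMMacroDeobfuscator: per the issue, .slk is not supported there.
    if path.lower().endswith(".slk"):
        raise ParserFailed("unsupported file extension: .slk")
    return ["deobfuscator: macros from " + path]

def biff_backend(path):
    # Stand-in for the plugin_biff / SLK parsing path (assumed to accept the file).
    return ["biff: macros from " + path]

BACKENDS = {"deobfuscator": deobfuscator_backend, "biff": biff_backend}
AUTO_ORDER = ["deobfuscator", "biff"]  # preferred parser first, fallback second

def build_arg_parser():
    p = argparse.ArgumentParser(prog="xlm-select-demo")
    p.add_argument("filename")
    p.add_argument("--xlm-parser", choices=["auto"] + sorted(BACKENDS),
                   default="auto", help="hypothetical switch: which XLM parser to use")
    p.add_argument("--no-xlm", action="store_true", help="disable XLM analysis")
    return p

def analyze_xlm(path, choice="auto", backends=BACKENDS):
    """Return (backend_used, macros, errors); errors lists every backend that failed."""
    order = AUTO_ORDER if choice == "auto" else [choice]
    errors = []
    for name in order:
        try:
            return name, backends[name](path), errors
        except ParserFailed as exc:
            # Record the failure so a skipped file is visible in the report
            # instead of silently producing "no macros found".
            errors.append((name, str(exc)))
    return None, [], errors

def main(argv=None):
    args = build_arg_parser().parse_args(argv)
    if args.no_xlm:
        return None, [], []
    return analyze_xlm(args.filename, args.xlm_parser)

if __name__ == "__main__":
    print(main())
```

In `auto` mode a failure in the first backend falls through to the next one; an explicit choice runs only that backend and returns its error, so an unanalysed file can be flagged for manual review.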