oletools

dir stream parsing is too strict

Open peterferrie opened this issue 7 months ago • 0 comments

Affected tool: olevba

Describe the bug: sig_byte and chunk_signature compare exact byte-values. Office only checks individual bits, not the entire byte. For sig_byte, only bits 0-1 are checked, bits 2-7 are not checked. For chunk_signature, only bit 15 is checked, bits 12-24 are not checked.

File/Malware sample to reproduce the bug: pw_clean.zip

How To Reproduce the bug: olevba doc1.doc

Expected behavior: dir stream should be parsed correctly, no error from _extract_vba

Console output / Screenshots: If applicable, add screenshots to help explain your problem. Use the option "-l debug" to add debugging information, if possible.

Version information:

  • OS: Windows
  • OS version: 10.0.19045 - 64 bits
  • Python version: 3.8.5 - 64 bits
  • oletools version: 0.60.2

Additional context: In the sample file, the sig_byte is changed from 01 to 05; chunk_signature is changed from B2 to 82. The file opens correctly in Word 2019.

peterferrie, Jul 11 '24 00:07
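An added example, not oletools code and not part of the issue: a header walker for an MS-OVBA CompressedContainer that can run either with exact-value checks or with the bit-level checks the issue describes, recording each deviation as an anomaly so an analysis tool can keep parsing and still flag the file. The field layout follows the MS-OVBA CompressedChunkHeader; the tolerant checks are taken from the issue's description of Office's behaviour and are an assumption here, and `walk_container` and the sample bytes are constructed for illustration.

```python
import struct

def walk_container(data, strict=False):
    """Walk the chunk headers of an MS-OVBA CompressedContainer.

    strict=True  -> ValueError unless header values equal the spec values.
    strict=False -> bit-level checks as described in the issue; deviations
                    are returned as anomalies instead of aborting the parse.
    Returns (chunks, anomalies); a chunk is (offset, size, compressed, signature).
    """
    if not data:
        raise ValueError("empty container")
    anomalies = []
    sig_byte = data[0]
    if sig_byte != 0x01:
        # Tolerant mode: only bits 0-1 must read 01 (per the issue report).
        if strict or (sig_byte & 0x03) != 0x01:
            raise ValueError("invalid signature byte 0x%02X" % sig_byte)
        anomalies.append("signature byte 0x%02X, spec value is 0x01" % sig_byte)
    chunks, pos = [], 1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated chunk header at offset %d" % pos)
        (header,) = struct.unpack_from("<H", data, pos)
        size = (header & 0x0FFF) + 3        # bits 0-11 store the chunk size minus 3
        signature = (header >> 12) & 0x07   # bits 12-14, spec value 0b011
        compressed = bool(header >> 15)     # bit 15: 1 = compressed, 0 = raw
        if signature != 0b011:
            if strict:
                raise ValueError("invalid chunk signature at offset %d" % pos)
            anomalies.append("chunk at offset %d: signature bits %s, spec value is 011"
                             % (pos, format(signature, "03b")))
        chunks.append((pos, size, compressed, signature))
        pos += size                         # next header follows this chunk
    return chunks, anomalies

# Constructed sample: one compressed chunk holding the literals "abcd"
# (flag byte 0x00 followed by four literal tokens).
PAYLOAD = b"\x00abcd"
CLEAN = b"\x01" + struct.pack("<H", 0xB000 | (len(PAYLOAD) + 2 - 3)) + PAYLOAD
# Same container with the two kinds of change the issue describes: an extra
# bit set in the signature byte (01 -> 05) and the chunk signature bits cleared.
TAMPERED = b"\x05" + struct.pack("<H", 0x8000 | (len(PAYLOAD) + 2 - 3)) + PAYLOAD

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, walk_container(blob))
```

Returning the anomalies rather than discarding them keeps the spec deviation available as a signal: a container that Office accepts but that departs from the documented values is worth surfacing in the analysis output.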