-
Notifications
You must be signed in to change notification settings - Fork 560
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
olevba - should display an error instead of no vba detection - MHTML with malformed Base64 #35
Comments
Original comment by Philippe Lagadec (Bitbucket: decalage, GitHub: decalage2): Hi @sbidy, could you please confirm if this malware sample actually runs macros in MS Word? I studied the content in details, and it turns out that the Base64-encoded blob which contains macros is malformed: At the beginning there is "N0" twice (e.g."QWN0N0aXZl..."). If you remove one of the N0 strings (replacing "N0aXZ" by "axZ"), the Base64 blob becomes well formed and can be decoded by Python. And then the file can be properly analyzed by olevba, and indeed there is a malicious macro in there. So there are two possibilities:
Thank you. |
Original comment by sbidy (Bitbucket: sbidy, GitHub: sbidy): Hey @decalage , ah you right with 1.. I tested it with a lab environment and WindWord 2013 to open the file. I think there is no risk form this types of documents but can the WinWord fix such malformed strings? Like a repair function? Thanks for the investigation and your very cool parser! |
Original comment by Philippe Lagadec (Bitbucket: decalage, GitHub: decalage2): Thanks for the test. I also ran the original file and my fixed version in the reverse.it sandbox, and it shows that the original file does nothing special, whereas the fixed one tries at least to connect to an Internet address. Interestingly, the original version triggers more alerts than the fixed one:
As for your question, I think there is little risk: this file is obviously malformed, and Word should not manage to decode the faulty base64. And I don't see how Word would find which duplicate characters to ignore (I had to guess it after many trials and errors). I will keep the issue open, because olevba should display a parsing error instead of reporting "no macro". |
Originally reported by: sbidy (Bitbucket: sbidy, GitHub: sbidy)
The olevba don't detects the attached file as a vba containing MS-Document.
But a short investigation shows some suspicious Hex-String.
I think the malfunction comes from the leading returns and and random chars.
I used the python packages oletools-0.42.1
The text was updated successfully, but these errors were encountered: