Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

olevba - should display an error instead of no vba detection - MHTML with malformed Base64 #35

Open
decalage2 opened this issue Feb 18, 2016 · 3 comments
Open

olevba - should display an error instead of no vba detection - MHTML with malformed Base64 #35

decalage2 opened this issue Feb 18, 2016 · 3 comments
Assignees
@decalage2
Labels
🐛 bug major olevba
Milestone
Future Releases

Comments

@decalage2
Copy link
Owner

Originally reported by: sbidy (Bitbucket: sbidy, GitHub: sbidy)

The olevba don't detects the attached file as a vba containing MS-Document.
But a short investigation shows some suspicious Hex-String.

I think the malfunction comes from the leading returns and and random chars.

I used the python packages oletools-0.42.1
@decalage2
Copy link
Owner Author

Original comment by Philippe Lagadec (Bitbucket: decalage, GitHub: decalage2):

Hi @sbidy, could you please confirm if this malware sample actually runs macros in MS Word?

I studied the content in details, and it turns out that the Base64-encoded blob which contains macros is malformed: At the beginning there is "N0" twice (e.g."QWN0N0aXZl..."). If you remove one of the N0 strings (replacing "N0aXZ" by "axZ"), the Base64 blob becomes well formed and can be decoded by Python.

And then the file can be properly analyzed by olevba, and indeed there is a malicious macro in there.

So there are two possibilities:

  1. Either the malware author made a mistake when he/she edited the file to make it difficult to analyze, duplicating the "N0" string. This would be the most likely scenario if the file does not run macros when opened in MS Word.
  2. Or MS Word does not treat incorrect Base64 encoded files the same way as Python does, and we would need to find out how to fix the Base64 decoder.

Thank you.

@decalage2
Copy link
Owner Author

Original comment by sbidy (Bitbucket: sbidy, GitHub: sbidy):

Hey @decalage ,

ah you right with 1.. I tested it with a lab environment and WindWord 2013 to open the file.
Word can open the file but can't parse the macro in the document.

I think there is no risk form this types of documents but can the WinWord fix such malformed strings? Like a repair function?
In this special case Word don't recognize the macro code - but what is if the first chars are skip by the word parser in magic way?
Is there a defined behavior?

Thanks for the investigation and your very cool parser!

@decalage2
Copy link
Owner Author

Original comment by Philippe Lagadec (Bitbucket: decalage, GitHub: decalage2):

Thanks for the test. I also ran the original file and my fixed version in the reverse.it sandbox, and it shows that the original file does nothing special, whereas the fixed one tries at least to connect to an Internet address. Interestingly, the original version triggers more alerts than the fixed one:

As for your question, I think there is little risk: this file is obviously malformed, and Word should not manage to decode the faulty base64. And I don't see how Word would find which duplicate characters to ignore (I had to guess it after many trials and errors).

I will keep the issue open, because olevba should display a parsing error instead of reporting "no macro".

@decalage2 decalage2 added this to the oletools 0.60 milestone Sep 3, 2016
@decalage2 decalage2 self-assigned this Sep 3, 2016
@LeMurphant LeMurphant mentioned this issue Jul 29, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@decalage2 decalage2

Labels
🐛 bug major olevba
Projects
None yet
Milestone
Future Releases
Development

No branches or pull requests
1 participant
@decalage2