-
Notifications
You must be signed in to change notification settings - Fork 561
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Macro detection issues #837
Comments
Thanks a lot for reporting this. Indeed there is a confusion between VBA and XLM macros in the tools, as XLM detection was added later on, and not all the tools/modes handle it properly. |
Oh neat, I never realized mraptor wasn't supposed to be looking for XLM macros 😅 Even if the covereage isn't perfect, I still appreciate that it can detect some XLM things! |
Affected tool:
olevba and mraptor
Describe the bug
XLM macro detection incorrectly reports that no macros are found
File/Malware sample to reproduce the bug
test_xls.zip
password: infected
How To Reproduce the bug
olevba:
mraptor:
Expected behavior
Note the
M
in the output from olevba 0.56.2mraptor output:
Additional context
The olevba triage output is incorrect because of a missing boolean check around here
The missing check is:
This missing check might be present in other parts of the output logic, but I didn't check.
The mraptor bug is caused by the code here
It appears that macro logic was split into two functions - one for XLM and one for VBA. There was a wrapper function created to run both checks, but mraptor didn't get updated to call the new wrapper function:
The text was updated successfully, but these errors were encountered: