Description
Originally reported by: Philippe Lagadec (Bitbucket: decalage, GitHub: decalage2)
Another sample, even more twisted than the previous ones referenced in issue #31:
https://malwr.com/analysis/ZDkzYzljZTJmZDViNDFjMzk5N2IwYThhODQyYjExYjg/
source: https://isc.sans.edu/diary/Obfuscated+MIME+Files/20643
Explanation: the malware sample contains an extra line at the end of the MIME headers, for the MIME part containing an MSO file encoded in base64, where VBA macros are stored. MS Office seems to ignore that header line, but Python's email package follows RFCs too strictly and considers the junk line as part of the data rather than headers. Therefore, the base64 decoding of the data fails, and olevba cannot decode the macros.
There is no simple workaround; this issue requires a modified version of the email package.
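As an added illustration of the parsing difference described above (example code, not from the issue or from oletools): the constructed MHTML below carries one junk line after a part's headers; the stock email package pushes that line into the body, so the base64 payload no longer decodes, while a lenient pre-pass that drops non-header lines from each header block lets the same parser recover the payload. The names HEADER_RE, MHTML, MSO_BYTES, mso_part_payload and drop_junk_header_lines are assumptions of this example.

```python
import base64
import binascii
import email
import re

# RFC 822-shaped header line ("Name: value", no whitespace in the name) or a folded
# continuation line; any other line in a header block is the junk Office ignores.
HEADER_RE = re.compile(rb"^([\x21-\x39\x3b-\x7e]+:|[ \t])")

# Constructed sample, not the real malware: a minimal MHTML whose base64 part
# carries a fake MSO payload, with one junk line appended to that part's headers.
MSO_BYTES = b"ActiveMime\x00\x00" + bytes(range(32))
MHTML = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="BND"\r\n\r\n'
    b"--BND\r\nContent-Type: text/html\r\n\r\n<html></html>\r\n"
    b"--BND\r\n"
    b"Content-Location: file:///C:/editdata.mso\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Type: application/x-mso\r\n"
    b"JUNK LINE WITHOUT A COLON\r\n"  # the extra line: no colon, so not a header
    b"\r\n" + base64.encodebytes(MSO_BYTES) + b"--BND--\r\n"
)


def mso_part_payload(raw: bytes) -> bytes:
    """Decode the first base64 part with the stock email package (what the issue says olevba relies on)."""
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        if part.get("Content-Transfer-Encoding", "").lower() == "base64":
            try:
                return part.get_payload(decode=True)
            except binascii.Error:  # some Python versions raise instead of returning garbage
                return b""
    raise ValueError("no base64 part found")


def drop_junk_header_lines(raw: bytes) -> bytes:
    """Pre-pass: drop non-header lines from every header block (top level and each
    part) so the strict parser sees only RFC-shaped headers. Single boundary only."""
    m = re.search(rb'boundary="?([^"\r\n;]+)"?', raw)
    boundary = b"--" + m.group(1) if m else None
    out, in_headers = [], True
    for line in raw.splitlines(keepends=True):
        if boundary and line.startswith(boundary):
            in_headers = True  # a new part's header block begins
        elif in_headers and not line.strip(b"\r\n"):
            in_headers = False  # blank line ends the header block
        elif in_headers and not HEADER_RE.match(line):
            continue  # junk line: drop it
        out.append(line)
    return b"".join(out)
```

With the junk line present the decoded bytes no longer start with the ActiveMime magic; after the pre-pass the original payload comes back intact.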