XLS with suspect Macro #434
Description
This XLS has a suspect Marco detected like virus by 9 antivirus.
Olevba make an error and said only 1 suspicious information.
# olevba XL_14758_1804.xls
olevba 0.54 on Python 2.7.13 - http://decalage.info/python/oletools
===============================================================================
FILE: XL_14758_1804.xls
Type: OLE
ERROR Error when running oledump.plugin_biff, please report to https://github.com/decalage2/oletools/issues
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/oletools/olevba.py", line 3104, in detect_xlm_macros
self.xlm_macros = biff_plugin.Analyze()
File "/usr/local/lib/python2.7/dist-packages/oletools/thirdparty/oledump/plugin_biff.py", line 1008, in Analyze
strings += ' '.join(values[0])
TypeError: sequence item 0: expected string, bytearray found
-------------------------------------------------------------------------------
VBA MACRO ЭтаКнига.cls
in file: XL_14758_1804.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Axcelerrate()
Raba.FarFarAway 15, 1, True
End Sub
-------------------------------------------------------------------------------
VBA MACRO Лист3.cls
in file: XL_14758_1804.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
+----------+--------------------+---------------------------------------------+