Description
Affected tool: olevba
Describe the bug
While trying to scan an Excel file with macros, olevba dies with the error message:
`oletools.olevba.UnexpectedDataError: Unexpected value in _VBA_PROJECT_CUR/VBA/dir for variable PROJECTLCIDINVOKE_LcidInvoke: expected 0409 but found 0C07!`
Stack trace:

```
$ olevba macrotest/Zutaten.xls
olevba 0.54.2 on Python 3.6.8 - http://decalage.info/python/oletools
===============================================================================
FILE: macrotest/Zutaten.xls
Type: OLE
ERROR    Error in _extract_vba
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/oletools/olevba.py", line 3162, in extract_macros
    dir_path, self.relaxed):
  File "/usr/local/lib/python3.6/site-packages/oletools/olevba.py", line 2022, in _extract_vba
    project = VBA_Project(ole, vba_root, project_path, dir_path, relaxed=False)
  File "/usr/local/lib/python3.6/site-packages/oletools/olevba.py", line 1653, in __init__
    self.check_value('PROJECTLCIDINVOKE_LcidInvoke', 0x409, self.lcidinvoke)
  File "/usr/local/lib/python3.6/site-packages/oletools/olevba.py", line 1919, in check_value
    raise UnexpectedDataError(self.dir_path, name, expected, value)
oletools.olevba.UnexpectedDataError: Unexpected value in _VBA_PROJECT_CUR/VBA/dir for variable PROJECTLCIDINVOKE_LcidInvoke: expected 0409 but found 0C07!
ERROR    Error processing file macrotest/Zutaten.xls (can't concat str to bytes)!
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/oletools/olevba.py", line 3549, in process_file
    self.run_analysis(show_decoded_strings=show_decoded_strings, deobfuscate=deobfuscate)
  File "/usr/local/lib/python3.6/site-packages/oletools/olevba.py", line 3450, in run_analysis
    self.analyze_macros(show_decoded_strings, deobfuscate)
  File "/usr/local/lib/python3.6/site-packages/oletools/olevba.py", line 3237, in analyze_macros
    self.vba_code_all_modules += vba_code + '\n'
TypeError: can't concat str to bytes
```
The primary reason for the error is clear: olevba checks if the LCID is EN-US, and the macros in my Excel file are using DE-AT.
But when I comment out the line `self.check_value('PROJECTLCIDINVOKE_LcidInvoke', 0x409, self.lcidinvoke)` from olevba.py, the file is analyzed without problems:
```
$ python3 olevba.py -a macrotest/Zutaten.xls
olevba 0.54.2 on Python 3.6.8 - http://decalage.info/python/oletools
===============================================================================
FILE: macrotest/Zutaten.xls
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO UserForm1.frm
in file: macrotest/Zutaten.xls - OLE stream: '_VBA_PROJECT_CUR/VBA/UserForm1'
-------------------------------------------------------------------------------
VBA MACRO Modul5.bas
in file: macrotest/Zutaten.xls - OLE stream: '_VBA_PROJECT_CUR/VBA/Modul5'
-------------------------------------------------------------------------------
VBA MACRO DieseArbeitsmappe.cls
in file: macrotest/Zutaten.xls - OLE stream: '_VBA_PROJECT_CUR/VBA/DieseArbeitsmappe'
-------------------------------------------------------------------------------
VBA MACRO Tabelle12.cls
in file: macrotest/Zutaten.xls - OLE stream: '_VBA_PROJECT_CUR/VBA/Tabelle12'
-------------------------------------------------------------------------------
VBA MACRO Modul4.bas
in file: macrotest/Zutaten.xls - OLE stream: '_VBA_PROJECT_CUR/VBA/Modul4'
-------------------------------------------------------------------------------
VBA MACRO xlm_macro.txt
in file: xlm_macro - OLE stream: 'xlm_macro'
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|Suspicious|Open                |May open a file                              |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+
```
So I'm not sure if this check is a bit too harsh. It seems trivial to circumvent olevba by changing the language ID to anything but en-us.
Do you know the reasoning behind this check? As far as I can see it was already added in officeparser in this commit unixfreak0037/officeparser@4c7f642 but unfortunately without an explanation.
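The issue above is essentially a fail-closed-vs-fail-open question: a hard-coded "must be 0x0409" check on a metadata field aborts the whole scan for any non-English document, and a scanner that aborts is a scanner that produces no findings. The added example below is not oletools code; it is a small stand-alone parser for the fixed-layout header records of a decompressed VBA `dir` stream (record ids PROJECTSYSKIND, PROJECTLCID, PROJECTCODEPAGE and PROJECTLCIDINVOKE are the documented MS-OVBA values; the stream fragments are constructed here, not taken from the reported file). It shows the two policies side by side: `strict=True` reproduces the reported abort, `strict=False` records the deviating LCID as a finding and lets analysis continue. The `build_dir_fragment`, `iter_records` and `check_lcids` names and the `Finding` class are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Record ids of the decompressed VBA "dir" stream (MS-OVBA 2.3.4.2). The ids
# are documented values; the fragments built below are constructed for this
# example and are not taken from the file in the report.
PROJECTSYSKIND = 0x0001
PROJECTLCID = 0x0002
PROJECTCODEPAGE = 0x0003
PROJECTLCIDINVOKE = 0x0014

EN_US = 0x0409  # the only value olevba 0.54.2 accepts for the LCID records

# Minimal LCID lookup, just enough for the values that appear in this report.
LCID_NAMES = {0x0409: "en-US", 0x0407: "de-DE", 0x0C07: "de-AT"}


class UnexpectedLcidError(ValueError):
    """Raised only in strict mode, mirroring olevba's UnexpectedDataError."""


@dataclass
class Finding:
    level: str    # "info" or "warning"
    record: str   # which dir record triggered the finding
    message: str


def build_dir_fragment(lcid: int, lcid_invoke: int, codepage: int = 1252) -> bytes:
    """Constructed header portion of a dir stream: SYSKIND, LCID, LCIDINVOKE,
    CODEPAGE. Each record is little-endian: u16 id, u32 payload size, payload."""
    return (
        struct.pack("<HII", PROJECTSYSKIND, 4, 1)          # SysKind 1 = Win32
        + struct.pack("<HII", PROJECTLCID, 4, lcid)
        + struct.pack("<HII", PROJECTLCIDINVOKE, 4, lcid_invoke)
        + struct.pack("<HIH", PROJECTCODEPAGE, 2, codepage)
    )


def iter_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (id, payload) for the fixed-layout records in a dir fragment."""
    pos = 0
    while pos + 6 <= len(data):
        rec_id, size = struct.unpack_from("<HI", data, pos)
        pos += 6
        payload = data[pos:pos + size]
        if len(payload) != size:
            raise ValueError(f"truncated record 0x{rec_id:04X} at offset {pos - 6}")
        pos += size
        yield rec_id, payload


def check_lcids(data: bytes, strict: bool = False) -> Tuple[int, int, List[Finding]]:
    """Read PROJECTLCID and PROJECTLCIDINVOKE from a dir fragment.

    strict=True reproduces the reported behaviour: any value other than 0x0409
    aborts the scan. strict=False records the deviation as a finding and
    returns normally, so a non-English document is still analyzed."""
    found = {}
    for rec_id, payload in iter_records(data):
        if rec_id in (PROJECTLCID, PROJECTLCIDINVOKE) and len(payload) == 4:
            found[rec_id] = struct.unpack("<I", payload)[0]

    findings: List[Finding] = []
    for rec_id, name in ((PROJECTLCID, "PROJECTLCID"),
                         (PROJECTLCIDINVOKE, "PROJECTLCIDINVOKE")):
        if rec_id not in found:
            findings.append(Finding("warning", name, "record missing from dir stream"))
            continue
        value = found[rec_id]
        if value != EN_US:
            label = LCID_NAMES.get(value, "unknown LCID")
            if strict:
                raise UnexpectedLcidError(
                    f"{name}: expected {EN_US:04X} but found {value:04X}")
            findings.append(Finding("info", name,
                                    f"LCID {value:04X} ({label}) is not en-US"))

    return found.get(PROJECTLCID, 0), found.get(PROJECTLCIDINVOKE, 0), findings


if __name__ == "__main__":
    for lcid in (0x0409, 0x0C07):
        _, _, notes = check_lcids(build_dir_fragment(lcid, lcid))
        print(f"{lcid:04X}: {[f.message for f in notes] or 'no findings'}")
```

Running the block scans a constructed en-US fragment (no findings) and a constructed de-AT fragment (one informational finding, scan completes). The point for a scanner is that the LCID is descriptive metadata, not something the macro extraction depends on; treating it as a hard precondition lets a single field decide whether any of the later keyword findings are produced at all.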