Closed
Description
Affected tool:
olevba
Describe the bug
An ERROR occurs in olevba when parsing a simple .xlsm.
Any support is highly appreciated.
Error Details
# olevba book1.xlsm
olevba 0.60.1 on Python 3.10.6 - http://decalage.info/python/oletools
===============================================================================
FILE: book1.xlsm
Type: OpenXML
WARNING invalid value for PROJECTLCID_Id expected 0002 got 004A
WARNING invalid value for PROJECTLCID_Lcid expected 0409 got 0003
WARNING invalid value for PROJECTLCIDINVOKE_Id expected 0014 got 0002
WARNING invalid value for PROJECTCODEPAGE_Id expected 0003 got 0014
WARNING invalid value for PROJECTCODEPAGE_Size expected 0002 got 0004
WARNING invalid value for PROJECTNAME_Id expected 0004 got 0000
ERROR PROJECTNAME_SizeOfProjectName value not in range [1-128]: 131075
ERROR Error in _extract_vba
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/oletools/olevba.py", line 3526, in extract_macros
    for stream_path, vba_filename, vba_code in \
  File "/usr/local/lib/python3.10/dist-packages/oletools/olevba.py", line 2094, in _extract_vba
    project = VBA_Project(ole, vba_root, project_path, dir_path, relaxed)
  File "/usr/local/lib/python3.10/dist-packages/oletools/olevba.py", line 1752, in __init__
    projectdocstring_id = struct.unpack("<H", dir_stream.read(2))[0]
struct.error: unpack requires a buffer of 2 bytes
WARNING For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook
in file: xl/vbaProject.bin - OLE stream: 'ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Sub Workbook_Open()
End Sub
-------------------------------------------------------------------------------
VBA MACRO Sheet1
in file: xl/vbaProject.bin - OLE stream: 'Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Workbook_Open       |Runs when the Excel Workbook is opened       |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+
File/Malware sample to reproduce the bug
password: simple
Book1.zip
How To Reproduce the bug
Invoke the command below.
olevba book1.xlsm
Expected behavior
Parsing succeeds.
Console output / Screenshots
See the 'Describe the bug' section
Version information:
- OS: Linux
- OS version: Ubuntu 22.04 (Windows WSL 1.0.3.0-64 bits)
- Python version: 3.10.6
- oletools version: 0.60.1
- Excel: Microsoft Excel for Microsoft 365 MSO (Version 2208 Build 16.0.15601.20446) 64 bits
Additional context
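Added example, not part of the original report and not oletools code: a record walker for the start of the `dir` stream that skips an optional record and reports truncation with an offset instead of a bare `struct.error`. It assumes the `004A` in the first warning is MS-OVBA's PROJECTCOMPATVERSION record sitting between PROJECTSYSKIND and PROJECTLCID; the sample bytes, `parse_header`, `read_exact` and `fixed_order_name_size` are constructed for illustration.

```python
import struct

# dir-stream record ids per MS-OVBA; 0x004A is PROJECTCOMPATVERSION (assumed cause)
SYSKIND, COMPATVERSION, LCID, LCIDINVOKE, CODEPAGE, NAME = 1, 0x4A, 2, 0x14, 3, 4
OPTIONAL = {COMPATVERSION}  # records a reader may skip without failing

class DirStreamError(ValueError):
    """Truncated or out-of-order dir stream, reported with an offset."""

def read_exact(buf, pos, n, what):
    # Bounds-check every read so a short stream gives a precise error.
    if pos + n > len(buf):
        raise DirStreamError(
            f"need {n} bytes for {what} at offset {pos}, have {len(buf) - pos}")
    return buf[pos:pos + n], pos + n

def parse_header(buf, expected=(SYSKIND, LCID, LCIDINVOKE, CODEPAGE, NAME)):
    """Walk id(u16)/size(u32)/data records in order, skipping optional ones."""
    pos, found, skipped = 0, {}, []
    for want in expected:
        while True:
            raw, pos = read_exact(buf, pos, 6, f"header before 0x{want:04X}")
            rec_id, size = struct.unpack("<HI", raw)
            data, pos = read_exact(buf, pos, size, f"data of 0x{rec_id:04X}")
            if rec_id == want:
                found[rec_id] = data
                break
            if rec_id not in OPTIONAL:
                raise DirStreamError(
                    f"record 0x{rec_id:04X} where 0x{want:04X} was expected")
            skipped.append(rec_id)
    return found, skipped

def rec(rec_id, data):
    return struct.pack("<HI", rec_id, len(data)) + data

# Constructed sample, not bytes taken from Book1.zip.
SAMPLE = (rec(SYSKIND, struct.pack("<I", 3)) + rec(COMPATVERSION, struct.pack("<I", 3))
          + rec(LCID, struct.pack("<I", 0x0409)) + rec(LCIDINVOKE, struct.pack("<I", 0x0409))
          + rec(CODEPAGE, struct.pack("<H", 1252)) + rec(NAME, b"VBAProject"))

def fixed_order_name_size(buf):
    """Value a reader expecting LCID right after SYSKIND takes as the NAME size."""
    # 10 (SYSKIND) + 10 + 10 (two 4-byte records) + 8 (CODEPAGE) + 2 (NAME id)
    return struct.unpack_from("<I", buf, 10 + 10 + 10 + 8 + 2)[0]

if __name__ == "__main__":
    print(parse_header(SAMPLE))
    print(fixed_order_name_size(SAMPLE))
```

On this sample the fixed-order read yields 131075, the value in the PROJECTNAME_SizeOfProjectName error above, because it combines the PROJECTCODEPAGE id (0003) with the low half of its size (0002).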