Describe the bug
OpenXML files are detected (logically) as zip but ignored by Oletools because the filetype equals ZIP.
To Reproduce
Parse an MS Office OpenXML file via the fileinfo analyzer v5 (same issue in v4).
Expected behavior
MS Office OpenXML files should be parsed.
Complementary information
My investigations led to this line of code in fileinfo_analyzer.py

in the __init__ method:

```python
self.filetype = pyexifinfo.fileType(self.filepath)
```

in the run method:

```python
for module in available_submodules:
    if module.check_file(file=self.filepath, filetype=self.filetype,
                         filename=self.filename, mimetype=self.mimetype):
        module_results = module.analyze_file(self.filepath)
        module_summaries = module.module_summary()
        results.append({
            'submodule_name': module.name,
            'results': module_results,
            'summary': module_summaries
        })
```

and in /submodules/submodule_oletools.py, which doesn't include "ZIP":

```python
def check_file(self, **kwargs):
    try:
        if kwargs.get('filetype') in [
            'DOC', 'DOCM', 'DOCX',
            'XLS', 'XLSM', 'XLSX',
            'PPT', 'PPTM', 'PPTX'
        ]:
            return True
```

As a temporary workaround on my setup, I added:

```python
        elif kwargs.get('mimetype').startswith("application/vnd.openxmlformats-officedocument"):
            return True
```
Work environment
Cortex version: 2.1.2 (Docker Image)
Possible cause
Issue with some versions of pyexifinfo delivered or libraries embedded in the docker image
Possible solution
Add magic/mime type criteria to the condition in the check_file method
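
The following is an added example, not code from the issue or from the Cortex-Analyzers project: one way to make the gate described above robust when the type detector only reports "ZIP", by also checking the MIME type and, as a last resort, reading the package manifest `[Content_Types].xml`. The names `should_run_oletools`, `looks_like_ooxml` and `build_sample` are hypothetical, and the sample archives are constructed in memory.

```python
import io
import zipfile

OFFICE_FILETYPES = {'DOC', 'DOCM', 'DOCX', 'XLS', 'XLSM', 'XLSX', 'PPT', 'PPTM', 'PPTX'}
OOXML_MIME_PREFIX = 'application/vnd.openxmlformats-officedocument'
# Content-type prefixes an Office package declares in [Content_Types].xml,
# including the macro-enabled variants (vnd.ms-*).
OOXML_PART_PREFIXES = (
    b'application/vnd.openxmlformats-officedocument.',
    b'application/vnd.ms-word.',
    b'application/vnd.ms-excel.',
    b'application/vnd.ms-powerpoint.',
)
MAX_MANIFEST_SIZE = 1024 * 1024  # skip manifests that declare an implausible size


def looks_like_ooxml(file):
    """Return True if `file` (path or file object) is a ZIP holding an Office package."""
    try:
        with zipfile.ZipFile(file) as archive:
            info = archive.getinfo('[Content_Types].xml')
            if info.file_size > MAX_MANIFEST_SIZE:
                return False
            manifest = archive.read(info)
    except (zipfile.BadZipFile, KeyError, OSError, RuntimeError):
        # Not a ZIP, no manifest, unreadable, or encrypted/unsupported entry.
        return False
    return any(prefix in manifest for prefix in OOXML_PART_PREFIXES)


def should_run_oletools(file, filetype=None, mimetype=None):
    """Hypothetical stand-in for check_file: accept by type, MIME type, or content."""
    if filetype in OFFICE_FILETYPES:
        return True
    # `or ''` avoids an AttributeError when no MIME type was detected.
    if (mimetype or '').startswith(OOXML_MIME_PREFIX):
        return True
    # The case in this issue: the detector only says "ZIP".
    return filetype == 'ZIP' and looks_like_ooxml(file)


def build_sample(entries):
    """Constructed test input: an in-memory ZIP from a name -> bytes mapping."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, 'w') as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    buffer.seek(0)
    return buffer
```
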