Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UnexpectedDataError: Unexpected value in Macros/VBA/dir for variable PROJECTDOCSTRING_Id #593

Closed
LeMurphant opened this issue Jul 29, 2020 · 15 comments
Closed

UnexpectedDataError: Unexpected value in Macros/VBA/dir for variable PROJECTDOCSTRING_Id #593

LeMurphant opened this issue Jul 29, 2020 · 15 comments
Assignees
@decalage2
Labels
🐛 bug olevba
Milestone
oletools 0.56

Comments

@LeMurphant
Copy link

LeMurphant commented Jul 29, 2020
edited
Loading

Affected tool:
olevba

Describe the bug
UnexpectedDataError: Unexpected value in Macros/VBA/dir for variable PROJECTDOCSTRING_Id: expected 0005 but found 0051!

File/Malware sample to reproduce the bug

https://drive.google.com/file/d/1w3un-p-yPyqFYx30oInHVOo4su-kIJhr/view
password: oletools

How To Reproduce the bug

Run olevba 0.56dev6 on Python 3.8.2

Console output / Screenshots

olevba 0.56dev6 on Python 3.8.2 - http://decalage.info/python/oletools
===============================================================================
FILE: /home/ocoutu/Downloads/invoice_number.doc
Type: OLE
ERROR    Error in _extract_vba
Traceback (most recent call last):
  File "olevba.py", line 3327, in extract_macros
    for stream_path, vba_filename, vba_code in \
  File "olevba.py", line 2065, in _extract_vba
    project = VBA_Project(ole, vba_root, project_path, dir_path, relaxed=False)
  File "olevba.py", line 1727, in __init__
    self.check_value('PROJECTDOCSTRING_Id', 0x0005, projectdocstring_id)
  File "olevba.py", line 1962, in check_value
    raise UnexpectedDataError(self.dir_path, name, expected, value)
UnexpectedDataError: Unexpected value in Macros/VBA/dir for variable PROJECTDOCSTRING_Id: expected 0005 but found 0051!
Traceback (most recent call last):
  File "olevba.py", line 3891, in process_file
    self.run_analysis(show_decoded_strings=show_decoded_strings, deobfuscate=deobfuscate)
  File "olevba.py", line 3787, in run_analysis
    self.analyze_macros(show_decoded_strings, deobfuscate)
  File "olevba.py", line 3411, in analyze_macros
    for (_, _, _, vba_code) in self.extract_all_macros():
  File "olevba.py", line 3390, in extract_all_macros
    for (subfilename, stream_path, vba_filename, vba_code) in self.extract_macros():
  File "olevba.py", line 3374, in extract_macros
    if self.detect_vba_stomping():
  File "olevba.py", line 3735, in detect_vba_stomping
    vba_code_all_modules += vba_code + '\n'
TypeError: can't concat str to bytes
ERROR    Error processing file /home/ocoutu/Downloads/invoice_number.doc (can't concat str to bytes)!
Traceback (most recent call last):
  File "olevba.py", line 3891, in process_file
    self.run_analysis(show_decoded_strings=show_decoded_strings, deobfuscate=deobfuscate)
  File "olevba.py", line 3787, in run_analysis
    self.analyze_macros(show_decoded_strings, deobfuscate)
  File "olevba.py", line 3411, in analyze_macros
    for (_, _, _, vba_code) in self.extract_all_macros():
  File "olevba.py", line 3390, in extract_all_macros
    for (subfilename, stream_path, vba_filename, vba_code) in self.extract_macros():
  File "olevba.py", line 3374, in extract_macros
    if self.detect_vba_stomping():
  File "olevba.py", line 3735, in detect_vba_stomping
    vba_code_all_modules += vba_code + '\n'
TypeError: can't concat str to bytes

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "olevba.py", line 4187, in process_file
    vba_parser.process_file(show_decoded_strings=options.show_decoded_strings,
  File "olevba.py", line 3977, in process_file
    raise ProcessingError(self.filename, exc)
ProcessingError: Error processing file /home/ocoutu/Downloads/invoice_number.doc (can't concat str to bytes)
(venv)  ✘ ocoutu@P180  ~/Programs/oletools/oletools   master  
(venv)  ✘ ocoutu@P180  ~/Programs/oletools/oletools   master  python olevba.py -l debug ~/Downloads/invoice_number.doc
olevba 0.56dev6 on Python 3.8.2 - http://decalage.info/python/oletools
INFO     Opening OLE file /home/ocoutu/Downloads/invoice_number.doc
INFO     Check whether OLE file is PPT
DEBUG    using open OleFileIO
DEBUG    File appears not to be a ppt file (In stream "root" for field "listdir" found value "[['\x01CompObj'], ['\x05DocumentSummaryInformation'], ['\x05SummaryInformation'], ['1Table'], ['Data'], ['Macros', 'AXLBRmxlxpoxs', '\x01CompObj'], ['Macros', 'AXLBRmxlxpoxs', '\x03VBFrame'], ['Macros', 'AXLBRmxlxpoxs', 'f'], ['Macros', 'AXLBRmxlxpoxs', 'i05', '\x01CompObj'], ['Macros', 'AXLBRmxlxpoxs', 'i05', 'f'], ['Macros', 'AXLBRmxlxpoxs', 'i05', 'o'], ['Macros', 'AXLBRmxlxpoxs', 'i07', '\x01CompObj'], ['Macros', 'AXLBRmxlxpoxs', 'i07', 'f'], ['Macros', 'AXLBRmxlxpoxs', 'i07', 'o'], ['Macros', 'AXLBRmxlxpoxs', 'i09', '\x01CompObj'], ['Macros', 'AXLBRmxlxpoxs', 'i09', 'f'], ['Macros', 'AXLBRmxlxpoxs', 'i09', 'i11', '\x01CompObj'], ['Macros', 'AXLBRmxlxpoxs', 'i09', 'i11', 'f'], ['Macros', 'AXLBRmxlxpoxs', 'i09', 'i11', 'o'], ['Macros', 'AXLBRmxlxpoxs', 'i09', 'i12', '\x01CompObj'], ['Macros', 'AXLBRmxlxpoxs', 'i09', 'i12', 'f'], ['Macros', 'AXLBRmxlxpoxs', 'i09', 'i12', 'o'], ['Macros', 'AXLBRmxlxpoxs', 'i09', 'o'], ['Macros', 'AXLBRmxlxpoxs', 'i09', 'x'], ['Macros', 'AXLBRmxlxpoxs', 'o'], ['Macros', 'PROJECT'], ['Macros', 'PROJECTwm'], ['Macros', 'UserForm1', '\x01CompObj'], ['Macros', 'UserForm1', '\x03VBFrame'], ['Macros', 'UserForm1', 'f'], ['Macros', 'UserForm1', 'o'], ['Macros', 'VBA', 'APWSZcovlnbu'], ['Macros', 'VBA', 'AXLBRmxlxpoxs'], ['Macros', 'VBA', 'UserForm1'], ['Macros', 'VBA', '_VBA_PROJECT'], ['Macros', 'VBA', '__SRP_0'], ['Macros', 'VBA', '__SRP_1'], ['Macros', 'VBA', '__SRP_2'], ['Macros', 'VBA', '__SRP_3'], ['Macros', 'VBA', 'dir'], ['WordDocument']]" but expected len = 1!)
===============================================================================
FILE: /home/ocoutu/Downloads/invoice_number.doc
Type: OLE
DEBUG    VBA_Parser.find_vba_projects
DEBUG    Checking storage ['Macros']
DEBUG    Checking storage ['Macros', 'AXLBRmxlxpoxs']
DEBUG    Checking storage ['Macros', 'AXLBRmxlxpoxs', 'i05']
DEBUG    Checking storage ['Macros', 'AXLBRmxlxpoxs', 'i07']
DEBUG    Checking storage ['Macros', 'AXLBRmxlxpoxs', 'i09']
DEBUG    Checking storage ['Macros', 'AXLBRmxlxpoxs', 'i09', 'i11']
DEBUG    Checking storage ['Macros', 'AXLBRmxlxpoxs', 'i09', 'i12']
DEBUG    Checking storage ['Macros', 'UserForm1']
DEBUG    Checking storage ['Macros', 'VBA']
DEBUG    Found VBA storage: Macros/VBA
DEBUG    Checking vba_root="Macros/"
DEBUG    Found PROJECT stream: Macros/PROJECT
DEBUG    Found VBA/_VBA_PROJECT stream: Macros/VBA/_VBA_PROJECT
DEBUG    Found VBA/dir stream: Macros/VBA/dir
DEBUG    VBA root storage: "Macros/"
DEBUG    Checking DirEntry #0
DEBUG    Checking DirEntry #1
DEBUG    Reading data from stream 'Data' - size: 101492 bytes
DEBUG    Read 101492 bytes
DEBUG    b't\x8c\x01\x00D\x00d\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4W\xf2+\xa0\x01\xa0\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x04\xf0\xb2\x00\x00\x00\xb2\x04\n\xf0\x08\x00\x00\x00\x01\x04\x00\x00\x00\n\x00\x00\x83\x00\x0b\xf0\x80\x00\x00\x00'...[much more data]...b'\x07\x97?\xe4K\xebg\xe0\xceX\xeb\xa7\xae\x7f\xf5\xe6\xfe\xc2\x7f\xd8O\xec9q\xafg\x7f\xf4\xb7\xb3\xbd\x93\xec\x8e\xe3\xfd\xc6.\x1c{\x8f\x8f~~\xad\xbc@\x0f\xff\xd9'
DEBUG    Checking DirEntry #2
DEBUG    Reading data from stream '1Table' - size: 7035 bytes
DEBUG    Read 7035 bytes
DEBUG    b'\x06\x06\x0f\x00\x12\x00\x01\x00s\x01\x0f\x00\x07\x00\x03\x00\x00\x00\x03\x00\x00\x00\x04\x00\x08\x00\x00\x00\x98\x00\x00\x00\x9e\x00\x00\x00\x9e\x00\x00\x00\x9e\x00\x00\x00\x9e\x00\x00\x00\x9e\x00\x00\x00\x9e\x00\x00\x00\x9e\x00\x00\x00\x9e\x00\x00\x006\x06\x00\x006\x06\x00\x006\x06\x00\x006\x06\x00\x006\x06\x00\x006\x06\x00\x006\x06\x00\x006\x06\x00\x006\x06\x00\x00'...[much more data]...b'\xdc\x00\x00\x00\x00\x00\x00\x00\xff\xff\x12\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
DEBUG    Checking DirEntry #3
DEBUG    Reading data from stream 'WordDocument' - size: 4096 bytes
DEBUG    Read 4096 bytes
DEBUG    b'\xec\xa5\xc1\x00[\xe0\t\x04\x00\x00\xf8\x12\xbf\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x08\x00\x00 \x08\x00\x00\x0e\x00bjbj\x12\x0b\x12\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\t\x04\x16\x00.\x0e\x00\x00pa!\\pa!\\ \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'...[much more data]...b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
DEBUG    Checking DirEntry #4
DEBUG    Reading data from stream '\x05SummaryInformation' - size: 420 bytes
DEBUG    Read 420 bytes
DEBUG    b"\xfe\xff\x00\x00\x06\x02\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\xe0\x85\x9f\xf2\xf9Oh\x10\xab\x91\x08\x00+'\xb3\xd90\x00\x00\x00t\x01\x00\x00\x11\x00\x00\x00\x01\x00\x00\x00\x90\x00\x00\x00\x02\x00\x00\x00d\x01\x00\x00\x03\x00\x00\x00\x98\x00\x00\x00\x04\x00\x00\x00L\x01\x00\x00\x05\x00\x00\x00\xa4\x00\x00\x00\x06\x00\x00\x00"...[much more data]...b'\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x00\x00\r\x00\x00\x00Lucie Renard\x00\x00\x00\x00\x1e\x00\x00\x00\x06\x00\x00\x00Modi.\x00\x00\x00'
DEBUG    Checking DirEntry #5
DEBUG    Reading data from stream '\x05DocumentSummaryInformation' - size: 352 bytes
DEBUG    Read 352 bytes
DEBUG    b'\xfe\xff\x00\x00\x06\x02\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\xd5\xcd\xd5\x9c.\x1b\x10\x93\x97\x08\x00+,\xf9\xaeD\x00\x00\x00\x05\xd5\xcd\xd5\x9c.\x1b\x10\x93\x97\x08\x00+,\xf9\xae,\x01\x00\x00\xe8\x00\x00\x00\x0c\x00\x00\x00\x01\x00\x00\x00h\x00\x00\x00\x0f\x00\x00\x00p\x00\x00\x00\x05\x00\x00\x00|\x00\x00\x00'...[much more data]...b'\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x01\x00\x00\x00$\x00\x00\x00\x00\x00\x00\x80,\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\xb0\x04\x00\x00\x13\x00\x00\x00\t\x04\x00\x00'
DEBUG    Checking DirEntry #6
DEBUG    Checking DirEntry #7
DEBUG    Checking DirEntry #8
DEBUG    Reading data from stream 'APWSZcovlnbu' - size: 1330 bytes
DEBUG    Read 1330 bytes
DEBUG    b'\x01\x16\x01\x00\x06\x00\x01\x00\x00V\x03\x00\x00\xe4\x00\x00\x00\xea\x01\x00\x00\x84\x03\x00\x00\x92\x03\x00\x00>\x04\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\xab\xc0\xf4\x00\x00\xff\xff\xa3\x01\x00\x00\x88\x00\x00\x00\xb6\x00\xff\xff\x01\x01\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\xff\xff<\x00\xff\xff\x00\x00\xc3\x04;\xed\x96.\xe6C\x93\xdd_\x8cD\x015\x7f\x8f'...[much more data]...b'ope\x08n()\x00cXLBR\x08mxl\x80>xs.N\x00MVSRxbbt\x00qnhvl\r\nE\x04nd\x81\x1c\r\n\r\n'
DEBUG    Found VBA compressed code
DEBUG    Checking DirEntry #9
DEBUG    Reading data from stream '__SRP_2' - size: 304 bytes
DEBUG    Read 304 bytes
DEBUG    b'rU\x80\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x00\x00\t\x00\x00\x00\x00\x00\x00\x00\t\x00\x00\x00\x00\x00\x03\x000\x00\x00\x00\x00\x00\x00\x00\x01\x00\x01\x00\x00\x00\x00\x00\x01\x00\x01\x00\x00\x00\x01\x00\xa9\x07\x00\x00\x00\x00\x00\x00\xd1\x07\x00\x00\x00\x00\x00\x00\t\x08\x00\x00\x00\x00\x00\x00\t\x00\x00\x00\x01\x00\x02\x00\x81\x07'...[much more data]...b'\x00\x00\x04\x00\x00\x00\x0c\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x13\x00\x004\x00X\x00\x00\x7f\x00\x00\x00\x00'
DEBUG    Checking DirEntry #10
DEBUG    Reading data from stream '__SRP_3' - size: 103 bytes
DEBUG    Read 103 bytes
DEBUG    b'rU\x80\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\t\x00\x00\x00\x00\x00\x02\x00\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00@\x00\x00\x00\x04\x00$\x00\x01\x01\x00\x00\x00\x00\x02\x00\x00\x00\x04`\x00\x00\xec\x06\x1c\x00\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x00\x00\x00\x00\x00n\x00\x00\x7f\x00\x00\x00\x00'
DEBUG    Checking DirEntry #11
DEBUG    Reading data from stream 'AXLBRmxlxpoxs' - size: 7616 bytes
DEBUG    Read 7616 bytes
DEBUG    b'\x01\x16\x01\x00\x01\xf0\x00\x00\x00\xb8\x06\x00\x00\xd4\x00\x00\x00L\x02\x00\x00\xff\xff\xff\xff\xbf\x06\x00\x00s\x15\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\xab\x97*\x00\x00\xff\xff\x01\x00\x00\x00\x88\x00\x00\x00\xb6\x00\xff\xff\x01\x01\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'...[much more data]...b'EpkrIQy\xc0FlK", \x05$\x01\x14\x00KjpkmPly\x04B"\x00\x9eEnd F\x00unction\r\x00\n\r\n'
DEBUG    Found VBA compressed code
DEBUG    Checking DirEntry #12
DEBUG    Reading data from stream 'UserForm1' - size: 1168 bytes
DEBUG    Read 1168 bytes
DEBUG    b'\x01\x16\x01\x00\x01\xf0\x00\x00\x00H\x03\x00\x00\xd4\x00\x00\x00L\x02\x00\x00\xff\xff\xff\xffO\x03\x00\x00\xa3\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\xab_\x1c\x00\x00\xff\xff\x01\x00\x00\x00\x88\x00\x00\x00\xb6\x00\xff\xff\x01\x01\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'...[much more data]...b'\x06DId\x00\xd4Tru\rBE`xpose\x01\x0e\x110T\x00emplateD\x10eriv\x96\x12Cus tomiz\x8bD'
DEBUG    Found VBA compressed code
DEBUG    Checking DirEntry #13
DEBUG    Reading data from stream '_VBA_PROJECT' - size: 11929 bytes
DEBUG    Read 11929 bytes
DEBUG    b'\xcca\xa3\x00\x00\x01\x00\xff\t\x04\x00\x00\t\x04\x00\x00\xe4\x04\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x06\x00\x02\x00\xfe\x00*\x00\\\x00G\x00{\x000\x000\x000\x002\x000\x004\x00E\x00F\x00-\x000\x000\x000\x000\x00-\x000\x000\x000\x000\x00-\x00C\x000\x000\x000\x00-\x000\x000\x000\x000\x00'...[much more data]...b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00'
DEBUG    Checking DirEntry #14
DEBUG    Reading data from stream 'dir' - size: 895 bytes
DEBUG    Read 895 bytes
DEBUG    b'\x01{\xb3\x80\x01\x00\x04\x00\x00\x00\x01\x000*\x02\x02\x90\t\x00p\x14\x06H\x03\x00\x82\x02\x00d\xe4\x04\x04\x00\x07\x00\x1c\x00NormalaQQ\x00(\x00\x00@\x02\x14\x06\x02\x14=\xad\x02\n\x07\x02l\x01\x14\x08\x06\x12\t\x02\x12\x80A\x8d\x0ea\r\x00\x0c\x02J\x12<\x02\n\x16\x00\x01rstd\x10ole>\x02\x19s'...[much more data]...b'>("\x13\xe5\x13ax\xe16\xe1/1G\x14\x00\x12\x80\x03U\xa0\x10e\x00rm\x86]1\xc0\x0f\xca\x042\xd4\x04\xef\x10\xa9R\x03\xef\x10_\x1c\xef\x10\x10b\x12'
DEBUG    Checking DirEntry #15
DEBUG    Reading data from stream '__SRP_0' - size: 1586 bytes
DEBUG    Read 1586 bytes
DEBUG    b'\x93K*\xa3\x01\x00\x10\x00\x00\x00\xff\xff\x00\x00\x00\x00\x01\x00\x02\x00\xff\xff\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x02\x00\x00\x00\x00\x00\x00\x00\x01\x00\x05\x00\x05\x00\x05\x00\x05\x00\x05\x00\x05\x00\x05\x00\x05\x00\x05\x00\x05\x00\x05\x00\x05\x00\x01\x00\t\x00\x00\x00*\\CNormalrU\x80\x01\x00\x00\x80\x00\x00\x00\x80\x00\x00'...[much more data]...b'ent\x04\x00\x00\x02\r\x00\x00\x00Document_open\x03\x00\x00\r\x0c\x00\x0c\x00@\x00\x00\x00\x00\x00\x00\x00\x00\x00h\x00\x00\x7f\x00\x00\x00\x00'
DEBUG    Checking DirEntry #16
DEBUG    Reading data from stream '__SRP_1' - size: 110 bytes
DEBUG    Read 110 bytes
DEBUG    b'rU\x80\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x80\x00\x00\x00\x01\x00\x00~}\x00\x00\x7f\x00\x00\x00\x00\n\x00\x00\x00\t\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\t\x00\x00\x00\x00\x00\x03\x00\xff\xff\xff\xff\xff\xff\xff\xff\x03\x00\x00\t1\x03\x00\x00\x00\x00\x00\x001\x08\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x01\x00p\x00\x00\x7f\x00\x00\x00\x00'
DEBUG    Checking DirEntry #17
DEBUG    Checking DirEntry #18
DEBUG    Reading data from stream 'f' - size: 562 bytes
DEBUG    Read 562 bytes
DEBUG    b'\x00\x04 \x00\x08\x0c\x00\x0c\r\x00\x00\x00\x14\x00\x00\x00\x00}\x00\x00k\x1f\x00\x00\xc6\x14\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\n\x00\x00\x00\x04\x02\x00\x00\x00\x8a\x01\x00\x00\x00,\x00\xe5\x01\x00\x00\x10\x00\x00\x80\x01\x00\x00\x00H\x00\x00\x00\x00\x00\x19\x00MLOEAheomslajzsc\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'...[much more data]...b'\x00\x00\x00\x00,\x00\xe5\x01\x00\x00\x0f\x00\x00\x80\r\x00\x00\x00L\x00\x00\x00\x08\x00\x19\x00TVRPLetmdthdoap\x00\x00\x00\x00\x00\x00\x00\x00\x00'
DEBUG    Checking DirEntry #19
DEBUG    Reading data from stream 'o' - size: 456 bytes
DEBUG    Read 456 bytes
DEBUG    b'\x00\x02(\x00A\x01E\x80\x00\x00\x00\x00\x1bH\x80,\x03\x01\x02\x00\x0c\x00\x00\x80\xec\t\x00\x00{\x02\x00\x00ZPKVYkweqmit\x00\x02\x18\x005\x00\x00\x00\x06\x00\x00\x80\xa5\x00\x00\x00\x00\x02\x00\x00Tahoma\x00\x00\x00\x02,\x00A\x01E\x80\x00\x00\x00\x00\x1bH\x80,\x03\x01\x02\x00\r\x00\x00\x80\xec\t\x00\x00'...[much more data]...b'\x00\x00{\x02\x00\x00MCNIWfiwcgwqv\x00\x00\xff\x00\x02\x18\x005\x00\x00\x00\x06\x00\x00\x80\xa5\x00\x00\x00\x00\x02\x00\x00Tahoma\x00\x00'
DEBUG    Checking DirEntry #20
DEBUG    Checking DirEntry #21
DEBUG    Reading data from stream 'f' - size: 44 bytes
DEBUG    Read 44 bytes
DEBUG    b'\x00\x04 \x00@\x0c\x02\x08\x04\x80\x00\x00\x03\x00\x00\x00\x00}\x00\x00\xc4\x1d\x00\x00\xd8\x13\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
DEBUG    Checking DirEntry #22
DEBUG    Reading data from stream 'o' - size: 0 bytes
DEBUG    Read 0 bytes
DEBUG    b''
DEBUG    Checking DirEntry #23
DEBUG    Reading data from stream '\x01CompObj' - size: 112 bytes
DEBUG    Read 112 bytes
DEBUG    b'\x01\x00\xfe\xff\x03\n\x00\x00\xff\xff\xff\xff  \x18n`\xf4\xce\x11\x9b\xcd\x00\xaa\x00`\x8e\x01\x1a\x00\x00\x00Microsoft Forms 2.0 Frame\x00\x10\x00\x00\x00Embedded Object\x00\x0e\x00\x00\x00Forms.Frame.1\x00\xf49\xb2q\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
DEBUG    Checking DirEntry #24
DEBUG    Checking DirEntry #25
DEBUG    Reading data from stream 'f' - size: 44 bytes
DEBUG    Read 44 bytes
DEBUG    b'\x00\x04 \x00@\x0c\x02\x08\x04\x80\x00\x00\x03\x00\x00\x00\x00}\x00\x00\xc4\x1d\x00\x00\xd8\x13\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
DEBUG    Checking DirEntry #26
DEBUG    Reading data from stream 'o' - size: 0 bytes
DEBUG    Read 0 bytes
DEBUG    b''
DEBUG    Checking DirEntry #27
DEBUG    Reading data from stream '\x01CompObj' - size: 112 bytes
DEBUG    Read 112 bytes
DEBUG    b'\x01\x00\xfe\xff\x03\n\x00\x00\xff\xff\xff\xff  \x18n`\xf4\xce\x11\x9b\xcd\x00\xaa\x00`\x8e\x01\x1a\x00\x00\x00Microsoft Forms 2.0 Frame\x00\x10\x00\x00\x00Embedded Object\x00\x0e\x00\x00\x00Forms.Frame.1\x00\xf49\xb2q\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
DEBUG    Checking DirEntry #28
DEBUG    Checking DirEntry #29
DEBUG    Reading data from stream 'f' - size: 176 bytes
DEBUG    Read 176 bytes
DEBUG    b'\x00\x04$\x00H\x0c\x00\x0c\x0c\x00\x00\x00\x04\xc0\x00\x00\x04\x00\x00\x00\x00}\x00\x00\xd8\x13\x00\x00\xe2\x0e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00p\x00\x00\x00\x00\x83\x01\x00\x00\x00\x18\x00\xe4\x01\x00\x00\n\x00\x00\x00\xe8=\x00\x00\x02\x00\x12\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\xd5\x01\x00\x00\x05\x00\x00\x80\x0b\x00\x00\x00#\x00\x04\x00\x00\x00\x07\x00Page1\x00\x00\x005\x00\x00\x00,\x02\x00\x00\x00\x00$\x00\xd5\x01\x00\x00\x05\x00\x00\x80\x0c\x00\x00\x00!\x00\x04\x00\x01\x00\x07\x00Page2a\x00\x005\x00\x00\x00,\x02\x00\x00\x00\x02\x0c\x00\x19\x00\x00\x00\xfc\x8f\x00\x00\xff\x01\x00\x00'
DEBUG    Checking DirEntry #30
DEBUG    Reading data from stream 'o' - size: 15848 bytes
DEBUG    Read 15848 bytes
DEBUG    b'\x00\x02\xc0=1\x80\xfa\x00\x00\x00\x00\x00\x18\x00\x00\x00\\=\x00\x00\x10\x00\x00\x00\x04\x00\x00\x00\x08\x00\x00\x00\x02\x00\x00\x00\x08\x00\x00\x00\xd8\x13\x00\x00\xe2\x0e\x00\x00\x05\x00\x00\x80Page1me.\x05\x00\x00\x80Page2me.\x00\x00\x00\x00Q=\x00\x80p99939nu7*9((()0hsbu'...[much more data]...b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x18\x005\x00\x00\x00\x06\x00\x00\x80\xa5\x00\x00\x00\x00\x02\x00\x00Tahoma\x87\x0f\x03\x00\x00\x00\x03\x00\x00\x00'
DEBUG    Checking DirEntry #31
DEBUG    Checking DirEntry #32
DEBUG    Checking DirEntry #33
DEBUG    Reading data from stream '\x01CompObj' - size: 115 bytes
DEBUG    Read 115 bytes
DEBUG    b'\x01\x00\xfe\xff\x03\n\x00\x00\xff\xff\xff\xffp\x13\xe3Fz?\xce\x11\xbe\xd6\x00\xaa\x00a\x10\x80\x19\x00\x00\x00Microsoft Forms 2.0 Form\x00\x10\x00\x00\x00Embedded Object\x00\x12\x00\x00\x00Forms.MultiPage.1\x00\xf49\xb2q\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
DEBUG    Checking DirEntry #34
DEBUG    Reading data from stream 'x' - size: 48 bytes
DEBUG    Read 48 bytes
DEBUG    b'\x00\x02\x04\x00\x00\x00\x00\x00\x00\x02\x04\x00\x00\x00\x00\x00\x00\x02\x04\x00\x00\x00\x00\x00\x00\x02\x0c\x00\x06\x00\x00\x00\x02\x00\x00\x00\n\x00\x00\x00\x0b\x00\x00\x00\x0c\x00\x00\x00'
DEBUG    Checking DirEntry #35
DEBUG    Reading data from stream 'f' - size: 40 bytes
DEBUG    Read 40 bytes
DEBUG    b'\x00\x04\x1c\x00@\x0c\x00\x08\x04\x80\x00\x00\x00}\x00\x00n\x13\x00\x00\x81\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
DEBUG    Checking DirEntry #36
DEBUG    Reading data from stream 'o' - size: 0 bytes
DEBUG    Read 0 bytes
DEBUG    b''
DEBUG    Checking DirEntry #37
DEBUG    Reading data from stream '\x01CompObj' - size: 110 bytes
DEBUG    Read 110 bytes
DEBUG    b'\x01\x00\xfe\xff\x03\n\x00\x00\xff\xff\xff\xff\xf0i*\xc6\xdc\x16\xce\x11\x9e\x98\x00\xaa\x00WJO\x19\x00\x00\x00Microsoft Forms 2.0 Form\x00\x10\x00\x00\x00Embedded Object\x00\r\x00\x00\x00Forms.Form.1\x00\xf49\xb2q\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
DEBUG    Checking DirEntry #38
DEBUG    Reading data from stream 'f' - size: 40 bytes
DEBUG    Read 40 bytes
DEBUG    b'\x00\x04\x1c\x00@\x0c\x00\x08\x04\x80\x00\x00\x00}\x00\x00n\x13\x00\x00\x81\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
DEBUG    Checking DirEntry #39
DEBUG    Reading data from stream 'o' - size: 0 bytes
DEBUG    Read 0 bytes
DEBUG    b''
DEBUG    Checking DirEntry #40
DEBUG    Reading data from stream '\x01CompObj' - size: 110 bytes
DEBUG    Read 110 bytes
DEBUG    b'\x01\x00\xfe\xff\x03\n\x00\x00\xff\xff\xff\xff\xf0i*\xc6\xdc\x16\xce\x11\x9e\x98\x00\xaa\x00WJO\x19\x00\x00\x00Microsoft Forms 2.0 Form\x00\x10\x00\x00\x00Embedded Object\x00\r\x00\x00\x00Forms.Form.1\x00\xf49\xb2q\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
DEBUG    Checking DirEntry #41
DEBUG    Reading data from stream '\x01CompObj' - size: 97 bytes
DEBUG    Read 97 bytes
DEBUG    b'\x01\x00\xfe\xff\x03\n\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x19\x00\x00\x00Microsoft Forms 2.0 Form\x00\x10\x00\x00\x00Embedded Object\x00\x00\x00\x00\x00\xf49\xb2q\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
DEBUG    Checking DirEntry #42
DEBUG    Reading data from stream '\x03VBFrame' - size: 297 bytes
DEBUG    Read 297 bytes
DEBUG    b'VERSION 5.00\r\nBegin {C62A69F0-16DC-11CE-9E98-00AA00574A4F} AXLBRmxlxpoxs \r\n   Caption         =   "U'...[much more data]...b" 1  'CenterOwner\r\n   TypeInfoVer     =   20\r\nEnd\r\n"
DEBUG    Checking DirEntry #43
DEBUG    Checking DirEntry #44
DEBUG    Reading data from stream 'f' - size: 38 bytes
DEBUG    Read 38 bytes
DEBUG    b'\x00\x04\x18\x00\x00\x0c\x00\x08\x00}\x00\x00k\x1f\x00\x00\xc6\x14\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
DEBUG    Checking DirEntry #45
DEBUG    Reading data from stream 'o' - size: 0 bytes
DEBUG    Read 0 bytes
DEBUG    b''
DEBUG    Checking DirEntry #46
DEBUG    Reading data from stream '\x01CompObj' - size: 97 bytes
DEBUG    Read 97 bytes
DEBUG    b'\x01\x00\xfe\xff\x03\n\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x19\x00\x00\x00Microsoft Forms 2.0 Form\x00\x10\x00\x00\x00Embedded Object\x00\x00\x00\x00\x00\xf49\xb2q\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
DEBUG    Checking DirEntry #47
DEBUG    Reading data from stream '\x03VBFrame' - size: 266 bytes
DEBUG    Read 266 bytes
DEBUG    b'VERSION 5.00\r\nBegin {C62A69F0-16DC-11CE-9E98-00AA00574A4F} UserForm1 \r\n   Caption         =   "UserF'...[much more data]...b"560\r\n   StartUpPosition =   1  'CenterOwner\r\nEnd\r\n"
DEBUG    Checking DirEntry #48
DEBUG    Reading data from stream 'PROJECTwm' - size: 113 bytes
DEBUG    Read 113 bytes
DEBUG    b'APWSZcovlnbu\x00A\x00P\x00W\x00S\x00Z\x00c\x00o\x00v\x00l\x00n\x00b\x00u\x00\x00\x00AXLBRmxlxpoxs\x00A\x00X\x00L\x00B\x00R\x00m\x00x\x00l\x00x\x00p\x00o\x00x\x00s\x00\x00\x00UserForm1\x00U\x00s\x00e\x00r\x00F\x00o\x00r\x00m\x001\x00\x00\x00\x00\x00'
DEBUG    Checking DirEntry #49
DEBUG    Reading data from stream 'PROJECT' - size: 589 bytes
DEBUG    Read 589 bytes
DEBUG    b'ID="{74A5A0B6-7751-4428-B725-E2D9346FA881}"\r\nDocument=APWSZcovlnbu/&H00000000\r\nPackage={AC9F2F90-E87'...[much more data]...b'C\r\nUserForm1=0, 0, 0, 0, C, 52, 52, 1588, 805, C\r\n'
DEBUG    Checking DirEntry #50
DEBUG    Reading data from stream '\x01CompObj' - size: 114 bytes
DEBUG    Read 114 bytes
DEBUG    b'\x01\x00\xfe\xff\x03\n\x00\x00\xff\xff\xff\xff\x06\t\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00F \x00\x00\x00Microsoft Word 97-2003 Document\x00\n\x00\x00\x00MSWordDoc\x00\x10\x00\x00\x00Word.Document.8\x00\xf49\xb2q\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
DEBUG    Checking DirEntry #51
DEBUG    This DirEntry is an orphan or unused
DEBUG    extract_macros:
DEBUG    VBA_Parser.find_vba_projects
DEBUG    relaxed is False
DEBUG    Parsing the dir stream from 'Macros/VBA/dir'
DEBUG    chunk size = 894, compressed flag = 1
DEBUG    PROJECTSYSKIND_SysKind: 1 - 32-bit Windows
DEBUG    Project Code Page: 1252 - ANSI Latin 1; Western European (Windows)
DEBUG    Python codec corresponding to code page 1252: cp1252
DEBUG    Project name size: 7 bytes
ERROR    Error in _extract_vba
Traceback (most recent call last):
  File "olevba.py", line 3327, in extract_macros
    for stream_path, vba_filename, vba_code in \
  File "olevba.py", line 2065, in _extract_vba
    project = VBA_Project(ole, vba_root, project_path, dir_path, relaxed=False)
  File "olevba.py", line 1727, in __init__
    self.check_value('PROJECTDOCSTRING_Id', 0x0005, projectdocstring_id)
  File "olevba.py", line 1962, in check_value
    raise UnexpectedDataError(self.dir_path, name, expected, value)
UnexpectedDataError: Unexpected value in Macros/VBA/dir for variable PROJECTDOCSTRING_Id: expected 0005 but found 0051!
DEBUG    Checking DirEntry #0
DEBUG    Checking DirEntry #1
DEBUG    Reading data from stream 'Data'
DEBUG    Checking DirEntry #2
DEBUG    Reading data from stream '1Table'
DEBUG    Checking DirEntry #3
DEBUG    Reading data from stream 'WordDocument'
DEBUG    Checking DirEntry #4
DEBUG    Reading data from stream '\x05SummaryInformation'
DEBUG    Checking DirEntry #5
DEBUG    Reading data from stream '\x05DocumentSummaryInformation'
DEBUG    Checking DirEntry #6
DEBUG    Checking DirEntry #7
DEBUG    Checking DirEntry #8
DEBUG    Reading data from stream 'APWSZcovlnbu'
DEBUG    Found VBA compressed code at index 444
DEBUG    chunk size = 237, compressed flag = 1
DEBUG    Checking DirEntry #9
DEBUG    Reading data from stream '__SRP_2'
DEBUG    Checking DirEntry #10
DEBUG    Reading data from stream '__SRP_3'
DEBUG    Checking DirEntry #11
DEBUG    Reading data from stream 'AXLBRmxlxpoxs'
DEBUG    Found VBA compressed code at index 1579
DEBUG    chunk size = 1991, compressed flag = 1
DEBUG    chunk size = 127, compressed flag = 1
DEBUG    Checking DirEntry #12
DEBUG    Reading data from stream 'UserForm1'
DEBUG    Found VBA compressed code at index 3A9
DEBUG    chunk size = 230, compressed flag = 1
DEBUG    Checking DirEntry #13
DEBUG    Reading data from stream '_VBA_PROJECT'
DEBUG    Checking DirEntry #14
DEBUG    Reading data from stream 'dir'
DEBUG    Checking DirEntry #15
DEBUG    Reading data from stream '__SRP_0'
DEBUG    Checking DirEntry #16
DEBUG    Reading data from stream '__SRP_1'
DEBUG    Checking DirEntry #17
DEBUG    Checking DirEntry #18
DEBUG    Reading data from stream 'f'
DEBUG    Checking DirEntry #19
DEBUG    Reading data from stream 'o'
DEBUG    Checking DirEntry #20
DEBUG    Checking DirEntry #21
DEBUG    Reading data from stream 'f'
DEBUG    Checking DirEntry #22
DEBUG    Reading data from stream 'o'
DEBUG    Checking DirEntry #23
DEBUG    Reading data from stream '\x01CompObj'
DEBUG    Checking DirEntry #24
DEBUG    Checking DirEntry #25
DEBUG    Reading data from stream 'f'
DEBUG    Checking DirEntry #26
DEBUG    Reading data from stream 'o'
DEBUG    Checking DirEntry #27
DEBUG    Reading data from stream '\x01CompObj'
DEBUG    Checking DirEntry #28
DEBUG    Checking DirEntry #29
DEBUG    Reading data from stream 'f'
DEBUG    Checking DirEntry #30
DEBUG    Reading data from stream 'o'
DEBUG    Checking DirEntry #31
DEBUG    Checking DirEntry #32
DEBUG    Checking DirEntry #33
DEBUG    Reading data from stream '\x01CompObj'
DEBUG    Checking DirEntry #34
DEBUG    Reading data from stream 'x'
DEBUG    Checking DirEntry #35
DEBUG    Reading data from stream 'f'
DEBUG    Checking DirEntry #36
DEBUG    Reading data from stream 'o'
DEBUG    Checking DirEntry #37
DEBUG    Reading data from stream '\x01CompObj'
DEBUG    Checking DirEntry #38
DEBUG    Reading data from stream 'f'
DEBUG    Checking DirEntry #39
DEBUG    Reading data from stream 'o'
DEBUG    Checking DirEntry #40
DEBUG    Reading data from stream '\x01CompObj'
DEBUG    Checking DirEntry #41
DEBUG    Reading data from stream '\x01CompObj'
DEBUG    Checking DirEntry #42
DEBUG    Reading data from stream '\x03VBFrame'
DEBUG    Checking DirEntry #43
DEBUG    Checking DirEntry #44
DEBUG    Reading data from stream 'f'
DEBUG    Checking DirEntry #45
DEBUG    Reading data from stream 'o'
DEBUG    Checking DirEntry #46
DEBUG    Reading data from stream '\x01CompObj'
DEBUG    Checking DirEntry #47
DEBUG    Reading data from stream '\x03VBFrame'
DEBUG    Checking DirEntry #48
DEBUG    Reading data from stream 'PROJECTwm'
DEBUG    Checking DirEntry #49
DEBUG    Reading data from stream 'PROJECT'
DEBUG    Checking DirEntry #50
DEBUG    Reading data from stream '\x01CompObj'
DEBUG    Checking DirEntry #51
DEBUG    detect_vba_stomping
DEBUG    Analysing the P-code to detect VBA stomping
DEBUG    Calling pcodedmp to extract and disassemble the VBA P-code
INFO     Exception when importing pcodedmp: No module named 'pcodedmp'
DEBUG    pcodedmp OK
DEBUG    Keywords extracted from P-code: []
INFO     Error processing file /home/ocoutu/Downloads/invoice_number.doc (can't concat str to bytes)
Traceback (most recent call last):
  File "olevba.py", line 3891, in process_file
    self.run_analysis(show_decoded_strings=show_decoded_strings, deobfuscate=deobfuscate)
  File "olevba.py", line 3787, in run_analysis
    self.analyze_macros(show_decoded_strings, deobfuscate)
  File "olevba.py", line 3411, in analyze_macros
    for (_, _, _, vba_code) in self.extract_all_macros():
  File "olevba.py", line 3390, in extract_all_macros
    for (subfilename, stream_path, vba_filename, vba_code) in self.extract_macros():
  File "olevba.py", line 3374, in extract_macros
    if self.detect_vba_stomping():
  File "olevba.py", line 3735, in detect_vba_stomping
    vba_code_all_modules += vba_code + '\n'
TypeError: can't concat str to bytes
DEBUG    Traceback:
Traceback (most recent call last):
  File "olevba.py", line 3891, in process_file
    self.run_analysis(show_decoded_strings=show_decoded_strings, deobfuscate=deobfuscate)
  File "olevba.py", line 3787, in run_analysis
    self.analyze_macros(show_decoded_strings, deobfuscate)
  File "olevba.py", line 3411, in analyze_macros
    for (_, _, _, vba_code) in self.extract_all_macros():
  File "olevba.py", line 3390, in extract_all_macros
    for (subfilename, stream_path, vba_filename, vba_code) in self.extract_macros():
  File "olevba.py", line 3374, in extract_macros
    if self.detect_vba_stomping():
  File "olevba.py", line 3735, in detect_vba_stomping
    vba_code_all_modules += vba_code + '\n'
TypeError: can't concat str to bytes
DEBUG    Checking for encryption (after exception)
DEBUG    is_encrypted
DEBUG    Checking for encryption using msoffcrypto
ERROR    Error processing file /home/ocoutu/Downloads/invoice_number.doc (can't concat str to bytes)!
Traceback (most recent call last):
  File "olevba.py", line 3891, in process_file
    self.run_analysis(show_decoded_strings=show_decoded_strings, deobfuscate=deobfuscate)
  File "olevba.py", line 3787, in run_analysis
    self.analyze_macros(show_decoded_strings, deobfuscate)
  File "olevba.py", line 3411, in analyze_macros
    for (_, _, _, vba_code) in self.extract_all_macros():
  File "olevba.py", line 3390, in extract_all_macros
    for (subfilename, stream_path, vba_filename, vba_code) in self.extract_macros():
  File "olevba.py", line 3374, in extract_macros
    if self.detect_vba_stomping():
  File "olevba.py", line 3735, in detect_vba_stomping
    vba_code_all_modules += vba_code + '\n'
TypeError: can't concat str to bytes

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "olevba.py", line 4187, in process_file
    vba_parser.process_file(show_decoded_strings=options.show_decoded_strings,
  File "olevba.py", line 3977, in process_file
    raise ProcessingError(self.filename, exc)
ProcessingError: Error processing file /home/ocoutu/Downloads/invoice_number.doc (can't concat str to bytes)
DEBUG    will exit now with code 6

Version information:

  • OS: Ubuntu 20.04 64 bits
  • Python version: 3.8.2
  • oletools version: 0.56dev6

Additional context
might be related to #477
@decalage2 decalage2 self-assigned this Jul 29, 2020
@decalage2 decalage2 added this to the oletools 0.56 milestone Jul 29, 2020
@albrechtd
Copy link

I see the same issue with several Malware files using the release version olevba 0.55 on Python 3.7.3.

@iwfratz
Copy link

iwfratz commented Aug 10, 2020

Your malware sample does not follow the specification. :-)
So it is not a problem of olevba, use instead the command line option --relaxed to ignore the error.

BUT, there is a issue with this command line option, see issue #596 "command line option --relaxed not working" (and PR #595 "fixed command line option --relaxed")

@martinvonwittich martinvonwittich mentioned this issue Aug 11, 2020
Closed
@decalage2
Copy link
Owner

A similar issue has been reported with recent Emotet samples:
https://twitter.com/James_inthe_box/status/1305530062909784065
https://app.any.run/tasks/30c42eb0-443c-4105-9a62-44e00da4cef3/
image

@ghanashyams
Copy link

Following is an issue with release version of 0.55 oletools for many malware samples.

File "olevba.py", line 3735, in detect_vba_stomping
vba_code_all_modules += vba_code + '\n'
TypeError: can't concat str to bytes

Would be great if a patch fix can be organised on 0.55

@decalage2
Copy link
Owner

@ghanashyams this is a different issue, see #455. I'll try to fix both soon.

@gvdijnsen
Copy link

I can confirm that this is actively being abused by malware senders at an alarming rate now. I run a spam filtering business and I see thousands of these each day.

@ghanashyams
Copy link

ghanashyams commented Sep 15, 2020
edited
Loading

I made an workaround to avoid this issue and scan ok in my environment. As @gvdijnsen said, yes malware authors are really abusing this loophole.

decalage2 added a commit that referenced this issue Sep 15, 2020
@decalage2
olevba: enabled --relaxed by default, until a solution is found to is…
be57af2 
…sue #593
@decalage2
Copy link
Owner

I am looking for a fix for this issue, but it's not straightforward. In the meantime, I enabled the option "relaxed" by default, which prevents the issue from being triggered. So please use the latest dev version from github if possible.

c-rosenberg pushed a commit to HeinleinSupport/oletools that referenced this issue Sep 16, 2020
@decalage2 @c-rosenberg
olevba: enabled --relaxed by default, until a solution is found to is…
2108372 
…sue decalage2#593
@decalage2
Copy link
Owner

I finally found the bug and fixed it: see #455 (comment)

decalage2 added a commit that referenced this issue Sep 16, 2020
@decalage2
olevba: enabled relaxed mode by default (issues #477, #593), fixed de…
e7e7f97 
…tect_vba_macros to always return VBA code as unicode on Python 3 (issues #455, #477, #587, #593)
@ghanashyams
Copy link

@decalage2 Instead of decoding using codepage 1252, how about finding the encoding of vba_code_bytes using chardet package and then decoding using correct encoding. chardet has very probability of finding the encoding.

import chardet
result = chardet.detect(vba_code_bytes)
charenc = result['encoding']

@decalage2
Copy link
Owner

@ghanashyams I also thought about using chardet, but I'm hesitant to add yet another dependency, just for this corner case. I need to test it with several samples that trigger the bug and do not use code page 1252 (which is rare).

@ghanashyams
Copy link

ghanashyams commented Sep 19, 2020
edited
Loading

@decalage2 Pl. see following stack and if this can be fixed too, sample 0078fae36152dda270609a143aa492798288c232c43f9331dfea29251569cdfe is available in VT.
Same error even if I try with --relaxed cmdline option.

python olevba.py 0078fae36152dda270609a143aa492798288c232c43f9331dfea29251569cdfe
Traceback (most recent call last):
File "olevba.py", line 3907, in process_file
self.run_analysis(show_decoded_strings=show_decoded_strings, deobfuscate=deobfuscate)
File "olevba.py", line 3803, in run_analysis
self.analyze_macros(show_decoded_strings, deobfuscate)
File "olevba.py", line 3427, in analyze_macros
for (_, _, _, vba_code) in self.extract_all_macros():
File "olevba.py", line 3406, in extract_all_macros
for (subfilename, stream_path, vba_filename, vba_code) in self.extract_macros():
File "olevba.py", line 3390, in extract_macros
if self.detect_vba_stomping():
File "olevba.py", line 3751, in detect_vba_stomping
vba_code_all_modules += vba_code + '\n'
TypeError: unsupported operand type(s) for +: 'NoneType' and 'str'

@decalage2
Copy link
Owner

@ghanashyams if this error is triggered with the latest dev version from github, then it's a different bug. Please open a separate issue, and attach the sample in a zip with password (I do not have VT access). Thanks! 👍

@ghanashyams
Copy link

@decalage2 Yes error is triggered with latest dev version. I have created a separate issue, #619

c-rosenberg pushed a commit to HeinleinSupport/oletools that referenced this issue Sep 28, 2020
@decalage2 @c-rosenberg
olevba: enabled relaxed mode by default (issues decalage2#477, decala…
cf96444 
…ge2#593), fixed detect_vba_macros to always return VBA code as unicode on Python 3 (issues  decalage2#455, decalage2#477, decalage2#587, decalage2#593)
@decalage2
Copy link
Owner

This issue is now fixed in oletools 0.56.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@decalage2 decalage2

Labels
🐛 bug olevba
Projects
None yet
Milestone
oletools 0.56
Development

No branches or pull requests
6 participants
@gvdijnsen @decalage2 @LeMurphant @iwfratz @albrechtd @ghanashyams