Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

An ERROR occurs in olevba when parsing a simple .xlsm. #808

Closed
yuichi-github opened this issue Feb 27, 2023 · 3 comments · Fixed by #723
Closed

An ERROR occurs in olevba when parsing a simple .xlsm. #808

yuichi-github opened this issue Feb 27, 2023 · 3 comments · Fixed by #723
Assignees
@decalage2
Labels
🐛 bug olevba
Milestone
oletools 0.60

Comments

@yuichi-github
Copy link

yuichi-github commented Feb 27, 2023
edited
Loading

Affected tool:
olevba

Describe the bug
An ERROR occurs in olevba when parsing a simple .xlsm.
Any support is highly appreciated.

Error Details 
# olevba book1.xlsm
olevba 0.60.1 on Python 3.10.6 - http://decalage.info/python/oletools
===============================================================================
FILE: book1.xlsm
Type: OpenXML
WARNING  invalid value for PROJECTLCID_Id expected 0002 got 004A
WARNING  invalid value for PROJECTLCID_Lcid expected 0409 got 0003
WARNING  invalid value for PROJECTLCIDINVOKE_Id expected 0014 got 0002
WARNING  invalid value for PROJECTCODEPAGE_Id expected 0003 got 0014
WARNING  invalid value for PROJECTCODEPAGE_Size expected 0002 got 0004
WARNING  invalid value for PROJECTNAME_Id expected 0004 got 0000
ERROR    PROJECTNAME_SizeOfProjectName value not in range [1-128]: 131075
ERROR    Error in _extract_vba
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/oletools/olevba.py", line 3526, in extract_macros
    for stream_path, vba_filename, vba_code in \
  File "/usr/local/lib/python3.10/dist-packages/oletools/olevba.py", line 2094, in _extract_vba
    project = VBA_Project(ole, vba_root, project_path, dir_path, relaxed)
  File "/usr/local/lib/python3.10/dist-packages/oletools/olevba.py", line 1752, in __init__
    projectdocstring_id = struct.unpack("<H", dir_stream.read(2))[0]
struct.error: unpack requires a buffer of 2 bytes
WARNING  For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook 
in file: xl/vbaProject.bin - OLE stream: 'ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Private Sub Workbook_Open()
End Sub
-------------------------------------------------------------------------------
VBA MACRO Sheet1 
in file: xl/vbaProject.bin - OLE stream: 'Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(empty macro)
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Workbook_Open       |Runs when the Excel Workbook is opened       |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+

File/Malware sample to reproduce the bug
password: simple
Book1.zip

How To Reproduce the bug
Invoke the command below.
olevba book1.xlsm

Expected behavior
Parsing successfully.

Console output / Screenshots
See the 'Describe the bug' section

Version information:

  • OS: Linux
  • OS version: Ubuntu 22.04 (Windows WSL 1.0.3.0-64 bits)
  • Python version: 3.10.6
  • oletools version: 0.60.1
  • Excel: Microsoft Excel for Microsoft 365 MSO (Version 2208 Build 16.0.15601.20446) 64 bits

Additional context
@yuichi-github yuichi-github changed the title An ERROR occurs in olevba when parsing a simple .xslm. An ERROR occurs in olevba when parsing a simple .xlsm. Feb 27, 2023
@zin-htet-aung
Copy link

I also get same error.

OS : "Kali GNU/Linux"
VERSION="2022.4"
olevba version : 0.60.1 ```

WARNING  invalid value for PROJECTLCID_Id expected 0002 got 004A
WARNING  invalid value for PROJECTLCID_Lcid expected 0409 got 0002
WARNING  invalid value for PROJECTLCIDINVOKE_Id expected 0014 got 0002
WARNING  invalid value for PROJECTCODEPAGE_Id expected 0003 got 0014
WARNING  invalid value for PROJECTCODEPAGE_Size expected 0002 got 0004
WARNING  invalid value for PROJECTNAME_Id expected 0004 got 0000
ERROR    PROJECTNAME_SizeOfProjectName value not in range [1-128]: 131075
ERROR    Error in _extract_vba
Traceback (most recent call last):
  File "/home/user/Downloads/tools/oletools/venv/lib/python3.11/site-packages/oletools/olevba.py", line 3526, in extract_macros
    for stream_path, vba_filename, vba_code in \
  File "/home/user/Downloads/tools/oletools/venv/lib/python3.11/site-packages/oletools/olevba.py", line 2094, in _extract_vba
    project = VBA_Project(ole, vba_root, project_path, dir_path, relaxed)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/Downloads/tools/oletools/venv/lib/python3.11/site-packages/oletools/olevba.py", line 1752, in __init__
    projectdocstring_id = struct.unpack("<H", dir_stream.read(2))[0]
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
struct.error: unpack requires a buffer of 2 bytes

@decalage2 decalage2 self-assigned this Mar 5, 2023
@decalage2 decalage2 added this to the oletools 0.60 milestone Mar 5, 2023
@takeruko takeruko mentioned this issue Mar 14, 2023
Closed
@gjvdkamp
Copy link

gjvdkamp commented Jan 28, 2024
edited
Loading

Hi, getting this error too, any idea how to get around this?

olevba 0.60.1 on Python 3.11.6 - http://decalage.info/python/oletools
===============================================================================
FILE: 20231212 Trial Balance Pull.xlsm
Type: OpenXML
WARNING  invalid value for PROJECTLCID_Id expected 0002 got 004A
WARNING  invalid value for PROJECTLCID_Lcid expected 0409 got 0004
WARNING  invalid value for PROJECTLCIDINVOKE_Id expected 0014 got 0002
WARNING  invalid value for PROJECTCODEPAGE_Id expected 0003 got 0014
WARNING  invalid value for PROJECTCODEPAGE_Size expected 0002 got 0004
WARNING  invalid value for PROJECTNAME_Id expected 0004 got 0000
ERROR    PROJECTNAME_SizeOfProjectName value not in range [1-128]: 131075
ERROR    Error in _extract_vba
Traceback (most recent call last):
  File "C:\Users\Gert-JanvanderKamp\AppData\Local\Programs\Python\Python311\Lib\site-packages\oletools\olevba.py", line 3526, in extract_macros
    for stream_path, vba_filename, vba_code in \
  File "C:\Users\Gert-JanvanderKamp\AppData\Local\Programs\Python\Python311\Lib\site-packages\oletools\olevba.py", line 2094, in _extract_vba
    project = VBA_Project(ole, vba_root, project_path, dir_path, relaxed)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\Gert-JanvanderKamp\AppData\Local\Programs\Python\Python311\Lib\site-packages\oletools\olevba.py", line 1752, in __init__
    projectdocstring_id = struct.unpack("<H", dir_stream.read(2))[0]
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
struct.error: unpack requires a buffer of 2 bytes
WARNING  For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO Main 
in file: xl/vbaProject.bin - OLE stream: 'Main'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Option Explicit

Sub buttonGetOrg()
'Button to get organisation list

@gjvdkamp gjvdkamp mentioned this issue Jan 30, 2024
Merged
@decalage2
Copy link
Owner

Fixed by PR #723

@decalage2 decalage2 linked a pull request Jan 31, 2024 that will close this issue
olevba: add projectcompatversion record #723
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@decalage2 decalage2

Labels
🐛 bug olevba
Projects
None yet
Milestone
oletools 0.60
Development

Successfully merging a pull request may close this issue.

olevba: add projectcompatversion record kijeong/oletools
4 participants
@gjvdkamp @decalage2 @yuichi-github @zin-htet-aung