Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

An ERROR occurs in olevba when parsing a simple .xlsm. #808

Closed
yuichi-github opened this issue Feb 27, 2023 · 3 comments · Fixed by #723
Closed

An ERROR occurs in olevba when parsing a simple .xlsm. #808

yuichi-github opened this issue Feb 27, 2023 · 3 comments · Fixed by #723
Assignees
@decalage2
Labels
🐛 bug olevba
Milestone
oletools 0.60

Comments

@yuichi-github
Copy link

yuichi-github commented Feb 27, 2023
edited
Loading

Affected tool:
olevba

Describe the bug
An ERROR occurs in olevba when parsing a simple .xlsm.
Any support is highly appreciated.

Error Details 
# olevba book1.xlsm
olevba 0.60.1 on Python 3.10.6 - http://decalage.info/python/oletools
===============================================================================
FILE: book1.xlsm
Type: OpenXML
WARNING  invalid value for PROJECTLCID_Id expected 0002 got 004A
WARNING  invalid value for PROJECTLCID_Lcid expected 0409 got 0003
WARNING  invalid value for PROJECTLCIDINVOKE_Id expected 0014 got 0002
WARNING  invalid value for PROJECTCODEPAGE_Id expected 0003 got 0014
WARNING  invalid value for PROJECTCODEPAGE_Size expected 0002 got 0004
WARNING  invalid value for PROJECTNAME_Id expected 0004 got 0000
ERROR    PROJECTNAME_SizeOfProjectName value not in range [1-128]: 131075
ERROR    Error in _extract_vba
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/oletools/olevba.py", line 3526, in extract_macros
    for stream_path, vba_filename, vba_code in \
  File "/usr/local/lib/python3.10/dist-packages/oletools/olevba.py", line 2094, in _extract_vba
    project = VBA_Project(ole, vba_root, project_path, dir_path, relaxed)
  File "/usr/local/lib/python3.10/dist-packages/oletools/olevba.py", line 1752, in __init__
    projectdocstring_id = struct.unpack("<H", dir_stream.read(2))[0]
struct.error: unpack requires a buffer of 2 bytes
WARNING  For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook 
in file: xl/vbaProject.bin - OLE stream: 'ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Private Sub Workbook_Open()
End Sub
-------------------------------------------------------------------------------
VBA MACRO Sheet1 
in file: xl/vbaProject.bin - OLE stream: 'Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(empty macro)
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Workbook_Open       |Runs when the Excel Workbook is opened       |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+

File/Malware sample to reproduce the bug
password: simple
Book1.zip

How To Reproduce the bug
Invoke the command below.
olevba book1.xlsm

Expected behavior
Parsing successfully.

Console output / Screenshots
See the 'Describe the bug' section

Version information:

  • OS: Linux
  • OS version: Ubuntu 22.04 (Windows WSL 1.0.3.0-64 bits)
  • Python version: 3.10.6
  • oletools version: 0.60.1
  • Excel: Microsoft Excel for Microsoft 365 MSO (Version 2208 Build 16.0.15601.20446) 64 bits

Additional context
@yuichi-github yuichi-github changed the title An ERROR occurs in olevba when parsing a simple .xslm. An ERROR occurs in olevba when parsing a simple .xlsm. Feb 27, 2023
@zin-htet-aung
Copy link

I also get same error.

OS : "Kali GNU/Linux"
VERSION="2022.4"
olevba version : 0.60.1 ```

WARNING  invalid value for PROJECTLCID_Id expected 0002 got 004A
WARNING  invalid value for PROJECTLCID_Lcid expected 0409 got 0002
WARNING  invalid value for PROJECTLCIDINVOKE_Id expected 0014 got 0002
WARNING  invalid value for PROJECTCODEPAGE_Id expected 0003 got 0014
WARNING  invalid value for PROJECTCODEPAGE_Size expected 0002 got 0004
WARNING  invalid value for PROJECTNAME_Id expected 0004 got 0000
ERROR    PROJECTNAME_SizeOfProjectName value not in range [1-128]: 131075
ERROR    Error in _extract_vba
Traceback (most recent call last):
  File "/home/user/Downloads/tools/oletools/venv/lib/python3.11/site-packages/oletools/olevba.py", line 3526, in extract_macros
    for stream_path, vba_filename, vba_code in \
  File "/home/user/Downloads/tools/oletools/venv/lib/python3.11/site-packages/oletools/olevba.py", line 2094, in _extract_vba
    project = VBA_Project(ole, vba_root, project_path, dir_path, relaxed)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/Downloads/tools/oletools/venv/lib/python3.11/site-packages/oletools/olevba.py", line 1752, in __init__
    projectdocstring_id = struct.unpack("<H", dir_stream.read(2))[0]
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
struct.error: unpack requires a buffer of 2 bytes

@decalage2 decalage2 self-assigned this Mar 5, 2023
@decalage2 decalage2 added this to the oletools 0.60 milestone Mar 5, 2023
@takeruko takeruko mentioned this issue Mar 14, 2023
Closed
@gjvdkamp
Copy link

gjvdkamp commented Jan 28, 2024
edited
Loading

Hi, getting this error too, any idea how to get around this?

olevba 0.60.1 on Python 3.11.6 - http://decalage.info/python/oletools
===============================================================================
FILE: 20231212 Trial Balance Pull.xlsm
Type: OpenXML
WARNING  invalid value for PROJECTLCID_Id expected 0002 got 004A
WARNING  invalid value for PROJECTLCID_Lcid expected 0409 got 0004
WARNING  invalid value for PROJECTLCIDINVOKE_Id expected 0014 got 0002
WARNING  invalid value for PROJECTCODEPAGE_Id expected 0003 got 0014
WARNING  invalid value for PROJECTCODEPAGE_Size expected 0002 got 0004
WARNING  invalid value for PROJECTNAME_Id expected 0004 got 0000
ERROR    PROJECTNAME_SizeOfProjectName value not in range [1-128]: 131075
ERROR    Error in _extract_vba
Traceback (most recent call last):
  File "C:\Users\Gert-JanvanderKamp\AppData\Local\Programs\Python\Python311\Lib\site-packages\oletools\olevba.py", line 3526, in extract_macros
    for stream_path, vba_filename, vba_code in \
  File "C:\Users\Gert-JanvanderKamp\AppData\Local\Programs\Python\Python311\Lib\site-packages\oletools\olevba.py", line 2094, in _extract_vba
    project = VBA_Project(ole, vba_root, project_path, dir_path, relaxed)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\Gert-JanvanderKamp\AppData\Local\Programs\Python\Python311\Lib\site-packages\oletools\olevba.py", line 1752, in __init__
    projectdocstring_id = struct.unpack("<H", dir_stream.read(2))[0]
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
struct.error: unpack requires a buffer of 2 bytes
WARNING  For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO Main 
in file: xl/vbaProject.bin - OLE stream: 'Main'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Option Explicit

Sub buttonGetOrg()
'Button to get organisation list

@gjvdkamp gjvdkamp mentioned this issue Jan 30, 2024
Merged
@decalage2
Copy link
Owner

Fixed by PR #723

@decalage2 decalage2 linked a pull request Jan 31, 2024 that will close this issue
olevba: add projectcompatversion record #723
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@decalage2 decalage2

Labels
🐛 bug olevba
Projects
None yet
Milestone
oletools 0.60
Development

Successfully merging a pull request may close this issue.

olevba: add projectcompatversion record kijeong/oletools
4 participants
@gjvdkamp @decalage2 @yuichi-github @zin-htet-aung