Error in marptor

Question

Error in marptor

FS-Code-zz opened this issue 2 years ago · 4 comments

Affected tool:
mraptor

Console output / Screenshots

"option "-l debug" is not use"

C:\Users\Frank>mraptor D:\Daten\WINXX\Exel\KontoFrank.xls
MacroRaptor 0.56.2 - http://decalage.info/python/oletools
This is work in progress, please report issues at https://github.com/decalage2/oletools/issues
----------+-----+----+--------------------------------------------------------
Result |Flags|Type|File
----------+-----+----+--------------------------------------------------------
WARNING invalid value for PROJECTLCID_Id expected 0002 got 004A
WARNING invalid value for PROJECTLCID_Lcid expected 0409 got 0004
WARNING invalid value for PROJECTLCIDINVOKE_Id expected 0014 got 0002
WARNING invalid value for PROJECTCODEPAGE_Id expected 0003 got 0014
WARNING invalid value for PROJECTCODEPAGE_Size expected 0002 got 0004
WARNING invalid value for PROJECTNAME_Id expected 0004 got 0000
ERROR PROJECTNAME_SizeOfProjectName value not in range [1-128]: 131075
ERROR Error in _extract_vba
Traceback (most recent call last):
File "C:\Users\Frank\AppData\Local\Programs\Python\Python311\Lib\site-packages\oletools\olevba.py", line 3526, in extract_macros
for stream_path, vba_filename, vba_code in
File "C:\Users\Frank\AppData\Local\Programs\Python\Python311\Lib\site-packages\oletools\olevba.py", line 2094, in _extract_vba
project = VBA_Project(ole, vba_root, project_path, dir_path, relaxed)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\Frank\AppData\Local\Programs\Python\Python311\Lib\site-packages\oletools\olevba.py", line 1752, in init
projectdocstring_id = struct.unpack("<H", dir_stream.read(2))[0]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
struct.error: unpack requires a buffer of 2 bytes
SUSPICIOUS|AWX |OLE:|D:\Daten\WINXX\Exel\KontoFrank.xls

Flags: A=AutoExec, W=Write, X=Execute
Exit code: 20 - SUSPICIOUS

Version information:

OS: Windows
OS version: 21H2 - 64 bits
Python version: 3.11 - 64 bits
oletools -60.1

Additional context
Add any other context about the problem here.

Answer 1 · 2022-11-07T13:44:35.000Z

Hi Frank, could you please share the sample which triggers this error? Either please upload a password-protected file here (using any password but "infected"), or a link to a sandbox where the file can be downloaded (e.g. bazaar.abuse.ch, hybrid-analysis or similar).

Answer 2 · 2022-11-07T18:28:20.000Z

Hi Philippe, the file that was producing the error is one of my XLS files with VBA code that I wrote or recorded myself. There is no virus or other malicious code in this file. I'm happy to leave the file with you, but I will delete the data in the tables because they contain sensitive data about my finances. I will not assign a password. I hope this helps in maintaining your really good script. m.f.g. Frank Von: Philippe Lagadec ***@***.***> Gesendet: Montag, 7. November 2022 14:45 An: decalage2/oletools ***@***.***> Cc: FS-Code-zz ***@***.***>; Author ***@***.***> Betreff: Re: [decalage2/oletools] Error in marptor (Issue #791) Hi Frank, could you please share the sample which triggers this error? Either please upload a password-protected file here (using any password but "infected"), or a link to a sandbox where the file can be downloaded (e.g. bazaar.abuse.ch, hybrid-analysis or similar). — Reply to this email directly, view it on GitHub <#791 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AOYTY2MDGATVHCWKNTOFW5DWHEBU5ANCNFSM6AAAAAARYKNYJE> . You are receiving this because you authored the thread.Message ID: ***@***.***>

Answer 3 · 2022-11-08T08:40:15.000Z

Otherwise you can send it by email to decalage {at} laposte {dot} net.

Answer 4 · 2024-01-31T13:49:46.000Z

Fixed by PR #723