detect_vba_macros() false positives?

Question

detect_vba_macros() false positives?

Opened this issue 4 months ago · 2 comments

Affected tool:
olevba

Describe the bug
I'm using the olevba Python module to process files from multiple source. I'm using the following code to detect interesting files (with macros):

if vbaparser.detect_vba_macros():
   do_more_stuff()

Many files are detected as containing macros even if they don't contain valid OLE streams.

Is there another way to properly detect the presence of VBA macros?

Answer 1 · 2024-05-20T22:08:06.000Z

Hi @xme, indeed the method detect_vba_macros only checks for the presence of specific storages (folders) in the structure of OLE files, or streams with specific bytes that are found in VBA projects. So it will return True if a file contains those storages or streams, even if the VBA project streams are corrupt. (this may happen when a document is "cleaned" by some antivirus, for example)

Maybe you can try get_vba_code_all_modules or extract_all_macros? It will attempt to parse and decompress all VBA modules. If there is some output and no error then there's a good chance that there is a valid VBA project in the file.
But it looks like exceptions are caught, so not sure you will actually get errors... 🤔

Answer 2 · 2024-05-21T05:35:33.000Z

Tx! I'll investigate this way!