
Multiple issues extracting macro. #623

Closed
tlansec opened this issue Sep 28, 2020 · 5 comments

Comments

@tlansec

tlansec commented Sep 28, 2020

Affected tool:
olevba

Describe the bug
OleVBA fails to extract embedded macro in document due to multiple errors.

File/Malware sample to reproduce the bug
https://hybrid-analysis.com/sample/bbe0ecfae4eea9b798676c8a898b034bfbc63c712e83dbc0338dc793c7490fe9

How To Reproduce the bug
λ olevba bbe0ecfae4eea9b798676c8a898b034bfbc63c712e83dbc0338dc793c7490fe9.MLWR

Expected behavior
It should extract the macros, but it fails for a number of reasons - the errors are a mix of:

  1. Not finding an expected marker in PROJECTDOCSTRING_Id &&
  2. Parts of the code where it attempts to concat a bytestring and a string.

Resolving part 2) is trivial but I'm unsure on part 1.

Console output / Screenshots

olevba 0.55.1 on Python 3.6.8 - http://decalage.info/python/oletools
===============================================================================
FILE: bbe0ecfae4eea9b798676c8a898b034bfbc63c712e83dbc0338dc793c7490fe9.MLWR
Type: OLE
ERROR    Error in _extract_vba
Traceback (most recent call last):
  File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\site-packages\oletools\olevba.py", line 3304, in extract_macros
    dir_path, self.relaxed):
  File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\site-packages\oletools\olevba.py", line 2059, in _extract_vba
    project = VBA_Project(ole, vba_root, project_path, dir_path, relaxed=False)
  File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\site-packages\oletools\olevba.py", line 1721, in __init__
    self.check_value('PROJECTDOCSTRING_Id', 0x0005, projectdocstring_id)
  File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\site-packages\oletools\olevba.py", line 1956, in check_value
    raise UnexpectedDataError(self.dir_path, name, expected, value)
oletools.olevba.UnexpectedDataError: Unexpected value in Macros/VBA/dir for variable PROJECTDOCSTRING_Id: expected 0005 but found 0072!
Error: unpack_from requires a buffer of at least 2 bytes.
Error: unpack_from requires a buffer of at least 4 bytes.
Error: unpack_from requires a buffer of at least 4 bytes.
ERROR    Error processing file bbe0ecfae4eea9b798676c8a898b034bfbc63c712e83dbc0338dc793c7490fe9.MLWR (can't concat str to bytes)!
Traceback (most recent call last):
  File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\site-packages\oletools\olevba.py", line 3851, in process_file
    self.run_analysis(show_decoded_strings=show_decoded_strings, deobfuscate=deobfuscate)
  File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\site-packages\oletools\olevba.py", line 3749, in run_analysis
    self.analyze_macros(show_decoded_strings, deobfuscate)
  File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\site-packages\oletools\olevba.py", line 3386, in analyze_macros
    for (_, _, _, vba_code) in self.extract_all_macros():
  File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\site-packages\oletools\olevba.py", line 3365, in extract_all_macros
    for (subfilename, stream_path, vba_filename, vba_code) in self.extract_macros():
  File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\site-packages\oletools\olevba.py", line 3349, in extract_macros
    if self.detect_vba_stomping():
  File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\site-packages\oletools\olevba.py", line 3697, in detect_vba_stomping
    vba_code_all_modules += vba_code + '\n'
TypeError: can't concat str to bytes

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\site-packages\oletools\olevba.py", line 4147, in process_file
    deobfuscate=options.deobfuscate, pcode=options.pcode)
  File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\site-packages\oletools\olevba.py", line 3936, in process_file
    raise ProcessingError(self.filename, exc)
oletools.olevba.ProcessingError: Error processing file bbe0ecfae4eea9b798676c8a898b034bfbc63c712e83dbc0338dc793c7490fe9.MLWR (can't concat str to bytes)

Version information:

  • OS: Windows 10
  • OS version: /64 bits
  • Python version: 3.6.8 64bit
  • oletools version: 0.55.1

Additional context

Nope!

@decalage2
Owner

I think this is a duplicate of #455 and if so, it has been fixed in the latest dev version. Will check and update this.

@decalage2 decalage2 self-assigned this Sep 28, 2020
@decalage2 decalage2 added this to the oletools 0.56 milestone Sep 28, 2020
@tlansec
Author

tlansec commented Sep 28, 2020

OK - thanks for the fast response.

Cheers,
Tom

@decalage2
Owner

Unfortunately the sample cannot be downloaded from hybrid-analysis.com, and I cannot find it elsewhere. Could you please make it downloadable on HA, or else upload it here in a password-protected zip? Thanks.
Otherwise if you confirm it works fine with oletools 0.56 I'll just close the issue.

@tlansec
Author

tlansec commented Oct 21, 2020

Hello,

Apologies for that - I uploaded it to HA and had done so deliberately in order to create this issue - it should allow you to download the sample if you have a public account.

In terms of how it works, it does produce an error but also produces some valid output:

λ olevba bbe0ecfae4eea9b798676c8a898b034bfbc63c712e83dbc0338dc793c7490fe9.MLWR
olevba 0.56 on Python 3.6.8 - http://decalage.info/python/oletools
===============================================================================
FILE: bbe0ecfae4eea9b798676c8a898b034bfbc63c712e83dbc0338dc793c7490fe9.MLWR
Type: OLE
ERROR    invalid value for PROJECTDOCSTRING_Id expected 0005 got 0072
...
[valid output]

This might be because it looks like that particular sample has been messed around with by AV vendors removing macro code.

I think the warning message is probably OK, but perhaps the error message should be debug/warning? In any case, the original ticket can now be closed.

Cheers,
Tom

@decalage2
Owner

decalage2 commented Oct 21, 2020

I do have a HA account, but the sample is tagged as not downloadable.
The error message you get with 0.56 is indeed a warning: since version 0.56 it does not stop the analysis. I changed it to log a warning instead of an error in the next release.
I confirm it's a duplicate of issue #455, so I'm closing it. In any case, thanks for reporting the issue.
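The thread above describes two independent failure modes in the macro extractor: a strict header check that aborts the whole analysis when a record Id is not the expected one (0x0005 expected, 0x0072 found), and a `str`/`bytes` mix-up when module sources are concatenated for the stomping check. The following is an added example, not oletools code, that shows how a defensive reader handles both: a strict/relaxed value check, a truncated-buffer check that replaces the bare `unpack_from requires a buffer of at least N bytes` message, and a concatenation that normalizes module source to text. The record layout (Id as u16 LE, Size as u32 LE, then Size bytes of payload), the function names and the sample stream are all assumptions made for the example; real MS-OVBA records differ in detail.

```python
"""Added example (not oletools code): a minimal record reader showing the two
failure modes from the report above, handled defensively.

Assumed record layout (a simplification, not the real MS-OVBA structure):
    Id (u16 little-endian) | Size (u32 little-endian) | Size bytes of payload
"""
import logging
import struct

log = logging.getLogger(__name__)


class UnexpectedDataError(ValueError):
    """Raised in strict mode when a record Id is not the expected one."""


def check_value(name, expected, value, relaxed):
    """Strict mode aborts on a mismatch (the behaviour seen in the 0.55.1
    traceback); relaxed mode logs a warning and continues (the behaviour the
    maintainer describes for 0.56). Returns True when the value matched."""
    if value == expected:
        return True
    msg = "invalid value for %s expected %04X got %04X" % (name, expected, value)
    if not relaxed:
        raise UnexpectedDataError(msg)
    log.warning(msg)
    return False


def read_record(buf, offset, name, expected_id, relaxed):
    """Read one Id/Size/payload record and return (payload, next_offset).

    Length checks run before struct.unpack_from so that a truncated or
    AV-mangled stream produces a message naming the record and offset
    instead of struct's generic 'requires a buffer of at least N bytes'."""
    header_size = 6
    if len(buf) - offset < header_size:
        raise ValueError("%s: truncated record header at offset %d" % (name, offset))
    rec_id, size = struct.unpack_from("<HI", buf, offset)
    check_value(name, expected_id, rec_id, relaxed)
    start = offset + header_size
    if len(buf) - start < size:
        raise ValueError("%s: payload of %d bytes runs past end of stream" % (name, size))
    return buf[start:start + size], start + size


def concat_modules(modules):
    """Join module sources whether each arrived as bytes or str.

    Mixing the two is exactly what raised "can't concat str to bytes" in
    detect_vba_stomping; decoding up front makes the join type-safe.
    latin-1 is chosen here because it maps every byte, so nothing is lost."""
    out = ""
    for code in modules:
        if isinstance(code, bytes):
            code = code.decode("latin-1")
        out += code + "\n"
    return out


# Constructed sample stream: one record whose Id is 0x0072 where 0x0005 is
# expected, mimicking the report's "expected 0005 got 0072".
SAMPLE_STREAM = struct.pack("<HI", 0x0072, 3) + b"abc"


def parse_sample(relaxed):
    """Read the sample's first record in strict or relaxed mode."""
    payload, _ = read_record(SAMPLE_STREAM, 0, "PROJECTDOCSTRING_Id", 0x0005, relaxed)
    return payload


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("relaxed:", parse_sample(True))
    try:
        parse_sample(False)
    except UnexpectedDataError as exc:
        print("strict:", exc)
    print(concat_modules([b"Sub A()", "End Sub"]))
```

Run with the relaxed flag to see the warning logged and the payload still returned; strict mode stops at the first mismatch, which is the trade-off the maintainer resolved in favour of continuing the analysis.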
