Commit 3764d73b300b71994249dc4d17ca997516da4ce8
1 parent
0062b0f2
oleid: fixed XLM macro detection, added OleID.file_on_disk
Showing
1 changed file
with
22 additions
and
10 deletions
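--- a/oletools/oleid.py
+++ b/oletools/oleid.py
@@ -230,7 +230,9 @@ class OleID(object):
 """
 if filename is None and data is None:
 raise ValueError('OleID requires either a file path or file data, or both')
+self.file_on_disk = False # True = file on disk / False = file in memory
 if data is None:
+self.file_on_disk = True # useful for some check that don't work in memory
 with open(filename, 'rb') as f:
 self.data = f.read()
 self.data_bytesio = io.BytesIO(self.data)
@@ -531,16 +533,26 @@ class OleID(object):
 vba_indicator.risk = RISK.ERROR
 vba_indicator.value = 'Error'
 vba_indicator.description = 'Error while checking VBA macros: %s' % str(e)
-if vba_parser is not None:
-try:
-if vba_parser.detect_xlm_macros():
-xlm_indicator.value = 'Yes'
-xlm_indicator.risk = RISK.MEDIUM
-xlm_indicator.description = 'This file contains XLM macros. Use olevba to analyse them.'
-except Exception as e:
-xlm_indicator.risk = RISK.ERROR
-xlm_indicator.value = 'Error'
-xlm_indicator.description = 'Error while checking XLM macros: %s' % str(e)
+# Check XLM macros only for Excel file types:
+if self.ftg.is_excel():
+# TODO: for now XLM detection only works for files on disk... So we need to reload VBA_Parser from the filename
+# To be improved once XLMMacroDeobfuscator can work on files in memory
+if self.file_on_disk:
+try:
+vba_parser = olevba.VBA_Parser(filename=self.filename)
+if vba_parser.detect_xlm_macros():
+xlm_indicator.value = 'Yes'
+xlm_indicator.risk = RISK.MEDIUM
+xlm_indicator.description = 'This file contains XLM macros. Use olevba to analyse them.'
+except Exception as e:
+xlm_indicator.risk = RISK.ERROR
+xlm_indicator.value = 'Error'
+xlm_indicator.description = 'Error while checking XLM macros: %s' % str(e)
+else:
+xlm_indicator.risk = RISK.UNKNOWN
+xlm_indicator.value = 'Unknown'
+xlm_indicator.description = 'For now, XLM macros can only be detected for files on disk, not in memory'
+
 return vba_indicator, xlm_indicator
 
 def check_flash(self):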
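Review bot: In the second hunk, the XLM branch builds a new `olevba.VBA_Parser(filename=self.filename)` and rebinds `vba_parser` to it, and no `close()` call is visible before the `return`, so the new parser (and the earlier one, if it was still open) may keep a handle on the sample file. A separate name with explicit cleanup would avoid that: `xlm_parser = olevba.VBA_Parser(filename=self.filename)` plus `finally: xlm_parser.close()`. The re-parse also reads the path again instead of the bytes already held in `self.data`, so the XLM result can describe different content from the other indicators if the file changed after the constructor read it; a comment next to the TODO should say so. Callers that pass `data` now get `RISK.UNKNOWN` for Excel files, which is worth stating in the `OleID` docstring so in-memory scanners do not read it as "no XLM macros". The method containing this hunk starts outside the visible lines.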