diff --git a/oletools/ftguess.py b/oletools/ftguess.py
index 3b7bd73..9368b40 100644
--- a/oletools/ftguess.py
+++ b/oletools/ftguess.py
@@ -518,14 +518,14 @@ class FTYpe_Excel(FType_Base):
 name = 'MS Excel (generic)'
 longname = 'MS Excel Workbook or Template (generic)'
-class FType_Excel97(FTYpe_Excel):
+class FType_Excel97(FTYpe_Excel, FType_Generic_OLE):
 filetype = FTYPE.EXCEL97
 name = 'MS Excel 97 Workbook'
 longname = 'MS Excel 97-2003 Workbook or Template'
 CLSIDS = ('00020820-0000-0000-C000-000000000046',)
 extensions = ['xls', 'xlt', 'xla']
-class FType_Excel5(FTYpe_Excel):
+class FType_Excel5(FTYpe_Excel, FType_Generic_OLE):
 filetype = FTYPE.EXCEL5
 name = 'MS Excel 5.0/95 Workbook'
 longname = 'MS Excel 5.0/95 Workbook, Template or Add-in'
@@ -533,7 +533,7 @@ class FType_Excel5(FTYpe_Excel):
 extensions = ['xls', 'xlt', 'xla']
 # TODO: this CLSID is also used in Excel addins (.xla) saved by MS Excel 365
-class FTYpe_Excel2007(FTYpe_Excel):
+class FTYpe_Excel2007(FTYpe_Excel, FType_Generic_OpenXML):
 'Base class for all MS Excel 2007 file types'
 name = 'MS Excel 2007+ (generic)'
 longname = 'MS Excel 2007+ Workbook or Template (generic)'
diff --git a/oletools/oleid.py b/oletools/oleid.py
index e322b92..48fe8ce 100644
--- a/oletools/oleid.py
+++ b/oletools/oleid.py
@@ -100,6 +100,7 @@ if _parent_dir not in sys.path:
 from oletools.thirdparty.tablestream import tablestream
 from oletools import crypto, ftguess, olevba, mraptor
 from oletools.common.log_helper import log_helper
+from oletools.common.codepages import get_codepage_name
 # === LOGGING =================================================================
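Review bot: In oletools/ftguess.py the Excel classes gain a second base with nothing on the page saying what the generic base is meant to supply: `FType_Generic_OLE` for `FType_Excel97` and `FType_Excel5` in the first hunk, `FType_Generic_OpenXML` for `FTYpe_Excel2007` in the second. Because the new base is listed after `FTYpe_Excel`, anything `FTYpe_Excel` defines itself (`name` and `longname` are visible here) still wins in the method resolution order. The generic base only overrides what would otherwise come from `FType_Base`, assuming it derives from `FType_Base`; neither generic class is visible in this diff, so that should be confirmed against their definitions. A one-line comment above each class would record the intent, for example `# also derives from FType_Generic_OLE for the generic OLE container attributes; Excel-specific attributes take precedence`, with the wording adjusted to what the base really provides.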
@@ -300,23 +301,25 @@ class OleID(object): :returns: 2 :py:class:`Indicator`s (for presence of summary info and application name) or None if file was not opened """ - # TODO: use get_metadata - suminfo = Indicator('has_suminfo', False, - name='Has SummaryInformation stream') - self.indicators.append(suminfo) - appname = Indicator('appname', 'unknown', _type=str, - name='Application name') - self.indicators.append(appname) if not self.ole: - return None, None - self.suminfo_data = {} - # check stream SummaryInformation (not present e.g. in encrypted ppt) - if self.ole.exists("\x05SummaryInformation"): - suminfo.value = True - self.suminfo_data = self.ole.getproperties("\x05SummaryInformation") - # check application name: - appname.value = self.suminfo_data.get(0x12, 'unknown') - return suminfo, appname + return None + meta = self.ole.get_metadata() + appname = Indicator('appname', meta.creating_application, _type=str, + name='Application name', description='Application name declared in properties', + risk=RISK.INFO) + self.indicators.append(appname) + codepage_name = None + if meta.codepage is not None: + codepage_name = '{}: {}'.format(meta.codepage, get_codepage_name(meta.codepage)) + codepage = Indicator('codepage', codepage_name, _type=str, + name='Properties code page', description='Code page used for properties', + risk=RISK.INFO) + self.indicators.append(codepage) + author = Indicator('author', meta.author, _type=str, + name='Author', description='Author declared in properties', + risk=RISK.INFO) + self.indicators.append(author) + return appname, codepage, author def get_indicator(self, indicator_id): """Helper function: returns an indicator if present (or None)""" 
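Review bot: The return contract changes here while the docstring still promises two indicators (summary info presence and application name). The early exit now returns a bare `None` instead of `None, None`, and the success path returns three indicators, so a caller that unpacks two values would fail on both paths. The `has_suminfo` indicator and `self.suminfo_data` are dropped as well; callers and the start of the method are outside this hunk, so anything that still reads them needs checking. Separately, `meta.creating_application` and `meta.author` come straight from the analysed document, so they are attacker-controlled and may be `None` or (as far as I can tell from olefile) undecoded bytes despite `_type=str`. I would normalise them before storing, decoding with the declared code page and escaping non-printable characters, so metadata cannot carry control sequences into terminal or report output, and update the docstring to say `3 Indicators (application name, code page, author) or None if the file was not opened`.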
@@ -471,7 +474,12 @@ class OleID(object): """ vba_indicator = Indicator(_id='vba', value='No', _type=str, name='VBA Macros', description='This file does not contain VBA macros.', - risk=RISK.NONE) + risk=RISK.NONE, hide_if_false=False) + if self.ftg.filetype == ftguess.FTYPE.RTF: + # For RTF we don't call olevba otherwise it triggers an error + vba_indicator.description = 'RTF files cannot contain VBA macros' + self.indicators.append(vba_indicator) + return vba_indicator try: vba_parser = olevba.VBA_Parser(filename=self.filename, data=self.data) if vba_parser.detect_vba_macros():
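Review bot: The new early return reports value `'No'` with `RISK.NONE` purely on `self.ftg.filetype == ftguess.FTYPE.RTF`, so the macro check is skipped whenever the type guess says RTF, and the description reads as a stronger guarantee than the code establishes. An RTF document has no VBA project of its own but can embed OLE objects, which this indicator does not look at. I would word it as `'RTF files cannot contain VBA macros directly; embedded OLE objects are not checked by this indicator'`. The comment says olevba "triggers an error" on RTF; if that error is one the `try` below already catches, handling it there would keep the scan running for files that ftguess misclassifies, but the handler is outside this hunk, so this is a question rather than a finding. The method starts before and continues after the hunk, and the hunk does not show whether `self.ftg` can be unset at this point.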