Commit ae46dbd0f0775ab3cfaea40835203b641496b81e
1 parent
c64d6972
correct bug in olevba with strrevese string
Showing
1 changed file
with
6 additions
and
4 deletions
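--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -1933,8 +1933,8 @@ class VBA_Scanner(object):
 # join long lines ending with " _":
 self.code = vba_collapse_long_lines(vba_code)
 self.code_hex = b''
-self.code_hex_rev = ''
-self.code_rev_hex = ''
+self.code_hex_rev = b''
+self.code_rev_hex = b''
 self.code_base64 = b''
 self.code_dridex = ''
 self.code_vba = ''
@@ -1972,9 +1972,9 @@ class VBA_Scanner(object):
 # if the code contains "StrReverse", also append the hex strings in reverse order:
 if self.strReverse:
 # StrReverse after hex decoding:
-self.code_hex_rev += '\n' + decoded[::-1]
+self.code_hex_rev += b'\n' + decoded[::-1]
 # StrReverse before hex decoding:
-self.code_rev_hex += '\n' + binascii.unhexlify(encoded[::-1])
+self.code_rev_hex += b'\n' + binascii.unhexlify(encoded[::-1])
 #example: https://malwr.com/analysis/NmFlMGI4YTY1YzYyNDkwNTg1ZTBiZmY5OGI3YjlhYzU/
 #TODO: also append the full code reversed if StrReverse? (risk of false positives?)
 # Detect Base64-encoded strings
@@ -2006,6 +2006,8 @@ class VBA_Scanner(object):
 (self.code_dridex, 'Dridex'),
 (self.code_vba, 'VBA expression'),
 ):
+if isinstance(code,bytes):
+code=code.decode('utf-8','replace')
 self.autoexec_keywords += detect_autoexec(code, obfuscation)
 self.suspicious_keywords += detect_suspicious(code, obfuscation)
 self.iocs += detect_patterns(code, obfuscation)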
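Review bot: The decode added before the `detect_*` calls in the last hunk is lossy. With `'replace'`, every byte that is not valid UTF-8 becomes U+FFFD, so a string recovered from a hex or Base64 payload can reach `detect_patterns` altered, and the reported IOC text may then differ from what the macro really decodes to. If the supported interpreters allow it (decoding with this handler needs Python 3.5+), `code = code.decode('utf-8', 'backslashreplace')` keeps undecodable bytes visible as escapes. It would also help to add a comment such as `# decoded payloads are arbitrary bytes; normalise to str for the keyword/IOC regexes`. If this file must still run on Python 2, where `bytes` is `str`, the branch would also turn the plain VBA source into unicode, which is worth confirming. The `for` loop header is outside the hunk, so the full set of buffers passing through this branch is not visible here.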