olevba: Excel Macros (.xls & .xlsm) falsely flag as containing Hex Strings & Suspicious Keywords
Affected tool: olevba
Describe the bug
olevba flags Excel macro-enabled documents (.xls & .xlsm) as containing suspicious hex strings and suspicious keywords on any document scanned - using olevba 0.55.dev3 or 0.54.2 on Python 3.7.4
How To Reproduce the bug
- Create an Excel macro with nothing other than the below function:
    Private Sub Workbook_Open()
        MsgBox "This is fun"
    End Sub
- Run olevba. '--decode' shows the Hex Strings being flagged, '--triage' shows Hex Strings and Suspicious Keywords being flagged:
    olevba --decode
    olevba --triage
Console output / Screenshots


Version information:
- OS: Windows 10
- OS version: v1903 (OS Build 18362.418)
- Python version: 3.7.4 - 64 bits
- oletools version: olevba 0.55.dev3 or 0.54.2
1, While running the olevba.py script I am getting the above error, and I am using the updated oletools version. Is a fix available, or is there any way to fix this issue?
Hi, the hex strings detection is not perfect and it can often trigger false positives when there are large numbers somewhere in the code. Quite often, this is due to numbers that appear in the VBA attributes at the beginning of a macro, and those attributes are hidden by default. Please run this command to confirm if this is the case:
olevba --attr --decode <your file>
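An added illustration of the false positive described in the reply above (not part of the thread and not olevba's own code). The pattern is an assumed approximation of a hex-string heuristic, and the attribute lines are a constructed sample of what Excel typically stores for ThisWorkbook; the helper separates hits in attribute lines from hits in the macro body.

```python
import re
from binascii import unhexlify

# Assumption: a generic "4 or more hex byte pairs" heuristic, written for this
# example; it approximates a hex-string detector and is not olevba's code.
HEX_RUN = re.compile(r'(?:[0-9A-Fa-f]{2}){4,}')

# Constructed sample: the reporter's macro preceded by attribute lines of the
# kind Excel stores for ThisWorkbook (hidden unless --attr is given).
SAMPLE_VBA = '''Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
    MsgBox "This is fun"
End Sub
'''


def hex_hits(vba_source):
    """Return (line_no, is_attribute_line, matched_text, decoded_bytes) per hit."""
    hits = []
    for n, line in enumerate(vba_source.splitlines(), 1):
        is_attr = line.lstrip().lower().startswith('attribute ')
        for m in HEX_RUN.finditer(line):
            hits.append((n, is_attr, m.group(), unhexlify(m.group())))
    return hits


def split_hits(vba_source):
    """Partition hits into (attribute-line hits, macro-code hits)."""
    hits = hex_hits(vba_source)
    return [h for h in hits if h[1]], [h for h in hits if not h[1]]


if __name__ == '__main__':
    attr, code = split_hits(SAMPLE_VBA)
    for n, _, text, raw in attr:
        print(f'attribute line {n}: {text} -> {raw!r}')
    print(f'hits in macro code: {len(code)}')
```

Every hit on the sample comes from the class GUID in the `VB_Base` attribute, which is why a macro containing only a `MsgBox` call can still be reported as holding hex strings.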
Thanks for your reply. I have created a simple macro-enabled file, and the output is below as requested.
Any update on this issue @decalage2?
I am receiving the same output. In addition, the Base64 decoding incorrectly shows the sheet name as suspicious.
Version information:
- OS: Ubuntu
- OS version: 22.04.3 LTS
- Python version: 3.10.12
- oletools version: 0.60.1