incorrect last sector index in OLE stream (related to #27?)

Issue #29 resolved
Loic Jaquemet created an issue

Hello, probably in continuation of Issue #27, another piece of malware has found a way to cause issues due to OLE stream corruption.

When using oledump.py on the attached file, the OleFileIO lib raises an error.

Careful, it is a malicious Word file. (Dridex)

olefile version: 0.43 - 2016-02-02 (double triple checked)

 python oledump.py SCAN7318_000.DOC

  1:       114 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:      6988 '1Table'
  5:       571 'Macros/PROJECT'
  6:       110 'Macros/PROJECTwm'
  7:        97 'Macros/SamboF/\x01CompObj'
  8:       289 'Macros/SamboF/\x03VBFrame'
  9:       402 'Macros/SamboF/f'
 10:       484 'Macros/SamboF/o'
 11: M   18318 'Macros/VBA/Module1'
Traceback (most recent call last):
  File "../oledump.py", line 1588, in <module>
    sys.exit(Main())
  File "../oledump.py", line 1585, in Main
    return OLEDump(args[0], options)
  File "../oledump.py", line 1472, in OLEDump
    returnCode = OLESub(ole, '', rules, options)
  File "../oledump.py", line 1266, in OLESub
    stream = ole.openstream(fname).read()
  File "/usr/local/lib/python2.7/dist-packages/olefile/olefile.py", line 1955, in openstream
    return self._open(entry.isectStart, entry.size)
  File "/usr/local/lib/python2.7/dist-packages/olefile/olefile.py", line 1858, in _open
    filesize=self._filesize)
  File "/usr/local/lib/python2.7/dist-packages/olefile/olefile.py", line 817, in __init__
    raise IOError('incorrect last sector index in OLE stream')
IOError: incorrect last sector index in OLE stream
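
In the run above, a single unreadable stream aborts the whole listing. The following is an added example, not code from olefile, oledump or the reporter: a triage loop that records the parser error per stream and keeps going. `dump_streams`, `unreadable`, `FakeOle` and the stream name `constructed/corrupt` are hypothetical; `FakeOle` only mimics the `listdir()`/`openstream()` interface of `olefile.OleFileIO` so the block runs offline.

```python
import io

def dump_streams(ole):
    """Read every stream; record parser errors per stream instead of aborting.

    `ole` is any object exposing listdir() and openstream(), for example an
    olefile.OleFileIO instance. Returns a list of (name, size, error) tuples.
    """
    results = []
    for path in ole.listdir():
        name = "/".join(path)
        try:
            data = ole.openstream(path).read()
            results.append((name, len(data), None))
        except (IOError, OSError) as exc:
            # Corrupt sector chain: keep the message as an analysis artefact.
            results.append((name, None, str(exc)))
    return results

def unreadable(results):
    """Streams the parser rejected; worth reporting, not silently skipping."""
    return [(name, err) for name, size, err in results if err is not None]

class FakeOle(object):
    """Constructed stand-in for an opened OLE file (sample data, not real)."""
    def __init__(self, streams, broken):
        self._streams = streams      # list of (name, bytes)
        self._broken = set(broken)   # names whose read should fail
    def listdir(self):
        return [name.split("/") for name, _ in self._streams]
    def openstream(self, path):
        name = "/".join(path)
        if name in self._broken:
            raise IOError("incorrect last sector index in OLE stream")
        return io.BytesIO(dict(self._streams)[name])

# Constructed sample: two readable streams around one corrupt stream.
SAMPLE = FakeOle(
    [("Macros/PROJECT", b"P" * 571),
     ("constructed/corrupt", b""),
     ("Macros/VBA/Module1", b"M" * 18318)],
    broken=["constructed/corrupt"],
)

if __name__ == "__main__":
    for name, size, err in dump_streams(SAMPLE):
        print("%-24s %s" % (name, size if err is None else "ERROR: " + err))
```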
