Incorrect OLE FAT, sector out of range (Odd malware sample) Sort of related to #27

Issue #30 resolved
Rathernot Say
created an issue

Hello,

Seems like the malware creators are intentionally modifying code to evade this analysis.

The sample is malicious (no password on the ZIP); it's in about all the sandboxes (VirusTotal, etc.).

No tools have been able to extract / detect the VBA code that I can see with a hex editor.

When using olefile 0.43 I get this error:

olefile version 0.43 2016-02-02 - http://www.decalage.info/en/olefile

ERROR    Error while parsing file 'MALWARE.doc'
Traceback (most recent call last):
  File "C:\Users\admin\Desktop\TEST\Maybe_me\oletools-0.46 & olefile-0.43\thirdparty\olefile\olefile.py", line 2321, in <module>
    ole = OleFileIO(filename)#, raise_defects=DEFECT_INCORRECT)
  File "C:\Users\admin\Desktop\TEST\Maybe_me\oletools-0.46 & olefile-0.43\thirdparty\olefile\olefile.py", line 1168, in __init__
    self.open(filename, write_mode=write_mode)
  File "C:\Users\admin\Desktop\TEST\Maybe_me\oletools-0.46 & olefile-0.43\thirdparty\olefile\olefile.py", line 1434, in open
    self.loaddirectory(self.first_dir_sector)#i32(header, 48))
  File "C:\Users\admin\Desktop\TEST\Maybe_me\oletools-0.46 & olefile-0.43\thirdparty\olefile\olefile.py", line 1767, in loaddirectory
    self.directory_fp = self._open(sect)
  File "C:\Users\admin\Desktop\TEST\Maybe_me\oletools-0.46 & olefile-0.43\thirdparty\olefile\olefile.py", line 1858, in _open
    filesize=self._filesize)
  File "C:\Users\admin\Desktop\TEST\Maybe_me\oletools-0.46 & olefile-0.43\thirdparty\olefile\olefile.py", line 789, in __init__
    raise IOError('incorrect OLE FAT, sector index out of range')
IOError: incorrect OLE FAT, sector index out of range

PS: thank you for all your work on this code (it's the most robust tool I've found).

Comments (7)

  1. Philippe Lagadec repo owner

    Hi @Rathernot Say, I partly fixed this issue in the latest commits. Now olefile can parse a file with an incomplete directory and incomplete streams, like your sample.

    However, it is strange that MS Word accepts this file and even finds the VBA macros, because due to the incomplete directory, the streams containing macros are orphans. MS Word should not see them.

  2. Philippe Lagadec repo owner

    I also opened the file in MS Word 2003: the document is opened without any error message. But when I look at the VB editor (Alt+F11), no VBA code shows up. When I open the Macros window (Alt+F8), I see the names of 4 VBA macros, but nothing happens when I click on the edit button.

    It would be good to test it with Word 2007-2016, just to confirm it's the same behaviour.

    So I believe the document is incomplete, and its malicious payload is not effective. Nevertheless, the new version of olefile allows access to all the content (streams) that is still readable, without raising an exception.

  3. Philippe Lagadec repo owner

    Now I can confirm that the file is incomplete: the original sample is https://www.hybrid-analysis.com/sample/2a5f89cab2db1a1e75e24f50728993e682c12bbfad635c06119452ebe5572efa?environmentId=4

    The stream containing the macro code is incomplete, therefore it is not possible for olevba or oledump to extract the code. This is also why the macro cannot run in MS Word.

    However, I fixed olefile to read streams as much as possible without raising an exception by default.
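The "sector index out of range" error above comes from a sector number in the OLE header pointing past the end of the file, which is exactly what a truncated sample looks like. The following triage check is an added example, not olefile's code or anything posted in this thread: it reads only the 512-byte OLE2 header with `struct`, counts how many sectors the file actually contains, and reports whether the first directory sector and the FAT sectors listed in the header are reachable. The header builder and the two byte blobs are constructed for the demo, not taken from the sample.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT = 0xFFFFFFFF
ENDOFCHAIN = 0xFFFFFFFE

def check_ole_truncation(data):
    """Return a list of findings; an empty list means every sector index in the
    header points inside the file, so the directory (and its streams) is reachable."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        return ["not an OLE2 file (bad magic or shorter than the 512-byte header)"]
    sector_shift, = struct.unpack_from("<H", data, 0x1E)
    sector_size = 1 << sector_shift
    num_fat_sectors, first_dir_sector = struct.unpack_from("<II", data, 0x2C)
    # Sectors that actually exist after the header (same count olefile derives from the file size).
    num_sectors = max(0, (len(data) + sector_size - 1) // sector_size - 1)
    findings = []
    if first_dir_sector >= num_sectors:
        findings.append("first directory sector %d out of range (file has %d sectors): "
                        "directory and all streams are unreachable" % (first_dir_sector, num_sectors))
    # The header holds the first 109 FAT sector indexes (DIFAT); each must be in range too.
    for i in range(min(num_fat_sectors, 109)):
        sect, = struct.unpack_from("<I", data, 0x4C + 4 * i)
        if sect != FREESECT and sect >= num_sectors:
            findings.append("FAT sector %d (DIFAT entry %d) out of range" % (sect, i))
    return findings

def build_header(first_dir_sector, fat_sectors, sector_shift=9):
    """Constructed minimal OLE2 header (not from a real sample) for the demo below."""
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    # minor version, major version, byte order (little-endian), sector shift, mini sector shift
    struct.pack_into("<HHHHH", hdr, 0x18, 0x003E, 0x0003, 0xFFFE, sector_shift, 6)
    struct.pack_into("<II", hdr, 0x2C, len(fat_sectors), first_dir_sector)
    struct.pack_into("<I", hdr, 0x38, 4096)            # mini stream cutoff size
    struct.pack_into("<II", hdr, 0x3C, ENDOFCHAIN, 0)  # no mini FAT
    struct.pack_into("<II", hdr, 0x44, ENDOFCHAIN, 0)  # no extra DIFAT sectors
    for i in range(109):
        sect = fat_sectors[i] if i < len(fat_sectors) else FREESECT
        struct.pack_into("<I", hdr, 0x4C + 4 * i, sect)
    return bytes(hdr)

# Constructed samples: FAT in sector 0, directory in sector 1.
# The truncated one stops after sector 0, so the directory sector is missing.
TRUNCATED_SAMPLE = build_header(1, [0]) + b"\x00" * 512
COMPLETE_SAMPLE = build_header(1, [0]) + b"\x00" * 1024

if __name__ == "__main__":
    for name, blob in (("truncated", TRUNCATED_SAMPLE), ("complete", COMPLETE_SAMPLE)):
        print(name, check_ole_truncation(blob) or ["ok"])
```

A non-empty result for a document that a sandbox still flags is a useful triage signal: the file may be cut off rather than deliberately obfuscated, which is consistent with the macro stream being unextractable here.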
