[clamav-users] Sigtool parsing issues
David Shrimpton
d.shrimpton at its.uq.edu.au
Thu Aug 18 07:58:56 UTC 2016
On Tue, 16 Aug 2016, Jack wrote:
> Hello,
>
> I am attempting to dissect a document’s macros using sigtool, but am running into a problem. Nothing is being returned when the following command is run:
>
> $ sigtool --vba '237b81cda8251aac11eaa28387765e6dd165664aa87563a6bce5951dd5ca4de3.bin'
The document isn't a zip file, is it? (Or some other file containing the OLE2 file?)
The Microsoft Word 2007+ file I had the same error with was a zip archive, so
I had to do a zipinfo to find the vba file, which is the OLE2 file,
then extract that with:
unzip file.doc word/vbaProject.bin
Then run
sigtool --vba=word/vbaProject.bin > macros
sigtool was just failing because the Microsoft Word 2007+ file was not an OLE2 file.
clamav succeeds as it extracts the OLE2 file from the zip.
oledump must be able to extract the OLE2 file from the zip as well.
The same problem occurs with .docx files, which are zip files, but not with .doc
files, which are 'CDF V2 Document' files, i.e. the OLE2 file itself.
--
David Shrimpton
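The check described in the reply above, written out as an added example in Python (it is not part of the list post and not ClamAV's own code): sniff the leading bytes to tell an OLE2 (CDF V2) document from a zip-based Word 2007+ document, pull word/vbaProject.bin out of the zip when needed, and only then hand a file to sigtool --vba=. The function names and the header-only OLE2 sample produced by build_samples() are constructed for this example.

```python
# Added example, not code from the list post: find the OLE2 container that
# sigtool --vba expects (a .docx/.docm zip hides it in word/vbaProject.bin).
import shutil, subprocess, tempfile, zipfile
from pathlib import Path

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # CDF V2 / OLE2 header
ZIP_MAGIC = b"PK\x03\x04"                          # zip local file header
VBA_PART = "word/vbaProject.bin"                   # macro container in OOXML

def classify(path):
    """Return 'ole2', 'zip' or 'unknown' from the file's leading bytes."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    return "zip" if head.startswith(ZIP_MAGIC) else "unknown"

def ole2_for_sigtool(path, workdir=None):
    """Path of an OLE2 file to hand to sigtool --vba=, or None if there is none."""
    kind = classify(path)
    if kind == "ole2":
        return path                      # .doc: already what sigtool wants
    if kind != "zip":
        return None
    with zipfile.ZipFile(path) as zf:
        if VBA_PART not in zf.namelist():
            return None                  # OOXML without macros
        data = zf.read(VBA_PART)
    if not data.startswith(OLE2_MAGIC):
        return None                      # part present but not an OLE2 file
    out = Path(workdir or tempfile.mkdtemp(prefix="vba-")) / "vbaProject.bin"
    out.write_bytes(data)
    return str(out)

def dump_macros(path):
    """Run sigtool --vba= on the right file; its stdout, or None if not possible."""
    target = ole2_for_sigtool(path)
    if target is None or shutil.which("sigtool") is None:
        return None
    return subprocess.run(["sigtool", "--vba=" + target], capture_output=True, text=True).stdout

def build_samples():
    """Constructed inputs: a fake .docm zip and a bare OLE2 file (header only)."""
    workdir = Path(tempfile.mkdtemp(prefix="samples-"))
    fake_ole2 = OLE2_MAGIC + b"\x00" * 24
    docm, doc = workdir / "m.docm", workdir / "m.doc"
    with zipfile.ZipFile(docm, "w") as zf:
        zf.writestr(VBA_PART, fake_ole2)
    doc.write_bytes(fake_ole2)
    return str(docm), str(doc)
```

dump_macros() returns None when sigtool is not on PATH, so the extraction step can be exercised without ClamAV installed.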