Skip to content

Parsing error " ValueError: negative seek value " while parsing sample with olevba 0.60.2 #869

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ghanashyams opened this issue Mar 5, 2025 · 2 comments
Open

Parsing error " ValueError: negative seek value " while parsing sample with olevba 0.60.2 #869

ghanashyams opened this issue Mar 5, 2025 · 2 comments
Assignees
@decalage2
Labels
🐛 bug olevba
Milestone
oletools 0.60

Comments

@ghanashyams
Copy link

ghanashyams commented Mar 5, 2025
edited
Loading

21585355498.zip

Affected tool: olevba

Describe the bug
The sample with hash 108519732a9e9c01e4a708c97c016ce31704178648b74b3155a8b91cd7fdde07 (available on VirusTotal) is not parsed and not handled correctly by olevba, exception raised . Detailed stack trace of parsing issue is as below:

C:\Windows\System32>olevba C:\samples\108519732a9e9c01e4a708c97c016ce31704178648b74b3155a8b91cd7fdde07

olevba 0.60.2 on Python 3.8.19 - http://decalage.info/python/oletools
ERROR Unhandled exception in main: negative seek value -147
Traceback (most recent call last):
File "C:\ProgramData\anaconda3\envs\py38ole60\lib\site-packages\oletools\olevba.py", line 4670, in main
curr_return_code = process_file(filename, data, container, options)
File "C:\ProgramData\anaconda3\envs\py38ole60\lib\site-packages\oletools\olevba.py", line 4473, in process_file
vba_parser = VBA_Parser_CLI(filename, data=data, container=container,
File "C:\ProgramData\anaconda3\envs\py38ole60\lib\site-packages\oletools\olevba.py", line 4032, in init
super(VBA_Parser_CLI, self).init(*args, **kwargs)
File "C:\ProgramData\anaconda3\envs\py38ole60\lib\site-packages\oletools\olevba.py", line 2757, in init
self.ftg = ftguess.FileTypeGuesser(self.filename, data=data)
File "C:\ProgramData\anaconda3\envs\py38ole60\lib\site-packages\oletools\ftguess.py", line 845, in init
if FType_Generic_OpenXML.recognize(self):
File "C:\ProgramData\anaconda3\envs\py38ole60\lib\site-packages\oletools\ftguess.py", line 405, in recognize
root_rels = ftg.zipfile.read('_rels/.rels')
File "C:\ProgramData\anaconda3\envs\py38ole60\lib\zipfile.py", line 1483, in read
with self.open(name, "r", pwd) as fp:
File "C:\ProgramData\anaconda3\envs\py38ole60\lib\zipfile.py", line 1538, in open
fheader = zef_file.read(sizeFileHeader)
File "C:\ProgramData\anaconda3\envs\py38ole60\lib\zipfile.py", line 765, in read
self._file.seek(self._pos)
ValueError: negative seek value -147

File/Malware sample to reproduce the bug
Sample attached password - infected

How To Reproduce the bug
command to scan -> olevba 108519732a9e9c01e4a708c97c016ce31704178648b74b3155a8b91cd7fdde07

Expected behavior
Should not cause exception.

Console output / Screenshots
If applicable, add screenshots to help explain your problem.
Use the option "-l debug" to add debugging information, if possible.

Version information:

  • OS: Windows/Linux/
  • OS version: x.xx - 64 bits
  • Python version: 3.8
  • oletools version: 0.60.2

Additional context
Add any other context about the problem here.
@decalage2 decalage2 self-assigned this Mar 8, 2025
@decalage2 decalage2 added this to the oletools 0.60 milestone Mar 8, 2025
@ghanashyams
Copy link
Author

ghanashyams commented Apr 10, 2025
edited
Loading

maybe this will solve your problem click

pl paste the code snippet or text that you feel could help. The link u asked to click seem to be malicious as per VT.

Image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@decalage2 decalage2

Labels
🐛 bug olevba
Projects
None yet
Milestone
oletools 0.60
Development

No branches or pull requests
3 participants
@decalage2 @ghanashyams and others