[BUG] ScanEncryptedDoc not Processing Known Encrypted Sample #278

Open
ryanohoro opened this issue Jan 9, 2023 · 0 comments
Labels
bug Something isn't working

Describe the bug

When running the fixture src/python/strelka/tests/fixtures/test_password.doc through oneshot with the current backend configuration, ScanEncryptedDoc does not process it as would be expected.

Steps to reproduce

./strelka-oneshot -f src/python/strelka/tests/fixtures/test_password.doc  -l -
{
    "file": {
        "depth": 0,
        "flavors": {
            "mime": ["application/msword"],
            "yara": ["olecf_file"]
        },
        "scanners": ["ScanEntropy", "ScanExiftool", "ScanFooter", "ScanHash", "ScanHeader", "ScanOle", "ScanVba", "ScanYara"],
        "size": 51200,
        "tree": {
            "node": "daf99d7c-0455-4d97-9f32-6c1d3f00a0cd",
            "root": "daf99d7c-0455-4d97-9f32-6c1d3f00a0cd"
        }
    },
    "request": {
        "attributes": {
            "filename": "src/python/strelka/tests/fixtures/test_password.doc"
        },
        "client": "go-oneshot",
        "id": "daf99d7c-0455-4d97-9f32-6c1d3f00a0cd",
        "source": "ubuntu",
        "time": 1673283356
    }
}

Expected behavior

{
    "file": {
        "depth": 0,
        "flavors": {
            "mime": ["application/msword"],
            "yara": ["olecf_file"]
        },
        "scanners": ["ScanEncryptedDoc", "ScanEntropy", "ScanExiftool", "ScanFooter", "ScanHash", "ScanHeader", "ScanOle", "ScanVba", "ScanYara"],
        "size": 51200,
        "tree": {
            "node": "daf99d7c-0455-4d97-9f32-6c1d3f00a0cd",
            "root": "daf99d7c-0455-4d97-9f32-6c1d3f00a0cd"
        }
    },
    "request": {
        "attributes": {
            "filename": "src/python/strelka/tests/fixtures/test_password.doc"
        },
        "client": "go-oneshot",
        "id": "daf99d7c-0455-4d97-9f32-6c1d3f00a0cd",
        "source": "ubuntu",
        "time": 1673283356
    }
}

Screenshots

Release

  • Release: 0.22.12.08

Additional context

Linux file accurately identifies the old-style Word document as password-protected.

file src/python/strelka/tests/fixtures/test_password.doc

test_password.doc: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Ryan.OHoro, Template: Normal.dotm, Last Saved By: Ryan.OHoro, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Tue Dec 20 04:28:00 2022, Last Saved Time/Date: Tue Dec 20 04:28:00 2022, Number of Pages: 1, Number of Words: 430, Number of Characters: 2452, Security: 1
@phutelmyer phutelmyer added the bug Something isn't working label Jan 12, 2023
@phutelmyer phutelmyer changed the title ScanEncryptedDoc not Processing Known Encrypted Sample [BUG] ScanEncryptedDoc not Processing Known Encrypted Sample Feb 7, 2023
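
As an added example (not part of the original issue or the Strelka code base), the mismatch reported above can be checked mechanically: decode the `Security` field that `file` prints and compare it with the `scanners` list in the Strelka event. The helper names and the trimmed sample strings are constructed for illustration; the flag values follow the OLE SummaryInformation document-security property.

```python
import json
import re

# Bit flags of the SummaryInformation document-security property,
# which `file` prints as "Security: N".
DOC_SECURITY_FLAGS = {
    0x1: "password_protected",
    0x2: "read_only_recommended",
    0x4: "read_only_enforced",
    0x8: "locked_for_annotations",
}


def security_flags(file_output):
    """Decode the 'Security: N' field of `file` output into flag names."""
    m = re.search(r"\bSecurity:\s*(\d+)", file_output)
    if m is None:
        return None  # field absent: no summary property was reported
    value = int(m.group(1))
    return [name for bit, name in DOC_SECURITY_FLAGS.items() if value & bit]


def missed_encrypted_doc(file_output, strelka_event, scanner="ScanEncryptedDoc"):
    """True when `file` reports password protection but the scanner never ran."""
    flags = security_flags(file_output) or []
    ran = strelka_event.get("file", {}).get("scanners", [])
    return "password_protected" in flags and scanner not in ran


# Constructed samples, trimmed from the outputs quoted in the issue.
FILE_OUTPUT = ("test_password.doc: Composite Document File V2 Document, "
               "Little Endian, Os: Windows, Version 10.0, Security: 1")
ACTUAL = json.loads('{"file": {"flavors": {"mime": ["application/msword"], '
                    '"yara": ["olecf_file"]}, "scanners": ["ScanEntropy", '
                    '"ScanOle", "ScanVba", "ScanYara"]}}')
EXPECTED = json.loads('{"file": {"scanners": ["ScanEncryptedDoc", "ScanOle"]}}')

if __name__ == "__main__":
    print(security_flags(FILE_OUTPUT))
    print(missed_encrypted_doc(FILE_OUTPUT, ACTUAL))
    print(missed_encrypted_doc(FILE_OUTPUT, EXPECTED))
```
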