[BUG] ScanEncryptedDoc not Processing Known Encrypted Sample #278

@ryanohoro

Describe the bug

When running the fixture src/python/strelka/tests/fixtures/test_password.doc through oneshot with the current backend configuration, ScanEncryptedDoc does not process it, as would be expected.

Steps to reproduce

./strelka-oneshot -f src/python/strelka/tests/fixtures/test_password.doc  -l -
{
    "file": {
        "depth": 0,
        "flavors": {
            "mime": ["application/msword"],
            "yara": ["olecf_file"]
        },
        "scanners": ["ScanEntropy", "ScanExiftool", "ScanFooter", "ScanHash", "ScanHeader", "ScanOle", "ScanVba", "ScanYara"],
        "size": 51200,
        "tree": {
            "node": "daf99d7c-0455-4d97-9f32-6c1d3f00a0cd",
            "root": "daf99d7c-0455-4d97-9f32-6c1d3f00a0cd"
        }
    },
    "request": {
        "attributes": {
            "filename": "src/python/strelka/tests/fixtures/test_password.doc"
        },
        "client": "go-oneshot",
        "id": "daf99d7c-0455-4d97-9f32-6c1d3f00a0cd",
        "source": "ubuntu",
        "time": 1673283356
    }
}

Expected behavior

{
    "file": {
        "depth": 0,
        "flavors": {
            "mime": ["application/msword"],
            "yara": ["olecf_file"]
        },
        "scanners": ["ScanEncryptedDoc", "ScanEntropy", "ScanExiftool", "ScanFooter", "ScanHash", "ScanHeader", "ScanOle", "ScanVba", "ScanYara"],
        "size": 51200,
        "tree": {
            "node": "daf99d7c-0455-4d97-9f32-6c1d3f00a0cd",
            "root": "daf99d7c-0455-4d97-9f32-6c1d3f00a0cd"
        }
    },
    "request": {
        "attributes": {
            "filename": "src/python/strelka/tests/fixtures/test_password.doc"
        },
        "client": "go-oneshot",
        "id": "daf99d7c-0455-4d97-9f32-6c1d3f00a0cd",
        "source": "ubuntu",
        "time": 1673283356
    }
}

Release

  • Release: 0.22.12.08

Additional context

Linux file accurately identifies the old-style Word document as password-protected.

file src/python/strelka/tests/fixtures/test_password.doc

test_password.doc: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Ryan.OHoro, Template: Normal.dotm, Last Saved By: Ryan.OHoro, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Tue Dec 20 04:28:00 2022, Last Saved Time/Date: Tue Dec 20 04:28:00 2022, Number of Pages: 1, Number of Words: 430, Number of Characters: 2452, Security: 1
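
A coverage check for the mismatch reported above, as an added example that is not part of the original issue or the Strelka code base: it decodes the `Security:` value that file(1) prints (the OLE SummaryInformation document-security bit flags) and flags a Strelka event where a password-protected document was never assigned ScanEncryptedDoc. The function names and the trimmed sample inputs are constructed for illustration.

```python
import json
import re

# PIDSI_DOC_SECURITY bit flags from the OLE SummaryInformation stream,
# which file(1) prints as "Security: N".
SECURITY_FLAGS = {
    1: "password protected",
    2: "read-only recommended",
    4: "read-only enforced",
    8: "locked for annotations",
}


def decode_security(file_output):
    """Return the flag names set in the 'Security: N' field of file(1) output."""
    match = re.search(r"\bSecurity:\s*(\d+)", file_output)
    if match is None:
        return []
    value = int(match.group(1))
    return [name for bit, name in SECURITY_FLAGS.items() if value & bit]


def missing_encrypted_scanner(event, file_output, scanner="ScanEncryptedDoc"):
    """True when file(1) reports a password-protected OLE document but the
    Strelka event shows the scanner was never assigned to it."""
    protected = "password protected" in decode_security(file_output)
    assigned = scanner in event.get("file", {}).get("scanners", [])
    return protected and not assigned


# Constructed inputs, trimmed from the output quoted in the issue.
FILE_OUTPUT = (
    "test_password.doc: Composite Document File V2 Document, Little Endian, "
    "Os: Windows, Version 10.0, Code page: 1252, Security: 1"
)
ACTUAL = json.loads(
    '{"file": {"flavors": {"mime": ["application/msword"], "yara": ["olecf_file"]},'
    ' "scanners": ["ScanEntropy", "ScanOle", "ScanVba", "ScanYara"]}}'
)
EXPECTED = json.loads(
    '{"file": {"flavors": {"mime": ["application/msword"], "yara": ["olecf_file"]},'
    ' "scanners": ["ScanEncryptedDoc", "ScanEntropy", "ScanOle", "ScanVba", "ScanYara"]}}'
)

if __name__ == "__main__":
    print(decode_security(FILE_OUTPUT))
    print(missing_encrypted_scanner(ACTUAL, FILE_OUTPUT))
    print(missing_encrypted_scanner(EXPECTED, FILE_OUTPUT))
```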
