extract_form_strings() not parsing data from "f" (form) streamΒ #443
Description
Affected tool:
olevba
Describe the bug
extract_form_strings() attempts to parse strings out of a form's "o" object stream, but not the "f" (form) stream. Recent Emotet doc samples are storing data in the ControlTipText in the "f" streams.
File/Malware sample to reproduce the bug
https://www.hybrid-analysis.com/sample/ff70948e53b3125d6019c6aec7af9e0c9dcdac12e3c3e1a4087f54ab07c3a610?environmentId=100
How To Reproduce the bug
Use extract_form_strings() on the above document. The data in the "f" stream is not parsed.
Expected behavior
Olevba extract_form_strings() should parse both the "f" and "o" streams for strings.