Error with PE32 file #354

@aoshiken

While analyzing a PE32 malware file exiftool throws the following error:

github/exiftool$ ./exiftool /tmp/malware.exe.xxx
'x' outside of string in unpack at lib/Image/ExifTool.pm line 5927.

Find detailed info below:

github/exiftool$ git log
commit 2b14d194b18c61e9ecb9e01093eeac889cb169de (HEAD -> master, tag: 13.37, origin/master, origin/HEAD)
Author: exiftool <exiftool@users.sourceforge.net>
Date:   Mon Sep 22 10:26:48 2025 -0400

    Update to 13.37

github/exiftool$ ./exiftool -v /tmp/malware.exe.xxx
  ExifToolVersion = 13.37
  FileName = malware.exe.xxx
  Directory = /tmp
  FileSize = 296960
  FileModifyDate = 1758607677
  FileAccessDate = 1758607688
  FileInodeChangeDate = 1758607677
  FilePermissions = 33188
  FileType = Win32 EXE
  FileTypeExtension = EXE
  MIMEType = application/octet-stream
  + [BinaryData directory, 244 bytes]
  | MachineType = 332
  | TimeStamp = 1083684495
  | ImageFileCharacteristics = 783
  | PEType = 267
  | LinkerVersion = 6 0
  | CodeSize = 118784
  | InitializedDataSize = 28672
  | UninitializedDataSize = 147456
  | EntryPoint = 157782
  | OSVersion = 4 0
  | ImageVersion = 0 0
  | SubsystemVersion = 4 0
  | Subsystem = 2
Unknown (0x800003d0) resource:
Bitmap resource:
Icon resource:
Menu resource:
Dialog resource:
Accelerator resource:
Group Icon resource:
Version resource:
  + [BinaryData directory, 52 bytes]
  | FileVersionNumber = 48 172 225 53133
  | ProductVersionNumber = 67 59 72 36672
  | FileFlagsMask = 63
  | FileFlags = 40
  | FileOS = 14221316
  | ObjectFileType = 1
  | FileSubtype = 0
  LanguageCode = 0409
  CharacterSet = 04B0
  Comments = dearth fevered
  CompanyName = zoneLINK
  FileDescription = dots exceptionally
  FileVersion = 150, 68, 33, 35
  InternalName = coasted desperately
  LegalCopyright = capitalist flushes
  LegalTrademarks = censure foreigners
  OriginalFileName = erratic.exe
  PrivateBuild = convicting
  ProductName = dwindle flickered
  ProductVersion = 239, 100, 116, 108
  SpecialBuild = fish
'x' outside of string in unpack at lib/Image/ExifTool.pm line 5927.

It's malware, so take care. I'm sharing it 7-zipped with its extension renamed to '.xxx' at https://gofile.io/d/GLUM2Q

The 7z password is E.X%iftoo13$

Many thanks for your work, man.
