From 57e730fad2001adbdda994037c3053df1e946c81 Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Thu, 7 May 2026 12:33:52 +0200
Subject: [PATCH] fix: binja embedded PE yields FileOffsetAddress via segment data_offset

carve_pe returns offsets into a raw byte buffer read from the segment. Convert to file offset using the segment's data_offset rather than emitting a virtual address.
---
 capa/features/extractors/binja/file.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/capa/features/extractors/binja/file.py b/capa/features/extractors/binja/file.py
index 9ca96ec7..69aafd23 100644
--- a/capa/features/extractors/binja/file.py
+++ b/capa/features/extractors/binja/file.py
@@ -46,7 +46,8 @@ def check_segment_for_pe(bv: BinaryView, seg: Segment) -> Iterator[tuple[Feature
 buf = bv.read(seg.start, seg.length)
 for offset, _ in capa.features.extractors.helpers.carve_pe(buf, start):
- yield Characteristic("embedded pe"), AbsoluteVirtualAddress(seg.start + offset)
+ if offset < seg.data_length:
+ yield Characteristic("embedded pe"), FileOffsetAddress(seg.data_offset + offset)
 def extract_file_embedded_pe(bv: BinaryView) -> Iterator[tuple[Feature, Address]]:
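Review bot: The new `if offset < seg.data_length:` guard drops a carved hit silently, and nothing in the hunk says why, so a reader cannot tell that an offset past the file-backed part of the segment presumably has no file offset to report. A comment above it such as `# bytes past seg.data_length are not backed by the file, so there is no file offset to emit` would record that; `buf` is still read with `seg.length`, so reading only `seg.data_length` bytes may make the guard unnecessary if the two can differ here. The diffstat shows no import change, so `FileOffsetAddress` has to be in scope in file.py already, which is worth confirming. No test accompanies the change; one asserting the address type and value of the `embedded pe` feature for a known sample would pin the location analysts use to find the payload on disk. The body of check_segment_for_pe starts outside the hunk.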