decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

rtfobj: should check class name when CLSID is not present #353

Open decalage2 opened 6 years ago

decalage2 commented 6 years ago

For some samples like the following, there is no CLSID and rtfobj does not detect the type of object: https://www.hybrid-analysis.com/sample/3cf7272c35aad460bd3c162e4e1499c383ac06dec02ef36e506eb50d9e84116f/5b9f46d47ca3e170d27c8508

rtfobj 0.53.1 on Python 3.6.4 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

===============================================================================
File: '3cf7272c35aad460bd3c162e4e1499c383ac06dec02ef36e506eb50d9e84116f.bin' - size: 454751 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object
---+----------+---------------------------------------------------------------
0  |0006E59Eh |format_id: 2 (Embedded)
   |          |class name: b'eQuAtIoN.3'
   |          |data size: 1273
---+----------+---------------------------------------------------------------

In that case, rtfobj should use the class name to detect well-known object types such as the MS Equation editor here (CVE-2017-11882).

decalage2 commented 5 years ago

Also, need to check class names in lowercase, because they are not case sensitive. E.g. the following code is not right:

    if rtfobj.class_name == b'OLE2Link':

decalage2 commented 5 years ago

To fully close this one, we need to have a list of class names matching each CLSID, as it is not limited to "equation.3".
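The three comments above describe one check: fall back to the class name when an object carries no CLSID, compare that name case-insensitively (and ignore NUL padding), and back it with a table mapping well-known class names to their CLSIDs so that an object can be recognised either way. The code below is an added example of how such a lookup could be written; it is not rtfobj's or oletools' own code. The table entries (Equation.3, OLE2Link, Package and the CLSIDs beside them), the helper names and the mismatch flag are assumptions for illustration and should be checked against oletools' own CLSID list before being relied on.

```python
import re
from typing import NamedTuple, Optional


class ObjectType(NamedTuple):
    """Result of identifying an embedded OLE object."""
    description: str
    clsid: Optional[str]   # canonical uppercase CLSID without braces, if known
    matched_by: str        # "clsid" or "class_name"
    mismatch: bool         # True when a supplied class name disagrees with the CLSID


# Constructed mini-table for illustration (assumed values; verify against
# oletools' own CLSID list before relying on them):
# lowercased ProgID / class name -> (description, CLSID).
KNOWN_OBJECTS = {
    b"equation.3": ("Microsoft Equation 3.0 (CVE-2017-11882 target)",
                    "0002CE02-0000-0000-C000-000000000046"),
    b"ole2link":   ("OLE2Link / StdOleLink (remote object, CVE-2017-0199 style)",
                    "00000300-0000-0000-C000-000000000046"),
    b"package":    ("Packager object (embedded arbitrary file)",
                    "F20DA720-C02F-11CE-927B-0800095AE340"),
}

# Reverse index built from the same table: CLSID -> lowercased class name.
CLSID_TO_CLASS = {clsid: name for name, (_desc, clsid) in KNOWN_OBJECTS.items()}

_CLSID_RE = re.compile(r"[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}")


def normalize_class_name(class_name: Optional[bytes]) -> bytes:
    """Canonical form of an OLE class name for case-insensitive lookup.

    ProgIDs are not case sensitive and the field is often NUL-terminated, so
    b'eQuAtIoN.3\\x00' and b'Equation.3' must compare equal."""
    if not class_name:
        return b""
    return class_name.split(b"\x00", 1)[0].strip().lower()


def normalize_clsid(clsid: Optional[str]) -> Optional[str]:
    """Uppercase, brace-less CLSID, or None if the string is not a CLSID."""
    if not clsid:
        return None
    candidate = clsid.strip().strip("{}").upper()
    return candidate if _CLSID_RE.fullmatch(candidate) else None


def identify_object(class_name: Optional[bytes] = None,
                    clsid: Optional[str] = None) -> Optional[ObjectType]:
    """Identify a well-known object type.

    The CLSID is authoritative when present. When it is absent (the case in
    the issue above) the class name is used instead. If both are present and
    point to different types, the CLSID wins but the result is flagged as a
    mismatch, which is itself worth reporting for a suspicious sample."""
    norm_clsid = normalize_clsid(clsid)
    norm_name = normalize_class_name(class_name)
    if norm_clsid in CLSID_TO_CLASS:
        key = CLSID_TO_CLASS[norm_clsid]
        mismatch = bool(norm_name) and norm_name != key
        return ObjectType(KNOWN_OBJECTS[key][0], norm_clsid, "clsid", mismatch)
    if norm_name in KNOWN_OBJECTS:
        description, known_clsid = KNOWN_OBJECTS[norm_name]
        return ObjectType(description, known_clsid, "class_name", False)
    return None


def is_ole2link(class_name: Optional[bytes]) -> bool:
    """Case-insensitive replacement for `rtfobj.class_name == b'OLE2Link'`."""
    return normalize_class_name(class_name) == b"ole2link"


if __name__ == "__main__":
    # Constructed inputs mirroring the rtfobj output quoted in the issue.
    samples = [(b"eQuAtIoN.3", None),
               (b"OLE2Link\x00", None),
               (b"Package", "{0002CE02-0000-0000-C000-000000000046}")]
    for name, clsid in samples:
        print(name, clsid, "->", identify_object(name, clsid))
```

The lookup key is always the lowercased, NUL-stripped class name, so the mixed-case b'eQuAtIoN.3' from the sample resolves to the same entry as b'Equation.3'; extending coverage is a matter of adding rows to the table rather than adding comparisons.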