decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

Not a well-formed OLE object #405

Open HHJazi opened 5 years ago

HHJazi commented 5 years ago

Affected tool: rtfobj

Describe the bug:

File/Malware sample to reproduce the bug: e7f997778ca54b87eb4109d6d4bd5a905e8261ad410a088daec7f3f695bb8189

How to reproduce the bug:
1. rtfobj filename
2. Extract the object using rtfdump, then use rtfobj to extract the OLE object

Expected behavior: The RTF file exploits CVE-2017-11882 and the expectation is to extract the OLE object.

Console output / Screenshots:

    File: 'e7f997778ca54b87eb4109d6d4bd5a905e8261ad410a088daec7f3f695bb8189' - size: 7327957 bytes
    ---+----------+---------------------------------------------------------------
    id |index     |OLE Object
    ---+----------+---------------------------------------------------------------
    DEBUG Start object data at index 4F2100h
    DEBUG \bin: reading 111111111111111111111111 bytes of binary data
    DEBUG Group Level = 6, closing group
    DEBUG Group Level = 5, closing group
    DEBUG Group Level = 4, closing group
    DEBUG Group Level = 3, closing group
    DEBUG Close object data at index 1787586C4FA8A06B9306h
    DEBUG OLE version=7D7D7D01 - Format ID=20203530
    DEBUG *** Not an OLE 1.0 Object
    DEBUG Group Level = 2, closing group
    DEBUG Group Level = 1, closing group
    0  |004F2100h |Not a well-formed OLE object
    ---+----------+---------------------------------------------------------------

Version information:

Additional context:

decalage2 commented 5 years ago

sample: https://app.any.run/tasks/2f3285a6-3f18-43aa-a06a-c2cbcbd683be
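As an added illustration (not oletools code, and not whatever fix the project may have shipped), the debug trace in the report shows where the parse goes wrong: the object data begins with a \bin control word claiming 111111111111111111111111 bytes of binary data, the parser honours that count and skips to the end of the file, and the bytes it then reads as the OLE version (7D7D7D01, the characters "\x01}}}") and format ID (20203530, the characters "05  ") are RTF text rather than an OLE 1.0 header, hence "Not an OLE 1.0 Object". The Python below builds a constructed RTF document (assumed test data, not the reported sample) carrying a minimal OLE 1.0 object, parses its \*\objdata group both naively and with a bounds check on \binN, and validates the OLE 1.0 header (OLEVersion 0x501, FormatID 1 or 2, class-name length within the data) before accepting the object. Treating an oversize \bin count as malformed and continuing with the hex data is this example's policy, not rtfobj's.

```python
import re
import struct

# Constructed test data for this example; not the sample from the issue.
OLE1_VERSION = 0x00000501   # OLEVersion required by MS-OLEDS for OLE 1.0 object streams
FORMAT_EMBEDDED = 2         # FormatID 2 = embedded object, 1 = linked object


def build_ole1(class_name: bytes, native: bytes) -> bytes:
    """Minimal OLE 1.0 embedded-object stream: header, class name, native data."""
    cname = class_name + b"\x00"
    return (struct.pack("<II", OLE1_VERSION, FORMAT_EMBEDDED)
            + struct.pack("<I", len(cname)) + cname
            + struct.pack("<II", 0, 0)            # TopicName / ItemName lengths
            + struct.pack("<I", len(native)) + native)


def build_rtf(objdata_payload: bytes) -> bytes:
    """Wrap raw \\objdata content in a minimal RTF document."""
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + objdata_payload + b"}}}"


# Control word: backslash, letters, optional signed numeric parameter, optional space.
CTRL_RE = re.compile(rb"\\([a-zA-Z]+)(-?\d+)? ?")


def extract_objdata(rtf: bytes, clamp_bin: bool):
    """Return (object bytes, warnings) for the first \\objdata group.
    clamp_bin=False trusts a \\binN count blindly (a bogus count then swallows the
    rest of the file); clamp_bin=True treats a count beyond the remaining input as
    malformed, skips the control word and keeps parsing the hex data."""
    warnings = []
    i = rtf.find(b"\\objdata")
    if i < 0:
        return None, ["no \\objdata group"]
    i += len(b"\\objdata")
    if rtf[i:i + 1] == b" ":
        i += 1
    level, hexbuf, out = 1, bytearray(), bytearray()

    def flush():
        # hex data comes in digit pairs; a dangling odd nibble is dropped
        out.extend(bytes.fromhex(hexbuf[:len(hexbuf) & ~1].decode()))
        hexbuf.clear()

    while i < len(rtf) and level > 0:
        c = rtf[i:i + 1]
        if c == b"{":
            level += 1
            i += 1
        elif c == b"}":
            level -= 1
            i += 1
        elif c == b"\\":
            m = CTRL_RE.match(rtf, i)
            if m is None:                 # \'hh, \{, \}, \*: skip the escape
                i += 2
                continue
            i = m.end()
            if m.group(1) == b"bin":
                n = int(m.group(2) or 0)
                avail = len(rtf) - i
                if n < 0 or n > avail:
                    warnings.append("\\bin count %d exceeds %d remaining bytes" % (n, avail))
                    if clamp_bin:
                        continue          # malformed count: ignore it, keep parsing hex
                    n = avail             # naive: swallow everything to end of file
                flush()
                out.extend(rtf[i:i + n])
                i += n
        elif c in b"0123456789abcdefABCDEF":
            hexbuf.extend(c)
            i += 1
        else:
            i += 1                        # whitespace and line breaks between digits
    if level > 0:
        warnings.append("unterminated \\objdata group")
    flush()
    return bytes(out), warnings


def parse_ole1_header(data: bytes):
    """Header fields of a well-formed OLE 1.0 object, or None if it is not one."""
    if data is None or len(data) < 12:
        return None
    version, format_id, cname_len = struct.unpack_from("<III", data, 0)
    if version != OLE1_VERSION or format_id not in (1, 2):
        return None
    if cname_len > len(data) - 12:
        return None
    cname = data[12:12 + cname_len].rstrip(b"\x00")
    return {"version": version, "format_id": format_id, "class_name": cname}


def analyze(rtf: bytes, clamp_bin: bool) -> dict:
    data, warnings = extract_objdata(rtf, clamp_bin)
    hdr = parse_ole1_header(data)
    return {"status": "OLE object" if hdr else "Not a well-formed OLE object",
            "class_name": hdr["class_name"] if hdr else None,
            "warnings": warnings}


if __name__ == "__main__":
    obj_hex = build_ole1(b"Equation.3", b"native payload").hex().encode()
    for label, doc in (("good", build_rtf(obj_hex)),
                       ("evil", build_rtf(b"\\bin111111111111111111111111 " + obj_hex))):
        print(label, "naive:", analyze(doc, False), "clamped:", analyze(doc, True))
```

Run as a script it prints both parses of both documents: the naive parse of the "evil" document ends with an unterminated group and a rejected header, which is the same failure mode as the report, while the clamped parse recovers the object and still carries the \bin warning so an analyst knows the file was shaped to defeat the parser rather than merely damaged.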