oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
Console output / Screenshots
λ rtfobj.exe 86a135e72278c93cb33c4752c4b7485399aeca72f51d1b03bede62136daf618d.MLWR
rtfobj 0.60 on Python 3.6.8 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
===============================================================================
File: '86a135e72278c93cb33c4752c4b7485399aeca72f51d1b03bede62136daf618d.MLWR' - size: 5758 bytes
---+----------+---------------------------------------------------------------
id |index |OLE Object
---+----------+---------------------------------------------------------------
Traceback (most recent call last):
File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\runpy.py", line 193, in _run_module_as_main
"__main__", mod_spec)
File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\runpy.py", line 85, in _run_code
exec(code, run_globals)
File "C:\Users\malware\AppData\Local\Programs\Python\Python36\Scripts\rtfobj.exe\__main__.py", line 7, in <module>
File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\site-packages\oletools\rtfobj.py", line 1081, in main
save_object=options.save_object)
File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\site-packages\oletools\rtfobj.py", line 927, in process_file
found_list = re.findall(r'[a-fA-F0-9\x0D\x0A]{128,}',data)
File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\re.py", line 222, in findall
return _compile(pattern, flags).findall(string)
TypeError: cannot use a string pattern on a bytes-like object
I believe this is a duplicate issue of #538, for which there is a waiting pull request at #566.
I'll try looking into updating that PR for the current version of rtfobj.
Affected tool: rtfobj
Describe the bug
When using rtfobj against an RTF that contains an OLE2LNK object the current logic tries to run a string-based regex against a bytearray. This can be fixed by modifying the following line from:
found_list = re.findall(r'[a-fA-F0-9\x0D\x0A]{128,}',data)
to:
found_list = re.findall(b'[a-fA-F0-9\x0D\x0A]{128,}',data)
File/Malware sample to reproduce the bug
https://hybrid-analysis.com/sample/86a135e72278c93cb33c4752c4b7485399aeca72f51d1b03bede62136daf618d
How To Reproduce the bug
rtfobj.exe foo.mlwr
Expected behavior
It should print a summary of the objects in the file
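The str-versus-bytes mismatch behind this traceback, worked through as an added example (not rtfobj's own code). It uses the issue's regex in its bytes form to pull candidate hex-encoded object payloads out of raw RTF data, decodes one, and reproduces the TypeError that the str form raises on bytes input. The RTF sample is constructed inline and carries a harmless payload; the function names and the odd-length handling in decode_hex_run are this example's own assumptions, not how oletools handles those cases.

```python
import binascii
import re

# The pattern from the issue as a bytes regex, so it can be applied directly to
# file content read in binary mode: runs of at least 128 hex digits, with CR/LF
# allowed inside because RTF writers wrap the hex over many lines.
HEX_RUN_BYTES = re.compile(rb'[a-fA-F0-9\x0D\x0A]{128,}')
# The str form from the original line; applying it to bytes is the reported crash.
HEX_RUN_STR = r'[a-fA-F0-9\x0D\x0A]{128,}'


def find_hex_runs(data):
    """Return every candidate hex blob found in raw RTF bytes (or bytearray)."""
    if not isinstance(data, (bytes, bytearray)):
        raise TypeError("expected bytes, got %s" % type(data).__name__)
    return HEX_RUN_BYTES.findall(bytes(data))


def decode_hex_run(run):
    """Strip the CR/LF the regex tolerated and decode the hex digits to bytes."""
    cleaned = run.replace(b'\r', b'').replace(b'\n', b'')
    # Assumption for this example: a stray trailing nibble (e.g. a hex-looking
    # character adjacent to the blob) is dropped instead of aborting the decode.
    if len(cleaned) % 2:
        cleaned = cleaned[:-1]
    return binascii.unhexlify(cleaned)


def str_pattern_fails(data):
    """Reproduce the traceback: a str pattern run over bytes raises TypeError."""
    try:
        re.findall(HEX_RUN_STR, data)
    except TypeError:
        return True
    return False


# Constructed sample: a minimal RTF whose \objdata group holds 80 bytes of
# hex-encoded payload (160 hex digits) wrapped at 64 characters per line.
# The payload is just the bytes 0x00..0x4f, not real object data.
PAYLOAD = bytes(range(80))
HEX = binascii.hexlify(PAYLOAD)
WRAPPED = b'\r\n'.join(HEX[i:i + 64] for i in range(0, len(HEX), 64))
SAMPLE_RTF = (b'{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata \r\n'
              + WRAPPED + b'\r\n}}}')

if __name__ == '__main__':
    runs = find_hex_runs(SAMPLE_RTF)
    print('found %d candidate hex run(s)' % len(runs))
    for run in runs:
        print('decoded %d bytes' % len(decode_hex_run(run)))
    print('str pattern on bytes raises TypeError:', str_pattern_fails(SAMPLE_RTF))
```

find_hex_runs accepts a bytearray as well as bytes, which is the input type named in the traceback; the bytes pattern handles both, whereas the str pattern fails on either. Note that the character class also admits hex-looking letters that happen to precede or follow the real blob, which is why the decoder tolerates an odd digit count.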