decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

oleobj: detect remote templates and other remote references in OLE files #826

Open decalage2 opened 9 months ago

decalage2 commented 9 months ago

oleobj detects remote references in OpenXML files (docx, xlsx, pptx), but not in legacy OLE files (doc, xls, ppt). For example this sample is not detected:

It looks like the remote template reference is in the 1Table stream (e.g. template URL in Unicode), so a parser would need to be implemented unless we can find one.

decalage2 commented 3 months ago

Partial 1Table parser: http://blog.digitally-disturbed.co.uk/2012/04/reading-microsoft-word-doc-files-in.html

See also https://github.com/decalage2/oletools/issues/81#issuecomment-292779732 to select 1Table or 0Table.

And https://github.com/decalage2/olefile/pull/114/files also parses 1Table partially.
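A starting point for the detection discussed in this issue, as an added example that is not oletools or olefile code: it picks 0Table or 1Table from the FIB's fWhichTblStm flag in the WordDocument stream and then scans that table stream heuristically for UTF-16LE URLs and UNC paths, instead of fully parsing the SttbfAssoc structure where Word stores the attached template. The FIB offsets and stream names follow the MS-DOC specification; the regex, the `scan_ole_doc` wrapper and the sample bytes are constructed assumptions.

```python
import re
import struct

# MS-DOC FibBase: wIdent (0xA5EC) at offset 0, 16-bit flags at offset 0x0A;
# bit 9 (fWhichTblStm) selects 1Table when set and 0Table when clear.
FIB_WIDENT = 0xA5EC
FIB_FLAGS_OFFSET = 0x0A
F_WHICH_TBL_STM = 0x0200

# Heuristic (assumption, not from the spec): remote references are stored as
# Unicode strings, so look for printable-ASCII URLs / UNC paths after decoding.
REMOTE_REF_RE = re.compile(r'(?:https?|ftp|file)://[!-~]+|\\\\[!-~]+', re.IGNORECASE)


def table_stream_name(worddocument: bytes) -> str:
    """Return '1Table' or '0Table' according to the FIB fWhichTblStm flag."""
    if len(worddocument) < FIB_FLAGS_OFFSET + 2:
        raise ValueError("WordDocument stream too short to contain a FIB")
    (wident,) = struct.unpack_from('<H', worddocument, 0)
    if wident != FIB_WIDENT:
        raise ValueError("not a Word binary document (bad wIdent)")
    (flags,) = struct.unpack_from('<H', worddocument, FIB_FLAGS_OFFSET)
    return '1Table' if flags & F_WHICH_TBL_STM else '0Table'


def find_remote_refs(table_stream: bytes) -> list:
    """Scan a table stream for UTF-16LE URLs / UNC paths at both byte alignments."""
    found = []
    for offset in (0, 1):  # a string need not start on an even byte offset
        text = table_stream[offset:].decode('utf-16-le', errors='replace')
        for match in REMOTE_REF_RE.finditer(text):
            ref = match.group(0)
            if ref not in found:
                found.append(ref)
    return found


def scan_ole_doc(path: str) -> list:
    """Open a legacy .doc with olefile and scan the table stream the FIB points to."""
    import olefile  # assumed installed next to oletools; imported lazily
    with olefile.OleFileIO(path) as ole:
        worddocument = ole.openstream('WordDocument').read()
        name = table_stream_name(worddocument)
        if not ole.exists(name):
            return []
        return find_remote_refs(ole.openstream(name).read())
```

Matches are only candidates: a legitimate document may also carry a UNC path to a shared template, so the hit should be reported as an indicator rather than treated as proof of malice.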