oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
For each CLSID, we could add a tag to show if it is suspicious (e.g. related to a CVE or a Package object). This would require changing the format of the dict to have multiple values, either a tuple or an object. In this case, we need to keep a copy of KNOWN_CLSIDS with the current format, for backwards compatibility.
Alternative: add a function `is_suspicious` which just checks the description string for the presence of the keywords "CVE" or "package". Or add text tags inside the description string, such as "[SUSPICIOUS]".
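As an added illustration (not part of the issue and not oletools' own code), the sketch below implements both options side by side: a keyword check on the description string (the `is_suspicious` alternative, also honouring a `[SUSPICIOUS]` text tag), and a richer table in the shape `clsid -> (description, tags)` with a backwards-compatible view that reproduces the current `KNOWN_CLSIDS` format. The sample table, its CLSID values and the dummy CVE id are constructed placeholders, not real registered CLSIDs.

```python
import re

# Constructed sample in the shape of oletools' KNOWN_CLSIDS (CLSID string -> description).
# The CLSID values are placeholders, not real registered CLSIDs; the CVE id is a dummy.
SAMPLE_KNOWN_CLSIDS = {
    "00000000-0000-0000-0000-000000000001": "Document object (placeholder)",
    "00000000-0000-0000-0000-000000000002": "OLE Package Object (Package) (placeholder)",
    "00000000-0000-0000-0000-000000000003": "Control exploited by CVE-XXXX-YYYY (placeholder)",
    "00000000-0000-0000-0000-000000000004": "[SUSPICIOUS] Control flagged by hand (placeholder)",
}

# Option A from the issue: derive suspicion from keywords in the description string.
_CVE_RE = re.compile(r"\bCVE\b", re.IGNORECASE)
_PACKAGE_RE = re.compile(r"\bpackage\b", re.IGNORECASE)
_TAG_RE = re.compile(r"\[SUSPICIOUS\]")


def tags_for(description):
    """Return a tuple of tags derived from a description string."""
    tags = []
    if _CVE_RE.search(description):
        tags.append("cve")
    if _PACKAGE_RE.search(description):
        tags.append("package")
    if _TAG_RE.search(description):
        tags.append("flagged")
    return tuple(tags)


def is_suspicious(description):
    """True if the description carries any suspicion keyword or tag."""
    return bool(tags_for(description))


# Option B: a richer dict clsid -> (description, tags), plus a legacy view
# that keeps the current clsid -> description format for existing callers.
def build_tagged_table(known_clsids):
    return {clsid: (desc, tags_for(desc)) for clsid, desc in known_clsids.items()}


def legacy_view(tagged):
    """Project the tagged table back to the current KNOWN_CLSIDS format."""
    return {clsid: desc for clsid, (desc, _tags) in tagged.items()}


def normalize_clsid(clsid):
    """Accept '{...}' braces and lowercase hex, as found in OLE streams and registry dumps."""
    return clsid.strip().strip("{}").upper()


def lookup(tagged, clsid):
    """Return (description, tags) for a CLSID, or None if unknown."""
    return tagged.get(normalize_clsid(clsid))


if __name__ == "__main__":
    table = build_tagged_table(SAMPLE_KNOWN_CLSIDS)
    for clsid, (desc, tags) in table.items():
        print(clsid, "SUSPICIOUS" if tags else "ok", tags, desc)
```

The legacy view is a plain dict, so code that only ever did `KNOWN_CLSIDS.get(clsid)` keeps working unchanged, while new code can read the tag tuple directly.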