oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
RTF files mentioned in this article contain OLE objects with an equation editor exploit: https://x.com/_CPResearch_/status/1793642302839431502 / https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/

Docx (with remote template pointing to RTF)
RTF (with equation editor exploit and OLE package with DLL)

Several issues to be addressed:

Equation editor exploits are not detected as such. The keyword "equation" in the class name should be a red flag.
The OLE class name is not properly reported, i.e. it should be b'Equation.2' instead of b'Equation.2\x00\x124Vx\x90\x124VxvT2' (split when a null byte is found).
OLE package objects are not detected as DLL/EXE. ftguess should be used to detect executable files, in addition to checking the file extension.

rtfobj output:
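Added example, written by the editor and not part of the issue or of oletools: the three checks the issue asks for (NUL-terminated class name, "equation" red flag, content-based DLL/EXE detection for OLE Package payloads) run over constructed byte strings so they work offline. The class-name value is the one quoted in the issue; the PE samples are hand-built headers, not real binaries. ftguess is the oletools module the issue proposes for the executable check; a minimal MZ/PE header check stands in for it here so the example has no dependencies, and the flag names and the `triage_ole_object` helper are the editor's own.

```python
# Added example (not oletools code): checks requested in the rtfobj issue,
# run over constructed samples. pe_info() is a stand-in for ftguess.
import os
import struct

IMAGE_FILE_DLL = 0x2000              # Characteristics flag in the COFF header
EXECUTABLE_EXTENSIONS = {".exe", ".dll"}


def clean_class_name(raw: bytes) -> bytes:
    """Return the OLE class name up to the first NUL byte.

    The ProgID is NUL-terminated; the bytes after it in the value quoted in the
    issue (0x12 0x34 0x56 0x78 ...) are not part of the name and must not be
    reported as such.
    """
    name, _sep, _rest = raw.partition(b"\x00")
    return name


def is_equation_editor_class(raw: bytes) -> bool:
    """Red flag from the issue: 'equation' anywhere in the (cleaned) class name."""
    return b"equation" in clean_class_name(raw).lower()


def pe_info(data: bytes):
    """Return None if data is not a PE image, else {'is_dll': bool}.

    Content-based check (what ftguess would provide): 'MZ' DOS header,
    e_lfanew at 0x3C, 'PE' signature there, Characteristics word at +22.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return {"is_dll": bool(characteristics & IMAGE_FILE_DLL)}


def triage_ole_object(class_name: bytes, package_filename=None, package_data=b""):
    """Combine the checks for one OLE object; returns a sorted list of flags.

    package_filename/package_data are the filename and payload of an OLE
    Package object when there is one. Extension and content are checked
    independently, so a DLL renamed to .pdf is still flagged.
    """
    flags = set()
    if is_equation_editor_class(class_name):
        flags.add("EQUATION_EDITOR")
    if package_filename is not None:
        if os.path.splitext(package_filename)[1].lower() in EXECUTABLE_EXTENSIONS:
            flags.add("EXECUTABLE_EXTENSION")
    info = pe_info(package_data)
    if info is not None:
        flags.add("DLL_CONTENT" if info["is_dll"] else "EXE_CONTENT")
    return sorted(flags)


# --- constructed samples (hypothetical, not real malware) --------------------
SAMPLE_CLASS_NAME = b"Equation.2\x00\x124Vx\x90\x124VxvT2"   # value quoted in the issue


def fake_pe(characteristics: int) -> bytes:
    """Build the smallest byte string pe_info() accepts: DOS header + COFF header."""
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = (b"PE\x00\x00"
            + struct.pack("<H", 0x014C)        # Machine: i386
            + b"\x00" * 16                      # sections, timestamp, symbols, opt hdr size
            + struct.pack("<H", characteristics))
    return dos_header + coff


FAKE_DLL = fake_pe(0x0002 | IMAGE_FILE_DLL)   # EXECUTABLE_IMAGE | DLL
FAKE_EXE = fake_pe(0x0002)                    # EXECUTABLE_IMAGE only
FAKE_PDF = b"%PDF-1.7\n%constructed placeholder, not a real document\n"


if __name__ == "__main__":
    print(clean_class_name(SAMPLE_CLASS_NAME))                         # b'Equation.2'
    print(triage_ole_object(SAMPLE_CLASS_NAME))                        # ['EQUATION_EDITOR']
    print(triage_ole_object(b"Package\x00", "report.pdf", FAKE_DLL))   # ['DLL_CONTENT']
    print(triage_ole_object(b"Package\x00", "tool.exe", FAKE_EXE))     # ['EXECUTABLE_EXTENSION', 'EXE_CONTENT']
    print(triage_ole_object(b"Package\x00", "report.pdf", FAKE_PDF))   # []
```

The split at the first NUL is the whole fix for the second item; the equation check runs on the cleaned name so trailing bytes cannot hide or fake the keyword. For real rtfobj output, replace `pe_info` with the ftguess result and keep the extension check as a second, independent signal, as the issue suggests.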