rtfobj/oleid: Equation Editor objects not detected

RTF files mentioned in this article contain OLE objects with an equation editor exploit: https://x.com/_CPResearch_/status/1793642302839431502 / https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/

Docx (with remote template pointing to RTF)

57b64a1ef1b04819ca9473e1bb74e1cf4be76b89b144e030dc1ef48f446ff95b
2faf9615227728b2e7b9cfc548d4210452adc08b3ec500c1b46f2e04fa165816
0373ef0a7874bd8506dc64dd82ef2c6d7661a3250c8a9bb8cb8cb75a7330c1d2
bff674439ea8333b227f6d05caa05b2e3fe592825abd63272d4f1e4c2dfa88ea
362b9f497fce52a3f14ad9de2a027d974cc810473c929fed7c37526d2f13f83a

RTF (with equation editor exploit and OLE package with DLL)

180f5a0f9210698b54dcafb9a230b12e3eaf199889e5377a2acb7124c2d48d69
c1e403dd787f197f928960c723866424e343789a0422dbe8c98ed2214500d151
ff35cfed656c0cac5571beae7170a2fec007e75417c1d0c4fd7af4185759ec38
9885b220b9654ac4743fe907e67da38d723fee2abf2dcd5944aa3a00c4a59c31
708722bafe35a9fdc94ac33b1970776c464f1bb4e9c2ea1c1dba3a9e1ba03ab3
9885b220b9654ac4743fe907e67da38d723fee2abf2dcd5944aa3a00c4a59c31

Several issues to be addressed:

Equation editor exploit are not detected as such. The keyword "equation" in the class name should be a red flag.
the OLE class name is not properly reported, i.e. it should be b'Equation.2' instead of b'Equation.2\x00\x124Vx\x90\x124VxvT2' (split when a null byte is found)
OLE package objects are not detected as DLL/EXE. ftguess should be used to detect executable files, in addition to checking the file extension.
some objects are not properly parsed.
oleid does not report RTF issues

rtfobj output:

rtfobj 0.60.1 on Python 3.11.6 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

===============================================================================
File: '180f5a0f9210698b54dcafb9a230b12e3eaf199889e5377a2acb7124c2d48d69.rtf' - size: 283670 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object                                                     
---+----------+---------------------------------------------------------------
0  |00002B42h |format_id: 2 (Embedded)                                        
   |          |class name: b'PACKage'                                         
   |          |data size: 125952                                              
   |          |OLE Package object:                                            
   |          |Filename: '\x11à¡±\x1aá'                                       
   |          |Source path: ''                                                
   |          |Temp path = ''                                                 
   |          |MD5 = 'd41d8cd98f00b204e9800998ecf8427e'                       
   |          |File Type: Unknown file type                                   
---+----------+---------------------------------------------------------------
1  |000408A3h |format_id: 2 (Embedded)                                        
   |          |class name: b'Equation.2\x00\x124Vx\x90\x124VxvT2'             
   |          |data size: 8485                                                
   |          |MD5 = 'a0027a66a9081e01907b1fd91ac8613f'                       
---+----------+---------------------------------------------------------------
2  |00040889h |Not a well-formed OLE object                                   
---+----------+---------------------------------------------------------------
===============================================================================
File: '9885b220b9654ac4743fe907e67da38d723fee2abf2dcd5944aa3a00c4a59c31.rtf' - size: 707473 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object                                                     
---+----------+---------------------------------------------------------------
0  |0000A3F3h |format_id: 2 (Embedded)                                        
   |          |class name: b'PACKage'                                         
   |          |data size: 325120                                              
   |          |OLE Package object:                                            
   |          |Filename: '\x11à¡±\x1aá'                                       
   |          |Source path: ''                                                
   |          |Temp path = ''                                                 
   |          |MD5 = 'd41d8cd98f00b204e9800998ecf8427e'                       
   |          |File Type: Unknown file type                                   
---+----------+---------------------------------------------------------------
1  |000A9554h |format_id: 2 (Embedded)                                        
   |          |class name: b'Equation.2\x00\x124Vx\x90\x124VxvT2'             
   |          |data size: 5775                                                
   |          |MD5 = '965783e01d6b29e74528f5c3717e553d'                       
---+----------+---------------------------------------------------------------
2  |000A953Ah |Not a well-formed OLE object                                   
---+----------+---------------------------------------------------------------
===============================================================================
File: 'c1e403dd787f197f928960c723866424e343789a0422dbe8c98ed2214500d151.rtf' - size: 537175 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object                                                     
---+----------+---------------------------------------------------------------
0  |00005983h |format_id: 2 (Embedded)                                        
   |          |class name: b'PACKage'                                         
   |          |data size: 246784                                              
   |          |OLE Package object:                                            
   |          |Filename: '\x11à¡±\x1aá'                                       
   |          |Source path: ''                                                
   |          |Temp path = ''                                                 
   |          |MD5 = 'd41d8cd98f00b204e9800998ecf8427e'                       
   |          |File Type: Unknown file type                                   
---+----------+---------------------------------------------------------------
1  |0007E6E4h |format_id: 2 (Embedded)                                        
   |          |class name: b'Equation.2\x00\x124Vx\x90\x124VxvT2'             
   |          |data size: 8485                                                
   |          |MD5 = '993a0f4852cdca46e9e0ed693c7b3e9a'                       
---+----------+---------------------------------------------------------------
2  |0007E6CAh |Not a well-formed OLE object                                   
---+----------+---------------------------------------------------------------
===============================================================================
File: 'ff35cfed656c0cac5571beae7170a2fec007e75417c1d0c4fd7af4185759ec38.rtf' - size: 1654404 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object                                                     
---+----------+---------------------------------------------------------------
0  |0000CD46h |format_id: 2 (Embedded)                                        
   |          |class name: b'Word.Document.12'                                
   |          |data size: 85504                                               
   |          |MD5 = 'ffd84fa2448bb30bb8324d3f2a7c4fdd'                       
   |          |CLSID: F4754C9B-64F5-4B40-8AF4-679732AC0607                    
   |          |Microsoft Word Document (Word.Document.12)                     
---+----------+---------------------------------------------------------------
1  |000F0EE6h |format_id: 2 (Embedded)                                        
   |          |class name: b'PACKage'                                         
   |          |data size: 326144                                              
   |          |OLE Package object:                                            
   |          |Filename: '\x11à¡±\x1aá'                                       
   |          |Source path: ''                                                
   |          |Temp path = ''                                                 
   |          |MD5 = 'd41d8cd98f00b204e9800998ecf8427e'                       
   |          |File Type: Unknown file type                                   
---+----------+---------------------------------------------------------------
2  |00190847h |format_id: 2 (Embedded)                                        
   |          |class name: b'Equation.2\x00\x124Vx\x90\x124VxvT2'             
   |          |data size: 5775                                                
   |          |MD5 = 'df51041f0410fcb95955c0e9788e841f'                       
---+----------+---------------------------------------------------------------
3  |0019082Dh |Not a well-formed OLE object                                   
---+----------+---------------------------------------------------------------

decalage2 / oletools

rtfobj/oleid: Equation Editor objects not detected #858