rtfobj - parsing issues + not reporting unicode filename for package #370

@decalage2

Description

See this sample:

It looks like IRIS-H finds a unicode filename/path that rtfobj does not report:
https://iris-h.services/#/pages/report/7663ae93af3c9058649e91d8704309a1ce86c5d3

And some OLE objects are not well formed:

rtfobj 0.54dev1 on Python 2.7.14 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

===============================================================================
File: '8326bcb300389a2d654e6e921e259e553f33f8949984c2da55ccb6e9ed3f6480' - size: 3210111 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object
---+----------+---------------------------------------------------------------
0  |0000FF12h |format_id: 2 (Embedded)
   |          |class name: 'Excel.Chart.8'
   |          |data size: 390656
   |          |CLSID: 00020821-0000-0000-C000-000000000046
   |          |Microsoft Excel.Chart.8
---+----------+---------------------------------------------------------------
1  |00132A95h |format_id: 2 (Embedded)
   |          |class name: 'Excel.Chart.8'
   |          |data size: 390144
   |          |CLSID: 00020821-0000-0000-C000-000000000046
   |          |Microsoft Excel.Chart.8
---+----------+---------------------------------------------------------------
2  |002A921Bh |format_id: 2 (Embedded)
   |          |class name: 'Package'
   |          |data size: 359075
   |          |OLE Package object:
   |          |Filename: u'1111111111'
   |          |Source path: u'111111111111111111111111111111111111111111111111
   |          |1111111111111111111111111111111111111111'
   |          |Temp path = u'1111111111111111111111111111111111111111111111'
---+----------+---------------------------------------------------------------
3  |00301413h |format_id: 2 (Embedded)
   |          |class name: 'Package'
   |          |data size: 4862
   |          |OLE Package object:
   |          |Filename: u'crossaaa.dll'
   |          |Source path: u'C:\\crossaaa.dll'
   |          |Temp path =
   |          |u'C:\\Users\\Reverse\\AppData\\Local\\Temp\\crossaaa.dll'
   |          |EXECUTABLE FILE
---+----------+---------------------------------------------------------------
4  |00303F9Eh |format_id: 2 (Embedded)
   |          |class name: 'Package'
   |          |data size: 5886
   |          |OLE Package object:
   |          |Filename: u'croszaaa.dll'
   |          |Source path: u'C:\\croszaaa.dll'
   |          |Temp path =
   |          |u'C:\\Users\\Reverse\\AppData\\Local\\Temp\\croszaaa.dll'
   |          |EXECUTABLE FILE
---+----------+---------------------------------------------------------------
5  |00307342h |Not a well-formed OLE object
---+----------+---------------------------------------------------------------
6  |00307336h |Not a well-formed OLE object
---+----------+---------------------------------------------------------------
7  |0030B792h |Not a well-formed OLE object
---+----------+---------------------------------------------------------------
8  |0030B786h |Not a well-formed OLE object
---+----------+---------------------------------------------------------------
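The Package objects in the output above are reported only by their ANSI filename, source path and temp path, while the report the issue links to also shows a unicode name. The following is an added example, not oletools code, that builds a constructed Ole10Native (OLE Package) blob and parses both the ANSI fields and the unicode trailer; the field layout (in particular the order of the trailer strings) is an assumption based on commonly described Ole10Native structures, not something the issue confirms.

```python
import struct

# Constructed OLE Package (Ole10Native) blob, not the issue's sample file.
# Assumed layout: DWORD size, WORD flags, ANSI filename, ANSI source path,
# DWORD unknown, DWORD temp-path length, ANSI temp path, DWORD data size,
# data, then a unicode trailer: UTF-16LE temp path, filename, source path.
def _cstr(s):
    return s.encode("latin-1") + b"\x00"
def _wstr(s):
    return struct.pack("<I", len(s)) + s.encode("utf-16-le")

def build_ole10native(filename, src, temp, data, u_filename, u_src, u_temp):
    body = struct.pack("<H", 2) + _cstr(filename) + _cstr(src)
    body += struct.pack("<II", 0, len(temp) + 1) + _cstr(temp)
    body += struct.pack("<I", len(data)) + data
    body += _wstr(u_temp) + _wstr(u_filename) + _wstr(u_src)
    return struct.pack("<I", len(body)) + body

def parse_ole10native(blob):
    """Return both the ANSI and the unicode name fields of a Package object."""
    pos = 6                                   # skip DWORD size and WORD flags
    def cstr():
        nonlocal pos
        end = blob.index(b"\x00", pos)
        s, pos = blob[pos:end].decode("latin-1"), end + 1
        return s
    def u32():
        nonlocal pos
        pos += 4
        return struct.unpack_from("<I", blob, pos - 4)[0]
    info = {"filename": cstr(), "src_path": cstr()}
    u32(); u32()                              # unknown DWORD, temp path length
    info["temp_path"] = cstr()
    size = u32()
    info["data"], pos = blob[pos:pos + size], pos + size
    # Unicode trailer (the names rtfobj did not report here); absent in some files.
    for key in ("temp_path_u", "filename_u", "src_path_u"):
        if pos + 4 > len(blob):
            break
        n = u32()
        info[key], pos = blob[pos:pos + 2 * n].decode("utf-16-le"), pos + 2 * n
    return info

SAMPLE = build_ole10native(
    "crossaaa.dll", "C:\\crossaaa.dll",
    "C:\\Users\\Reverse\\AppData\\Local\\Temp\\crossaaa.dll",
    b"MZ" + b"\x00" * 6,                      # constructed stub, not a real PE
    "cr\u00f6ssaaa.dll", "C:\\Users\\R\u00e9verse\\cr\u00f6ssaaa.dll",
    "C:\\Users\\R\u00e9verse\\Temp\\cr\u00f6ssaaa.dll")
```

A triage script that only keys on the ANSI `filename` field would see `crossaaa.dll` and never the differing unicode name, which is why both sets of fields are worth printing.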
