rtfobj parsing issue

Issue reported on Twitter: https://twitter.com/Ledtech3/status/1136788812699492352

Sample: https://app.any.run/tasks/e2284cea-e4be-4eb7-8865-19f1a57dfe67/

rtfobj output:
```
rtfobj 0.54 on Python 3.7.2 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

===============================================================================
File: 'doc.rtf' - size: 7071216 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object
---+----------+---------------------------------------------------------------
0  |0063C11Eh |format_id: 2 (Embedded)
   |          |class name: b'Package'
   |          |data size: 87752
   |          |OLE Package object:
   |          |Filename: '8.t'
   |          |Source path: 'C:\\Aaa\\tmp\\8.t'
   |          |Temp path = 'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\8.t'
   |          |MD5 = 'd78736cf6d7e2a0a8af2be6a1677ec15'
---+----------+---------------------------------------------------------------
1  |00666F63h |Not a well-formed OLE object
---+----------+---------------------------------------------------------------
2  |00666F34h |Not a well-formed OLE object
---+----------+---------------------------------------------------------------
3  |0066CD1Ah |format_id: 2 (Embedded)
   |          |class name: b'\x00\x00\x00\x00\x00\r\x0c\xf1\x1e\n\x1b\x11\xae\
   |          |x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
   |          |data size: 166960
   |          |MD5 = 'a1a114cd8fd74f27742a6c4f2c04c37f'
   |          |CLSID: 4F5FC7B4-4456-B804-AF46-79732AC06070
   |          |unknown CLSID (please report at
   |          |https://github.com/decalage2/oletools/issues)
---+----------+---------------------------------------------------------------
Saving file embedded in OLE object #0:
  format_id  = 2
  class name = b'\x00\x00\x00\x00\x00\r\x0c\xf1\x1e\n\x1b\x11\xae\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
  data size  = 166960
  saving to file doc.rtf_object_0066CD1A.bin
  md5 a1a114cd8fd74f27742a6c4f2c04c37f
```

The extracted object has an OLE magic (D0CF...), but its structure is corrupt:
```
oledir doc.rtf_object_0066CD1A.bin
oledir 0.54 - http://decalage.info/python/oletools
OLE directory entries in file doc.rtf_object_0066CD1A.bin:
----+------+-------+----------------------+-----+-----+-----+--------+------
id  |Status|Type   |Name                  |Left |Right|Child|1st Sect|Size
----+------+-------+----------------------+-----+-----+-----+--------+------
0   |<Used>|Unknown|ؠ۰߰ɀЀِߠ݀ܠ\x90\x00\x00\|-    |40433|15099|4000030 |20480
    |      |       |x00\x00\x00\x00\x00\x0|     |09055|4992 |        |
    |      |       |0\x00\x00\x00\x00\x00\|     |     |     |        |
    |      |       |x00\x00\x00\x00\x00\x0|     |     |     |        |
    |      |       |0\x00\x00             |     |     |     |        |
1   |ORPHAN|Unknown|А۰ۀP\x00\x00\x00\x00\x|40433|25165|40433|1000000 |64
    |      |       |00\x00\x00\x00\x00\x00|09055|8272 |09055|        |
    |      |       |\x00\x00\x00\x00\x00\x|     |     |     |        |
    |      |       |00\x00\x00\x00\x00\x00|     |     |     |        |
    |      |       |\x00\x00\x00\x00\x00\x|     |     |     |        |
    |      |       |00                    |     |     |     |        |
2   |ORPHAN|Unknown|\u0600ؐذڰٰؐP\x00\x00\x|-    |-    |40433|4000060 |212607
    |      |       |00\x00\x00\x00\x00\x00|     |     |09055|        |1
    |      |       |\x00\x00\x00\x00\x00\x|     |     |     |        |
    |      |       |00\x00\x00\x00\x00\x00|     |     |     |        |
    |      |       |\x00\x00\x00\x00\x00  |     |     |     |        |
3   |ORPHAN|Unknown|Аذ۰ߐЀ۰ؠ\xa0\x00\x00\x0|16   |25165|40433|7000010 |32
    |      |       |0\x00\x00\x00\x00     |     |8304 |09055|        |
4   |ORPHAN|Unknown|Р۰ۀՐ܀ؠݐ̰̀̀\x00\x00\x00|40433|25165|40433|3000030 |16416
    |      |       |\x00\x00\x00\x00\x00\x|09055|8320 |09055|        |
    |      |       |00\x00\x00\x00\x00\x00|     |     |     |        |
    |      |       |\x00\x00\x00\x00\x00\x|     |     |     |        |
    |      |       |00\x00                |     |     |     |        |
5   |ORPHAN|Unknown|ؠڐذҀِـސр٠ۀؐݰ0\x00\x00\|-    |-    |40433|40      |192
    |      |       |x00\x00\x00\x00\x00\x0|     |     |09055|        |
    |      |       |0\x00\x00\x00\x00\x00\|     |     |     |        |
    |      |       |x00\x00\x00\x00\x00   |     |     |     |        |
6   |unused|Empty  |                      |-    |-    |40433|0       |0
    |      |       |                      |     |     |09055|        |
7   |unused|Empty  |                      |-    |-    |40433|0       |0
    |      |       |                      |     |     |09055|        |
----+----------------------------+------+--------------------------------------
id  |Name                        |Size  |CLSID
----+----------------------------+------+--------------------------------------
0   |ؠ۰߰ɀЀِߠ݀ܠ                  |-     |4F5FC7B4-4456-B804-AF46-79732AC06070
    |                            |      |
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

rtfobj parsing issue #454

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

rtfobj parsing issue #454

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions