rtfobj - Failure to detect embedded OLE #185

@malware-kitten

Description

rtfobj is failing to detect an ole2link object within this rtf document, due to obfuscation.

Document information

e23db975e34145d2c58467b7fd7ca70e  85_170719165027_0001.DOC

Running version 0.51.1dev2

rtfobj -s all 85_170719165027_0001.DOC 
rtfobj 0.51.1dev2 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

===============================================================================
File: '85_170719165027_0001.DOC' - size: 74281 bytes
---+----------+-------------------------------+-------------------------------
id |index     |OLE Object                     |OLE Package                    
---+----------+-------------------------------+-------------------------------

The header of the OLE has been obfuscated as well:

00000140  30 09 30 30 64 30 63 66  31 31 09 65 30 20 61 20  |0.00d0cf11.e0 a |
00000150  31 5c 62 69 6e 33 34 20  b1 1a e1 00 00 00 00 00  |1\bin34 ........|

The relevant objects within the RTF:

00000fd0  f0 00 00 00 00 00 00 00  03 00 4f 00 62 00 6a 00  |..........O.b.j.|
00000fe0  49 00 6e 00 66 00 6f 00  00 00 00 00 00 00 00 00  |I.n.f.o.........|
00001130  00 00 03 00 4c 00 69 00  6e 00 6b 00 49 00 6e 00  |....L.i.n.k.I.n.|
00001140  66 00 6f 00 00 00 00 00  00 00 00 00 00 00 00 00  |f.o.............|
000019b0  00 74 00 70 00 3a 00 2f  00 2f 00 6b 00 6f 00 6d  |.t.p.:././.k.o.m|
000019c0  00 69 00 79 00 36 20 09  20 09 20 20 09 09 09 09  |.i.y.6 . .  ....|
000019d0  20 20 20 09 20 09 09 20  09 20 09 09 20 20 20 20  |   . .. . ..    |
000019e0  09 09 09 20 09 20 20 09  20 09 20 20 09 09 09 09  |... .  . .  ....|
000019f0  20 20 20 09 20 09 09 20  09 20 09 09 20 20 20 66  |   . .. . ..   f|
00001a00  5c 62 69 6e 34 32 20 00  2e 00 72 00 75 00 2f 00  |\bin42 ...r.u./.|
00001a10  66 00 69 00 6c 00 65 00  76 00 6c 00 61 00 2e 00  |f.i.l.e.v.l.a...|
00001a20  68 00 74 00 61 00 00 00  00 00 00 00 00 00 00 00  |h.t.a...........|

A copy of the sample can be found here -> https://drive.google.com/open?id=0B6sLf2D8GZIQeXR2Q3o0WW5CZkE
password: infected
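The two tricks visible in the dumps above are whitespace (spaces and tabs) scattered between the hex digits of the object data, even between the two nibbles of one byte, and `\binN` control words that splice N raw binary bytes into the middle of the hex stream. The decoder below is an added example, not code from oletools or from this issue: it normalises such a stream and checks for the OLE2 magic. The sample input is constructed to mirror the bytes at offset 0x140; how a half byte pending across a `\bin` chunk should pair up is an assumption (it is simply kept pending).

```python
import re

# Magic bytes at the start of every OLE2 (Compound File Binary) container.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# RTF control word: backslash, letters, optional signed number, and the
# optional single space delimiter that belongs to the control word.
CONTROL_WORD = re.compile(rb"\\([a-zA-Z]+)(-?\d+)? ?")


def decode_objdata(data: bytes) -> bytes:
    """Turn the payload of an RTF \\objdata group into raw bytes.

    Whitespace and braces between hex digits are ignored, \\binN control
    words contribute their N raw bytes verbatim, and any other control
    word or control symbol is skipped.
    """
    out = bytearray()
    pending = None  # high nibble waiting for its partner (kept across \bin)
    i, n = 0, len(data)
    while i < n:
        c = data[i]
        if c == 0x5C:  # backslash: control word or control symbol
            m = CONTROL_WORD.match(data, i)
            if m and m.group(1) == b"bin":
                count = int(m.group(2) or 0)
                start = m.end()
                out += data[start:start + count]  # raw bytes, not hex text
                i = start + count
                continue
            i = m.end() if m else i + 2  # skip \par, \\, \{ and friends
            continue
        if c in b" \t\r\n{}":
            i += 1
            continue
        try:
            nibble = int(chr(c), 16)
        except ValueError:
            raise ValueError(f"non-hex byte 0x{c:02x} at offset {i}") from None
        if pending is None:
            pending = nibble
        else:
            out.append((pending << 4) | nibble)
            pending = None
        i += 1
    return bytes(out)


def is_ole2(blob: bytes) -> bool:
    return blob.startswith(OLE_MAGIC)


# Constructed sample modelled on the dump at 0x140: "d0cf11<tab>e0 a 1\bin34 "
# followed by raw bytes b1 1a e1 00 ...; shortened here to \bin8.
SAMPLE = (b"d0cf11\t e0 a 1\\bin8 " + bytes.fromhex("b11ae10000000000")
          + b"00 00 00 00 00 00 00 00")


def check_sample() -> bool:
    return is_ole2(decode_objdata(SAMPLE))
```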
