Philippe Lagadec
When mlget queries InQuest (https://labs.inquest.net/api), it gets stuck for a very long time, at least 30s or 1min. All the other queries are very fast. For example this query: `mlget...
Hi, I see that olefy is calling olevba as an external script, and capturing its output + exit code. I think this is error prone and may lead to issues...
List from http://justsolve.archiveteam.org/wiki/Microsoft_Compound_File : ``` {00000000-0000-0000-0000-000000000000} Unspecified (could be Thumbs.db, SUO, PageMaker, Microsoft Access wizard template, Easy CD Creator 2 ...) {00000257-0000-0000-0000-000000000000} Family Tree Maker FTW {00020810-0000-0000-c000-000000000046} Excel 5-95 XLS...
RTF files mentioned in this article contain OLE objects with an equation editor exploit: https://x.com/_CPResearch_/status/1793642302839431502 / https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/

Docx (with remote template pointing to RTF):
- 57b64a1ef1b04819ca9473e1bb74e1cf4be76b89b144e030dc1ef48f446ff95b
- 2faf9615227728b2e7b9cfc548d4210452adc08b3ec500c1b46f2e04fa165816
- 0373ef0a7874bd8506dc64dd82ef2c6d7661a3250c8a9bb8cb8cb75a7330c1d2...
See https://medium.com/@john.woodman11/vba-macro-remote-template-injection-with-unlinking-self-deletion-49aef5eec0cd

Potential keywords:
- `.VBComponents.Remove`
- `.CodeModule.DeleteLines`
- `.AttachedTemplate` (but this one will trigger false positives, it is just an indication that the macro manipulates the attached template)
This PR was automatically created by Snyk using the credentials of a real user. ### Snyk has created this PR to fix 1 vulnerabilities in the pip dependencies of this...
That might be useful to correlate olevba output with other tools. MBC: https://github.com/MBCProject/mbc-markdown
Check this thread for suggestions: https://x.com/rucam365/status/1826179836995350812
This is unusual and should be reported as suspicious. See PR #873
Add detection for the HWP document format, based on OLE. See https://github.com/volexity/hwp-extract, especially the `_is_valid` method: https://github.com/volexity/hwp-extract/blob/19361beb4d553cb33a1342e885e86b2d66324916/src/hwp_extract/hwp.py#L132