oletools
oleobj - bug in filename extraction
When running oleobj against a sample that has an Ole10Native object, the following will occur:
oleobj 8805b8874bf3f72510474643d7fd5a4fda19423ce829413831f40bdaf3634785_object_0000003C.bin
oleobj 0.52 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
-------------------------------------------------------------------------------
File: '8805b8874bf3f72510474643d7fd5a4fda19423ce829413831f40bdaf3634785_object_0000003C.bin'
extract file embedded in OLE object from stream '\x01Ole10Native':
Parsing OLE Package
Filename = "Tæ k
B"Bºÿ÷нöjõ½ô°j}Pÿ×ÕÈÄ!-BÈÄ!ÿà
Source path = "ø9|S¥¥Ù.áß»<H;¨hŦ-¾
I!3ÞÉè;
Ñe¾Y®`«¥¸@DøçWÚ]/ñÈþO{ÉCÆ@G®Ùå0þw¥È[Fø«T
éá"
Temp path = "?Jã ®"
saving to file 8805b8874bf3f72510474643d7fd5a4fda19423ce829413831f40bdaf3634785_object_0000003C.bin__T_____u__B____________j_____j___P_______-B_______k___B
WARNING Wanted to read 4096, got 1840
If no printable characters are found within the filename, should the name/path of the file be set to some default value rather than attempting to read the characters out of the stream?
A sample to reproduce this activity -> https://drive.google.com/open?id=1B1D1g2CssY5dbBZ7ci3DqQ0-lvaef_Lk
password: oletools
The filename and path probably make some sense if decoded with the proper encoding. However, I do not see how to find out that encoding, so I created the function guess_encoding which tries the most "common" encodings (at least for the samples I have seen).
Anybody know how to find out what encoding to use here? What language had the office version creating this sample?
If it helps I'm pasting a link to download the RTF that this sample was extracted from.
https://drive.google.com/open?id=1CREphHyHmHh1jftSwlrf7mHcb2pLKf1z
password: oletools
This appears to be a programmatically created sample so it would not surprise me if language data was not included.
That rtf looks like a minimal wrapper around the data it embeds, so I am afraid that does not help me much. Thanks anyway.
On a side note: even the great file(2) utility cannot properly parse the sample ("Composite Document File V2 Document, Cannot read section info"). Since the sample was programmatically produced, maybe my initial assumption was wrong and the file name makes no sense in any encoding. Could have been filled with random junk just to make our life harder?
I have found this same issue in an xlsx file...
oleobj 0.56.1 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
-------------------------------------------------------------------------------
File: '58add35c8a26f31e0f8871e99f8cfc3c1df560ff55e902d03a7251cb0085922f.xlsx'
INFO file could be an OOXML file, looking for relationships with external links
DEBUG working on file by name
INFO is zip file: 58add35c8a26f31e0f8871e99f8cfc3c1df560ff55e902d03a7251cb0085922f.xlsx
DEBUG unzip skip: xl/printerSettings/printerSettings1.bin
DEBUG unzip skip: xl/drawings/vmlDrawing1.vml
INFO unzipping ole: xl/embeddings/Nek.rrP3
DEBUG Checking stream '\x01olE10NAtiVE'
extract file embedded in OLE object from stream '\x01olE10NAtiVE':
Parsing OLE Package
DEBUG OLE native data size = 0673F9B2 (108263858 bytes)
DEBUG decoded using latin1: "+�Kõë¾ÃBºÿ÷Ö��
¾¹÷Ï��æöofg�>Qÿ×èãc"ê�ÿàöBãlõ�æB"
DEBUG decoded using latin1: "bJ�ÏE�Dc·▒ «p�ëüKÖ�=`
Y'Ä)
�T±ò;_ ¯oIUCÇ'w�\ç(v¥^�%³��¬ Ë?ð~ £`�È<¢�MË9eQ»Oi1É>�6vcÃÔÄ�(P×��¤J0=«§ÖhÝEI5Ùª'nô fÿºÖð©LAû¥£ê»dW�ý¢òã_wyñ�ÂÓá:¼!�ø|Á^Ý \ZmH@!ÿ�����é"
n�ºrívDqÙ5#Æ�\PªHúUP¸à2¬Î-éÏ#àõ*qún£x�C¦¦LE"(ó"ú1ÀðüK�Â'dL'�Rks�ÄÈgXʳ¯=Ë
bóÔ�õTt�ï���$. _g
c¢=Bã�uhÈ��ðåd]n�"0¤�}�÷Þ�
Filename = "+�Kõë¾ÃBºÿ÷Ö��
¾¹÷Ï��æöofg�>Qÿ×èãc"ê�ÿàöBãlõ�æB"
Source path = "bJ�ÏE�Dc·▒ «p�ëüKÖ�=`
Y'Ä)
�T±ò;_ ¯oIUCÇ'w�\ç(v¥^�%³��¬ Ë?ð~ £`�È<¢�MË9eQ»Oi1É>�6vcÃÔÄ�(P×��¤J0=«§ÖhÝEI5Ùª'nô fÿºÖð©LAû¥£ê»dW�ý¢òã_wyñ�ÂÓá:¼!�ø|Á^Ý \ZmH@!ÿ�����é"
n�ºrívDqÙ5#Æ�\PªHúUP¸à2¬Î-éÏ#àõ*qún£x�C¦¦LE"�ÄÈgXʳ¯=Ë
bóÔ�õTt�ï���$. _g
c¢=Bã�uhÈ��ðåd]n�"0¤�}�÷Þ�
saving to file 58add35c8a26f31e0f8871e99f8cfc3c1df560ff55e902d03a7251cb0085922f.xlsx___K_______B________________ofg__Q______c________B_l___B
WARNING Wanted to read 4096, got 2088
DEBUG Checking stream 'ayF17t1E0uF0ZmCpTPgWA8GkrEhWUe'
------------------------------------------------------------------------------------------------------
If I extract this embedded file manually, oledir:
oledir 0.54 - http://decalage.info/python/oletools
OLE directory entries in file Nek.rrP3:
----+------+-------+----------------------+-----+-----+-----+--------+------
id |Status|Type |Name |Left |Right|Child|1st Sect|Size
----+------+-------+----------------------+-----+-----+-----+--------+------
0 |<Used>|Root |Root Entry |- |- |1 |FFFFFFFE|0
1 |<Used>|Stream |ayF17t1E0uF0ZmCpTPgWA8|2 |- |- |FFFFFFFE|0
| | |GkrEhWUe | | | | |
2 |<Used>|Stream |\x01olE10NAtiVE |- |- |- |11 |887284
3 |unused|Empty | |- |- |- |0 |0
----+----------------------------+------+--------------------------------------
id |Name |Size |CLSID
----+----------------------------+------+--------------------------------------
0 |Root Entry |- |0002CE02-0000-0000-C000-000000000046
| | |Microsoft Equation 3.0 (Known Related
| | |to CVE-2017-11882 or CVE-2018-0802)
2 |\x01olE10NAtiVE |887284|
1 |ayF17t1E0uF0ZmCpTPgWA8GkrEhW|0 |
|Ue | |
Sample in https://app.any.run/tasks/6111471a-ff32-45c1-954a-180b56a53beb/
Thanks!
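As an added illustration of the checks discussed in this thread (the question about falling back to a default name when the extracted filename contains no printable characters, the guess_encoding idea of trying a few common encodings, and the declared native data size of 108263858 bytes against an 887284-byte stream in the xlsx case), the following Python 3 script is example code and not part of oletools. It assumes only the leading Ole10Native fields that oleobj prints (a 32-bit size, a 16-bit type field, then NUL-terminated 8-bit label and source path); the later fields (temp path, embedded data) are not parsed. The candidate encoding list, the type value 2 for embedded objects, the default name and the sample byte strings are all assumptions made here.

```python
import struct

# Hypothetical helper, not oleobj's own code. Parses only the leading fields
# of an '\x01Ole10Native' (OLE Package) stream: a 32-bit size, a 16-bit type
# field, and two NUL-terminated 8-bit strings (label and source path).

DEFAULT_NAME = "embedded_object.bin"       # assumed fallback name
# Assumed candidate list, in the spirit of the guess_encoding() mentioned in
# the thread; the list actually used there is not shown on the page.
CANDIDATE_ENCODINGS = ("utf-8", "cp1252", "latin-1")
TYPE_EMBEDDED = 2                          # assumption: value seen in embedded Package objects


def read_asciiz(buf, pos):
    """Return (bytes, next_pos) for a NUL-terminated string starting at pos."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise ValueError("unterminated string at offset %d" % pos)
    return buf[pos:end], end + 1


def parse_package_header(stream):
    """Parse size, type, label and source path from an Ole10Native stream."""
    if len(stream) < 6:
        raise ValueError("stream too short for an Ole10Native header")
    native_size, obj_type = struct.unpack_from("<IH", stream, 0)
    label, pos = read_asciiz(stream, 6)
    src_path, pos = read_asciiz(stream, pos)
    return {
        "native_data_size": native_size,
        "type": obj_type,
        "label": label,
        "src_path": src_path,
        "next_offset": pos,   # where the remaining (unparsed) fields start
    }


def decode_name(raw):
    """Try each candidate encoding; accept the first fully printable result.

    Bytes 0x00-0x1F and 0x7F are control characters in every candidate
    encoding, and 0x80-0x9F are C1 controls in latin-1, so random junk of
    any length almost always fails the 'no control characters' test while a
    name with ordinary non-ASCII letters passes without knowing its encoding.
    """
    if not raw:
        return None
    for enc in CANDIDATE_ENCODINGS:
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            return text
    return None


def safe_filename(raw, default=DEFAULT_NAME):
    """Decoded basename with unsafe characters replaced, or default if junk."""
    text = decode_name(raw)
    if text is None:
        return default
    base = text.replace("\\", "/").rsplit("/", 1)[-1]   # drop any directory part
    cleaned = "".join(c if (c.isalnum() or c in "._-") else "_" for c in base)
    if not cleaned.strip("._-"):        # empty, '.', '..' and the like
        return default
    return cleaned[:255]


def header_problems(stream, hdr):
    """Reasons to distrust the header; an empty list means it looks sane."""
    problems = []
    if hdr["type"] != TYPE_EMBEDDED:
        problems.append("unexpected type field 0x%04X" % hdr["type"])
    if hdr["native_data_size"] > len(stream) - 4:
        problems.append("declared size %d exceeds %d bytes available"
                        % (hdr["native_data_size"], len(stream) - 4))
    if decode_name(hdr["label"]) is None:
        problems.append("label is not printable in any candidate encoding")
    if decode_name(hdr["src_path"]) is None:
        problems.append("source path is not printable in any candidate encoding")
    return problems


def build_stream(label, src_path, native_size=None):
    """Constructed test input: a minimal Ole10Native-style header."""
    body = struct.pack("<H", TYPE_EMBEDDED) + label + b"\x00" + src_path + b"\x00"
    if native_size is None:
        native_size = len(body)
    return struct.pack("<I", native_size) + body


# Constructed samples (not the samples from the thread).
GOOD_STREAM = build_stream(b"script.vbs", b"C:\\Users\\user\\script.vbs")
JUNK_STREAM = build_stream(b"T\xe6\x01k\nB\"\x9f\xba\xff\xf7\xd0\x1b",
                           b"\xf89|S\xa5\x05\xd9\x9d.",
                           native_size=0x0673F9B2)

if __name__ == "__main__":
    for name, stream in (("good", GOOD_STREAM), ("junk", JUNK_STREAM)):
        hdr = parse_package_header(stream)
        print(name, "->", safe_filename(hdr["label"]), header_problems(stream, hdr))
```

The size check alone would have flagged the xlsx sample (a declared 108263858 bytes cannot fit in an 887284-byte stream), and the printable-name check gives a defined answer to the question of what to save the file as: a sanitized basename when one can be decoded, otherwise a fixed default, with the raw bytes still available in the parsed header for anyone who wants to keep guessing at the encoding.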
OK, I'm re-posting the original samples from above here, just in case they are removed from Google Drive: 8805b8874bf3f72510474643d7fd5a4fda19423ce829413831f40bdaf3634785.rtf.zip (password oletools)