oletools
RTFObj doesn't work on RTFs containing OLE2LNK objects
Affected tool: rtfobj
Describe the bug: When using rtfobj against an RTF that contains an OLE2LNK object, the current logic tries to run a string-based regex against a bytearray. This can be fixed by modifying the following line from:
found_list = re.findall(r'[a-fA-F0-9\x0D\x0A]{128,}',data)
to:
found_list = re.findall(b'[a-fA-F0-9\x0D\x0A]{128,}',data)
File/Malware sample to reproduce the bug: https://hybrid-analysis.com/sample/86a135e72278c93cb33c4752c4b7485399aeca72f51d1b03bede62136daf618d
How To Reproduce the bug: rtfobj.exe foo.mlwr
Expected behavior: It should print a summary of the objects in the file.
Console output / Screenshots:
λ rtfobj.exe 86a135e72278c93cb33c4752c4b7485399aeca72f51d1b03bede62136daf618d.MLWR
rtfobj 0.60 on Python 3.6.8 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
===============================================================================
File: '86a135e72278c93cb33c4752c4b7485399aeca72f51d1b03bede62136daf618d.MLWR' - size: 5758 bytes
---+----------+---------------------------------------------------------------
id |index |OLE Object
---+----------+---------------------------------------------------------------
Traceback (most recent call last):
File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\runpy.py", line 193, in _run_module_as_main
"__main__", mod_spec)
File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\runpy.py", line 85, in _run_code
exec(code, run_globals)
File "C:\Users\malware\AppData\Local\Programs\Python\Python36\Scripts\rtfobj.exe\__main__.py", line 7, in <module>
File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\site-packages\oletools\rtfobj.py", line 1081, in main
save_object=options.save_object)
File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\site-packages\oletools\rtfobj.py", line 927, in process_file
found_list = re.findall(r'[a-fA-F0-9\x0D\x0A]{128,}',data)
File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\re.py", line 222, in findall
return _compile(pattern, flags).findall(string)
TypeError: cannot use a string pattern on a bytes-like object
Version information:
- OS: Windows 10
- OS version: x64
- Python version: 3.6.8
- oletools version: 0.60
Good catch, thanks!
I believe this is a duplicate issue of #538, for which there is a waiting pull request at #566. I'll try looking into updating that PR for the current version of rtfobj.
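The TypeError reported in the issue above can be reproduced and checked offline with the following added example, which is not code from oletools or from either commenter. It applies the same character class as a bytes pattern and decodes each hex run it finds; the function names and the sample data are constructed for illustration.

```python
import binascii
import re

# The pattern exactly as it appears in the traceback (a str pattern).
STR_PATTERN = r'[a-fA-F0-9\x0D\x0A]{128,}'
# Same character class compiled as bytes, so it can be applied to file
# contents read in binary mode.
HEX_RUN = re.compile(b'[a-fA-F0-9\x0D\x0A]{128,}')


def str_pattern_fails(data):
    """Return True if the str pattern raises TypeError on this input."""
    try:
        re.findall(STR_PATTERN, data)
    except TypeError:
        return True
    return False


def find_hex_blobs(data):
    """Return the decoded bytes of every long hex run found in `data`."""
    blobs = []
    for run in HEX_RUN.findall(data):
        # CR and LF are allowed inside a run but are not hex digits.
        digits = run.replace(b'\r', b'').replace(b'\n', b'')
        if len(digits) % 2:      # odd digit count: drop the trailing nibble
            digits = digits[:-1]
        if digits:               # a run made only of line breaks decodes to nothing
            blobs.append(binascii.unhexlify(digits))
    return blobs


# Constructed sample: an RTF-like wrapper around 200 hex digits split by CRLF.
PAYLOAD = bytes(range(100))
HEX = binascii.hexlify(PAYLOAD)
SAMPLE = b'{\\rtf1{\\object\\objdata ' + HEX[:90] + b'\r\n' + HEX[90:] + b'}}'

if __name__ == '__main__':
    print('str pattern raises TypeError:', str_pattern_fails(SAMPLE))
    for blob in find_hex_blobs(SAMPLE):
        print(len(blob), 'bytes decoded')
```
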