
RTFObj doesn't work on RTFs containing OLE2LNK objects

Open tlansec opened this issue 2 years ago • 2 comments

Affected tool: rtfobj

Describe the bug: When using rtfobj against an RTF that contains an OLE2LNK object, the current logic tries to run a string-based regex against a bytearray. This can be fixed by modifying the following line from:

found_list = re.findall(r'[a-fA-F0-9\x0D\x0A]{128,}',data)

to:

found_list = re.findall(b'[a-fA-F0-9\x0D\x0A]{128,}',data)

File/Malware sample to reproduce the bug: https://hybrid-analysis.com/sample/86a135e72278c93cb33c4752c4b7485399aeca72f51d1b03bede62136daf618d

How To Reproduce the bug: rtfobj.exe foo.mlwr

Expected behavior: It should print a summary of the objects in the file.

Console output / Screenshots:

λ rtfobj.exe 86a135e72278c93cb33c4752c4b7485399aeca72f51d1b03bede62136daf618d.MLWR
rtfobj 0.60 on Python 3.6.8 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

===============================================================================
File: '86a135e72278c93cb33c4752c4b7485399aeca72f51d1b03bede62136daf618d.MLWR' - size: 5758 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object
---+----------+---------------------------------------------------------------
Traceback (most recent call last):
  File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "C:\Users\malware\AppData\Local\Programs\Python\Python36\Scripts\rtfobj.exe\__main__.py", line 7, in <module>
  File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\site-packages\oletools\rtfobj.py", line 1081, in main
    save_object=options.save_object)
  File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\site-packages\oletools\rtfobj.py", line 927, in process_file
    found_list =  re.findall(r'[a-fA-F0-9\x0D\x0A]{128,}',data)
  File "C:\Users\malware\AppData\Local\Programs\Python\Python36\lib\re.py", line 222, in findall
    return _compile(pattern, flags).findall(string)
TypeError: cannot use a string pattern on a bytes-like object

Version information:

  • OS: Windows 10
  • OS version: x64
  • Python version: 3.6.8
  • oletools version: 0.60

tlansec avatar Sep 09 '21 10:09 tlansec
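
The failure and the fix described in the issue above, as an added example that is not part of the original post or of the oletools code base: it reproduces the TypeError on a constructed byte string, then scans the same bytes with a bytes pattern and decodes the hex run. The names `str_pattern_fails` and `find_hex_blobs` and the sample data are hypothetical, made up for this example.

```python
import binascii
import re

# Same character class as the line quoted in the issue, as a bytes pattern so it
# can be applied to raw file content read in binary mode.
HEX_RUN = re.compile(rb'[a-fA-F0-9\x0D\x0A]{128,}')


def str_pattern_fails(data: bytes) -> bool:
    """Reproduce the reported crash: a str pattern cannot scan bytes on Python 3."""
    try:
        re.findall(r'[a-fA-F0-9\x0D\x0A]{128,}', data)
    except TypeError:
        return True
    return False


def find_hex_blobs(data: bytes) -> list:
    """Return (offset, decoded_bytes) for every long hex run in raw RTF bytes."""
    blobs = []
    for match in HEX_RUN.finditer(data):
        # RTF writers wrap hex data across lines; drop CR/LF before decoding.
        hex_text = match.group().replace(b'\r', b'').replace(b'\n', b'')
        if len(hex_text) % 2:
            # Odd digit count: drop the dangling nibble (a choice made for this example).
            hex_text = hex_text[:-1]
        blobs.append((match.start(), binascii.unhexlify(hex_text)))
    return blobs


# Constructed sample: a minimal RTF-like byte string with one run of 160 hex
# digits split across two lines. Not taken from the sample linked in the issue.
PAYLOAD = bytes(range(80))
hex_digits = binascii.hexlify(PAYLOAD)
SAMPLE = (b'{\\rtf1{\\object\\objdata '
          + hex_digits[:60] + b'\r\n' + hex_digits[60:] + b'}}')

if __name__ == '__main__':
    print('str pattern raises TypeError:', str_pattern_fails(SAMPLE))
    for offset, blob in find_hex_blobs(SAMPLE):
        print('hex run at offset %d decodes to %d bytes' % (offset, len(blob)))
```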

Good catch, thanks!

decalage2 avatar Sep 10 '21 09:09 decalage2

I believe this is a duplicate issue of #538, for which there is a waiting pull request at #566. I'll try looking into updating that PR for the current version of rtfobj.

BrianStadnicki avatar Dec 03 '21 18:12 BrianStadnicki