oletools
ftguess: file type not detected due to lack of root storage CLSID
An OLE file without root storage CLSID is not properly identified by ftguess, for example this sample: 167949ba90da85c8b56878d95be19c1a - https://app.any.run/tasks/b42b3dff-1ff9-49ac-96f6-df8e4d9927bd/#
ftguess.py khaosat_trieuchung.doc
ftguess 0.60.2dev3 on Python 3.9.0 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
File : khaosat_trieuchung.doc
File Type : Generic OLE/CFB file
Description: Generic OLE file / Compound File (unknown format)
Application: Unknown Application
Container : OLE
Root CLSID : - None
Content-type(s) :
PUID : None
It would be possible to enhance format detection by checking the presence of well-known stream names such as WordDocument for Word, and also the application name in document properties:
oledir khaosat_trieuchung.doc
oledir 0.54 - http://decalage.info/python/oletools
OLE directory entries in file khaosat_trieuchung.doc:
----+------+-------+----------------------+-----+-----+-----+--------+------
id |Status|Type |Name |Left |Right|Child|1st Sect|Size
----+------+-------+----------------------+-----+-----+-----+--------+------
0 |<Used>|Root |Root Entry |- |- |3 |34 |4928
1 |<Used>|Stream |1Table |- |5 |- |D |9645
2 |<Used>|Stream |WordDocument |1 |- |- |0 |6190
3 |<Used>|Stream |\x05SummaryInformation|2 |4 |- |20 |4096
4 |<Used>|Stream |\x05DocumentSummaryInf|- |- |- |28 |4096
| | |ormation | | | | |
5 |<Used>|Storage|Macros |- |- |12 |0 |0
6 |<Used>|Storage|VBA |- |- |7 |0 |0
7 |<Used>|Stream |ThisDocument |8 |9 |- |0 |954
8 |<Used>|Stream |NewMacros |10 |- |- |3D |10589
9 |<Used>|Stream |_VBA_PROJECT |- |- |- |F |2710
10 |<Used>|Stream |dir |- |- |- |3A |569
11 |<Used>|Stream |PROJECTwm |- |- |- |43 |71
12 |<Used>|Stream |PROJECT |6 |11 |- |45 |487
13 |ORPHAN|Stream |\x01CompObj |- |- |- |4D |114
14 |unused|Empty | |- |- |- |0 |0
15 |unused|Empty | |- |- |- |0 |0
----+----------------------------+------+--------------------------------------
id |Name |Size |CLSID
----+----------------------------+------+--------------------------------------
0 |Root Entry |- |
4 |\x05DocumentSummaryInformati|4096 |
|on | |
3 |\x05SummaryInformation |4096 |
1 |1Table |9645 |
5 |Macros |- |
12 | PROJECT |487 |
11 | PROJECTwm |71 |
6 | VBA |- |
8 | NewMacros |10589 |
7 | ThisDocument |954 |
9 | _VBA_PROJECT |2710 |
10 | dir |569 |
2 |WordDocument |6190 |
olemeta khaosat_trieuchung.doc
olemeta 0.54 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
===============================================================================
FILE: khaosat_trieuchung.doc
Properties from the SummaryInformation stream:
+---------------------+------------------------------+
|Property |Value |
+---------------------+------------------------------+
|codepage |1252 |
|title | |
|subject | |
|author |HANH-PC |
|keywords | |
|comments | |
|template |Normal |
|last_saved_by |hanhnm |
|revision_number |5 |
|total_edit_time |180 |
|create_time |2021-09-18 12:02:00 |
|last_saved_time |2021-09-28 17:09:00 |
|num_pages |2 |
|num_words |155 |
|num_chars |888 |
|creating_application |Microsoft Office Word |
|security |0 |
+---------------------+------------------------------+
Properties from the DocumentSummaryInformation stream:
+---------------------+------------------------------+
|Property |Value |
+---------------------+------------------------------+
|codepage_doc |1252 |
|lines |7 |
|paragraphs |2 |
|scale_crop |False |
|company | |
|links_dirty |False |
|chars_with_spaces |1041 |
|shared_doc |False |
|hlinks_changed |False |
|version |983040 |
+---------------------+------------------------------+
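An added example (not part of the original issue and not oletools code) of the fallback the issue proposes: when the root CLSID is empty, guess the application from well-known top-level stream names first and from the creating_application property second. The names guess_ole_type, MARKER_STREAMS and SAMPLE_ENTRIES are hypothetical; the sample paths are transcribed from the oledir listing above.

```python
# Added example: fallback type guess for an OLE file whose root CLSID is empty.
# guess_ole_type and MARKER_STREAMS are hypothetical names, not ftguess code.

# Top-level stream name (lowercased; OLE names compare case-insensitively)
# -> application, per the Office binary file formats.
MARKER_STREAMS = {
    "worddocument": "Word",
    "workbook": "Excel",
    "book": "Excel",
    "powerpoint document": "PowerPoint",
}

# Stream paths transcribed from the oledir listing above (orphan entry omitted).
SAMPLE_ENTRIES = [
    ["1Table"], ["WordDocument"],
    ["\x05SummaryInformation"], ["\x05DocumentSummaryInformation"],
    ["Macros", "PROJECT"], ["Macros", "PROJECTwm"],
    ["Macros", "VBA", "NewMacros"], ["Macros", "VBA", "ThisDocument"],
    ["Macros", "VBA", "_VBA_PROJECT"], ["Macros", "VBA", "dir"],
]

def guess_ole_type(entries, creating_application=""):
    """entries: stream paths as lists of components (the shape returned by
    olefile's OleFileIO.listdir()); creating_application: olemeta value."""
    top = {path[0].lower() for path in entries if len(path) == 1}
    apps = sorted({app for name, app in MARKER_STREAMS.items() if name in top})
    # True when a _VBA_PROJECT stream exists anywhere in the directory tree.
    has_vba = any(path[-1].lower() == "_vba_project" for path in entries)
    meta = creating_application.lower()
    meta_app = next(
        (a for a in ("Word", "Excel", "PowerPoint") if a.lower() in meta), None)
    if len(apps) == 1:
        app, basis = apps[0], "stream"
    elif not apps and meta_app:
        # Weakest evidence: the property is free text set by whoever saved the file.
        app, basis = meta_app, "metadata"
    else:
        # Several marker streams at once, or no evidence at all: do not guess.
        app, basis = None, ("ambiguous" if apps else "none")
    return {"app": app, "basis": basis, "has_vba": has_vba,
            "metadata_agrees": meta_app == app if app and meta_app else None}

if __name__ == "__main__":
    print(guess_ole_type(SAMPLE_ENTRIES, "Microsoft Office Word"))
```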