oletools
oleobj/oleid: distinguish legitimate hyperlinks from suspicious ones
For now, oleobj reports all hyperlinks the same way, and oleid reports them as high risk, even when they are legitimate hyperlinks in Excel or Word documents. It would at least be possible to flag some kinds of URLs as suspicious, for example:
- URLs starting with `file:///` are used to download malware from Excel files: https://twitter.com/Unit42_Intel/status/1770461681145061378 - but these might look similar to URLs pointing to an internal SMB/CIFS server
- URLs containing `!`, such as the ones used to exploit CVE-2021-40444
- URLs not starting with `http`
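As an added illustration of the three heuristics listed above (not oletools code, and not something oleobj or oleid currently implements), the following Python triage function assigns a risk level to each extracted hyperlink. The `low`/`medium`/`high` levels, the `INTERNAL_HOSTS` allowlist that distinguishes an internal SMB/CIFS share from an unknown `file:///` target, and the sample links are all assumptions constructed for the example.

```python
"""Heuristic triage of hyperlinks extracted from Office documents.

Illustrative code for the issue above, not part of oletools. The risk
levels and the internal-host list are assumptions, not oletools behaviour.
"""
import re
from urllib.parse import urlparse

# Hosts the defender has decided are internal SMB/CIFS servers, so a
# file:/// link to them is expected rather than a remote payload fetch.
# Constructed placeholder values; in practice this comes from your inventory.
INTERNAL_HOSTS = {"fileserver.corp.example", "10.0.0.5"}

_RANK = {"low": 0, "medium": 1, "high": 2}


def _file_url_host(url):
    """Host portion of a file:/// URL, tolerating '/' or '\\' separators.

    'file:///\\\\host\\share\\x.dll' and 'file:////host/share/x.dll' both
    yield 'host'; a local path such as 'file:///C:/x' yields 'c:'.
    """
    rest = url[len("file:///"):].replace("\\", "/").lstrip("/")
    return rest.split("/", 1)[0].lower()


def classify_hyperlink(url):
    """Return (risk, reasons) for one hyperlink string.

    Heuristics follow the issue text: file:/// targets, '!' in the URL and
    non-http(s) schemes are flagged; everything else is 'low'.
    """
    reasons = []
    risk = "low"
    u = url.strip()
    scheme = urlparse(u).scheme.lower()

    def raise_to(level, why):
        nonlocal risk
        reasons.append(why)
        if _RANK[level] > _RANK[risk]:
            risk = level

    if u.lower().startswith("file:///"):
        host = _file_url_host(u)
        if host in INTERNAL_HOSTS:
            raise_to("medium", "file:/// link to known internal host %s" % host)
        elif re.fullmatch(r"[a-z]:", host):
            raise_to("medium", "file:/// link to a local drive path")
        else:
            raise_to("high", "file:/// link to external/unknown host %r" % host)
    elif scheme not in ("http", "https"):
        # Covers mailto:, UNC paths without a scheme, bare drive letters, etc.
        raise_to("medium", "scheme %r is not http/https" % scheme)

    if "!" in u:
        raise_to("high", "'!' in URL (pattern abused in CVE-2021-40444)")

    return risk, reasons


def triage(urls):
    """Classify every URL and return (url, risk, reasons) rows, highest risk first."""
    rows = [(u,) + classify_hyperlink(u) for u in urls]
    return sorted(rows, key=lambda r: -_RANK[r[1]])


# Constructed sample hyperlinks for demonstration (not from any real document).
SAMPLE_LINKS = [
    "https://www.example.com/report.pdf",
    "file:///\\\\fileserver.corp.example\\shared\\budget.xlsx",
    "file:///\\\\198.51.100.7\\public\\update.dll",
    "https://cdn.example.invalid/a!b",
    "mailto:finance@example.com",
    "\\\\server\\share\\doc.docx",
]

if __name__ == "__main__":
    for url, risk, reasons in triage(SAMPLE_LINKS):
        print("%-6s %s" % (risk, url))
        for why in reasons:
            print("        - " + why)
```

The `INTERNAL_HOSTS` lookup is what keeps a `file:///` link to a known share at `medium` instead of `high`, which addresses the SMB/CIFS caveat in the first bullet; without such an allowlist the `file:///` check alone cannot tell the two apart. A `!` in a URL is not proof of CVE-2021-40444 abuse (some legitimate URLs contain it), so the reason string is recorded for an analyst rather than treated as a verdict.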