oletools
oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
**Affected tool:** Olevba **Describe the bug** When I run Olevba on the "File.pptx" file (inside File.zip, password "infected"), the result output contains the analysis of the macros of the files...
See this article: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html Sample: https://bazaar.abuse.ch/sample/f007020c74daa0645b181b7b604181613b68d195bd585afd71c3cd5160fb8fc4/ Example: + also update oleid to report it.
This AgentTesla sample is not parsed properly by rtfobj: https://twitter.com/ForensicITGuy/status/1490528788308021262 https://forensicitguy.github.io/agenttesla-rtf-dotnet-tradecraft/ Sample: https://bazaar.abuse.ch/sample/213d36f7d37abac0df9187e6ce3ed8e26bc61bd3e02a725b079be90d7cfd5117/
The current oletools description in the readme and documentation only mentions OLE files, but oletools are also able to analyse other MS Office formats and RTF.
See https://twitter.com/VessOnSecurity/status/1489235792832704519 PoC from @bontchev: http://bontchev.my.contact.bg/poc.rtf The remote template URL is in a `\template` control word: ![image](https://user-images.githubusercontent.com/5989656/152428203-fbd45e4f-5827-45cf-b6f7-767b7b19d6d6.png)
See https://github.com/file/file/blob/master/magic/Magdir/ole2compounddocs
See https://twitter.com/NirYeho/status/1198938529725865984 ![image](https://user-images.githubusercontent.com/5989656/69705410-c9639500-10f5-11ea-8fdd-6cceefa4a5e5.png) ![image](https://user-images.githubusercontent.com/5989656/69705429-d7191a80-10f5-11ea-9d0a-61e91a115512.png)
See this sample: https://labs.inquest.net/dfi/sha256/9404cbeacd30e170fe03bfdeb54663cb1439ccf73309e172e11349aa64fdbd00 Potential keywords (can be obfuscated):

- amsi
- AmsiUacInitialize
- "4C8BDC49895B08"
- "4883EC384533DB"
- "8B450C85" & "C0745A85DB"
- "8B550C85D" & "27434837D"