oletools
Find ms-msdt: links
ms-msdt links are currently being exploited. Should not be too hard to find them, I am investigating the possibility to extend msodde to do that (generalizing it to a more general link-finder to include other link types that surely will pop up in the future...)
From what I've seen in Follina samples, those links are used from a remote OLE object, so we can find the URL using oleobj (as an external link) or rtfobj (as an OLE2Link object). But I'm not sure the ms-msdt URL appears in the Word/RTF documents themselves, I think it's in the HTML file loaded from the Word/RTF. In Word/RTF documents, there is only a normal-looking URL with an exclamation mark. But I need to dig deeper.
You are right. The ms-msdt links are always in content downloaded through external relationships. And yes, there is a function find_external_relationships in oleobj. I would not have expected it there, therefore did not look there. Thanks a lot for the hint.
Then, instead of extending msodde to a general "link-finder", I will simply make oleobj compatible with our framework (meaning: create json output) and include that in our pipeline
So, in essence, we will not even look for ms-msdt links, but check whether the document we analyze downloads anything from the web. I prefer that approach
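The check discussed in the thread, as an added example that is not oletools code and is independent of oleobj's own `find_external_relationships`: walk every `.rels` part of an OOXML container, list relationships with `TargetMode="External"`, and flag the ones whose relationship type makes Word fetch the target when the document is opened (the case the Follina samples use). The sample docx is constructed inline; the relationship type set in `flag_remote_loads` and the `example.invalid` target are assumptions.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_external_relationships(data):
    """Return (part, short relationship type, target) for every relationship
    with TargetMode="External" in an OOXML (docx/xlsx/pptx) zip given as bytes."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                rel_type = posixpath.basename(rel.get("Type", ""))
                found.append((name, rel_type, rel.get("Target", "")))
    return found


def flag_remote_loads(rels):
    """Keep only relationships that cause a fetch on open (assumed set), not
    plain hyperlinks, which only fire on click."""
    auto = {"oleObject", "frame", "attachedTemplate", "subDocument"}
    return [r for r in rels
            if r[1] in auto and r[2].lower().startswith(("http://", "https://"))]


def build_sample_docx():
    """Constructed minimal docx: one remote OLE object link plus one ordinary
    hyperlink. Not a real sample; the target host is a placeholder."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/oleObject" '
            'Target="http://example.invalid/loaded.html!" TargetMode="External"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/hyperlink" '
            'Target="https://example.org/" TargetMode="External"/>'
            '</Relationships>' % REL_NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rel_type, target in flag_remote_loads(
            find_external_relationships(build_sample_docx())):
        print("remote load on open: %s -> %s (%s)" % (rel_type, target, part))
```

The ms-msdt URL itself lives in the HTML fetched from the flagged target, so the trailing "!" on the OLE target is the only hint inside the document; the point of the check is that any remote load on open is worth a look, whatever scheme the fetched content turns out to use.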