Description
This sample contains an equation editor OLE object exploiting CVE-2017-11882, but rtfobj does not parse the OLE object correctly:
https://app.any.run/tasks/efd1ca98-11d2-4106-ad4b-6d17c6704398/
More info: https://medium.com/@Sebdraven/winnti-uses-the-rtf-exploit-8-t-too-targets-vietnam-13300d432272
Output:
rtfobj 0.55.dev3 on Python 2.7.16 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
===============================================================================
File: '152f95a5bdf549c5ca789d0dd99d635ee69cca6fe464ced5b39d0316707a4914' - size: 447210 bytes
---+----------+---------------------------------------------------------------
id |index |OLE Object
---+----------+---------------------------------------------------------------
0 |0000A172h |format_id: 2 (Embedded)
| |class name: 'Package'
| |data size: 159942
| |OLE Package object:
| |Filename: u'8.t'
| |Source path: u'F:\\\xca\xb5\xd1\xe9\xca\xd2\xcf\xee\xc4\xbf\\\x
| |b9\xe3\xce\xf7\\8.t'
| |Temp path = u'C:\\Users\\john\\AppData\\Local\\Temp\\8.t'
| |MD5 = '0d1e173be554f5ab83b0c6e7a1930e09'
---+----------+---------------------------------------------------------------
1 |00058D84h |Not a well-formed OLE object
---+----------+---------------------------------------------------------------
2 |00058D72h |Not a well-formed OLE object
---+----------+---------------------------------------------------------------
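To see why rtfobj reports "Not a well-formed OLE object" for an object that still carries an Equation Editor payload, it helps to walk the OLE 1.0 header (MS-OLEDS ObjectHeader: OLEVersion, FormatID, three length-prefixed ANSI strings, then NativeDataSize and NativeData for FormatID 2) by hand and fall back to carving when that walk fails. The script below is an added example, not rtfobj or any other oletools code: it is a deliberately simplified `\*\objdata` extractor plus an OLE 1.0 parser, run against a constructed two-object RTF (one well-formed Equation.3 wrapper, one with a bogus ClassName length). The CFB signature and the UTF-16LE "Equation Native" stream name are used only as indicators that an Equation object is present in the raw bytes; the fake CFB stub and all offsets are constructed for the example and are not from the 8.t sample. Python 3.

```python
import re
import struct

# Constructed constants for this example; none of the bytes below come from the 8.t sample in the issue.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
EQ_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")  # how a CFB directory entry stores the stream name
OLE1_LINKED, OLE1_EMBEDDED = 1, 2


def lp_ansi(s: bytes) -> bytes:
    """MS-OLEDS LengthPrefixedAnsiString: u32 length (incl. NUL) + bytes + NUL; empty string -> length 0."""
    return struct.pack("<I", len(s) + 1) + s + b"\x00" if s else struct.pack("<I", 0)


def build_ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """OLE 1.0 ObjectHeader with FormatID=2 (EmbeddedObject), followed by NativeDataSize and NativeData."""
    return (struct.pack("<II", 0x00000501, OLE1_EMBEDDED)
            + lp_ansi(class_name) + lp_ansi(b"") + lp_ansi(b"")
            + struct.pack("<I", len(native)) + native)


def parse_ole1(data: bytes):
    """Parse an OLE 1.0 object header; return None when it is not well-formed (the rtfobj failure case)."""
    try:
        version, format_id = struct.unpack_from("<II", data, 0)
        pos = 8
        if format_id not in (OLE1_LINKED, OLE1_EMBEDDED):
            return None
        names = []
        for _ in range(3):                       # ClassName, TopicName, ItemName
            (n,) = struct.unpack_from("<I", data, pos)
            pos += 4
            if n > len(data) - pos:              # declared length runs past the blob: malformed
                return None
            names.append(data[pos:pos + n].rstrip(b"\x00").decode("latin-1"))
            pos += n
        info = {"format_id": format_id, "class_name": names[0]}
        if format_id == OLE1_EMBEDDED:
            (size,) = struct.unpack_from("<I", data, pos)
            pos += 4
            if size > len(data) - pos:
                return None
            info["native"] = data[pos:pos + size]
        return info
    except struct.error:                         # ran out of bytes in the middle of a field
        return None


def iter_objdata(rtf: bytes):
    """Yield (offset, decoded bytes) for each \\*\\objdata group. Simplified: assumes plain hex up to '}'."""
    for m in re.finditer(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)\}", rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]               # tolerate an odd trailing nibble instead of failing
        yield m.start(1), bytes.fromhex(hexdata.decode("ascii"))


def triage(raw: bytes) -> dict:
    """Classify one objdata blob; if the OLE 1.0 header fails, carve for a CFB file and the stream name."""
    info = parse_ole1(raw)
    if info is not None:
        native = info.get("native", b"")
        return {"status": "ok", "class_name": info["class_name"],
                "cfb": native.startswith(CFB_MAGIC), "equation_native": EQ_NATIVE_UTF16 in native}
    cfb_at = raw.find(CFB_MAGIC)
    return {"status": "malformed", "cfb_offset": cfb_at if cfb_at >= 0 else None,
            "equation_native": EQ_NATIVE_UTF16 in raw}


def scan_rtf(rtf: bytes) -> list:
    """Triage every objdata blob in an RTF document, keeping the hex offset of each one."""
    return [dict(offset=off, **triage(raw)) for off, raw in iter_objdata(rtf)]


# Constructed sample RTF: a well-formed Equation.3 wrapper around a fake CFB stub, then a second object
# whose ClassName length is bogus, so a header-driven parser gives up even though a CFB signature and
# the "Equation Native" name are sitting right inside the blob.
FAKE_CFB = CFB_MAGIC + b"\x00" * 24 + EQ_NATIVE_UTF16 + b"\x00" * 8
GOOD_OBJ = build_ole1_embedded(b"Equation.3", FAKE_CFB)
BAD_OBJ = struct.pack("<II", 0x00000501, OLE1_EMBEDDED) + struct.pack("<I", 0xFFFFFFF0) + FAKE_CFB
SAMPLE_RTF = (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
              + GOOD_OBJ.hex().encode() + b"}}"
              b"{\\object\\objemb{\\*\\objdata " + BAD_OBJ.hex().encode() + b"}}}")

if __name__ == "__main__":
    for result in scan_rtf(SAMPLE_RTF):
        print(result)
```

On a real sample, replace `SAMPLE_RTF` with the file bytes; for an object that rtfobj flags as malformed, the `cfb_offset` tells you where to carve the compound file out of the raw objdata so it can be opened with olefile and its "Equation Native" stream inspected. The extractor here does not handle RTF obfuscation tricks (control words inside the hex, nested groups), which is exactly the area where rtfobj's own, more thorough RTF parsing matters.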