rtfobj/oleid: Equation Editor objects not detected #858

decalage2 · 2024-05-23T15:45:48Z

RTF files mentioned in this article contain OLE objects with an equation editor exploit: https://x.com/_CPResearch_/status/1793642302839431502 / https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/

Docx (with remote template pointing to RTF)

57b64a1ef1b04819ca9473e1bb74e1cf4be76b89b144e030dc1ef48f446ff95b

2faf9615227728b2e7b9cfc548d4210452adc08b3ec500c1b46f2e04fa165816

0373ef0a7874bd8506dc64dd82ef2c6d7661a3250c8a9bb8cb8cb75a7330c1d2

bff674439ea8333b227f6d05caa05b2e3fe592825abd63272d4f1e4c2dfa88ea

362b9f497fce52a3f14ad9de2a027d974cc810473c929fed7c37526d2f13f83a

RTF (with equation editor exploit and OLE package with DLL)

180f5a0f9210698b54dcafb9a230b12e3eaf199889e5377a2acb7124c2d48d69

c1e403dd787f197f928960c723866424e343789a0422dbe8c98ed2214500d151

ff35cfed656c0cac5571beae7170a2fec007e75417c1d0c4fd7af4185759ec38

9885b220b9654ac4743fe907e67da38d723fee2abf2dcd5944aa3a00c4a59c31

708722bafe35a9fdc94ac33b1970776c464f1bb4e9c2ea1c1dba3a9e1ba03ab3

9885b220b9654ac4743fe907e67da38d723fee2abf2dcd5944aa3a00c4a59c31

Several issues to be addressed:

Equation editor exploit are not detected as such. The keyword "equation" in the class name should be a red flag.
the OLE class name is not properly reported, i.e. it should be b'Equation.2' instead of b'Equation.2\x00\x124Vx\x90\x124VxvT2' (split when a null byte is found)
OLE package objects are not detected as DLL/EXE. ftguess should be used to detect executable files, in addition to checking the file extension.
some objects are not properly parsed.
oleid does not report RTF issues

rtfobj output:

rtfobj 0.60.1 on Python 3.11.6 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

===============================================================================
File: '180f5a0f9210698b54dcafb9a230b12e3eaf199889e5377a2acb7124c2d48d69.rtf' - size: 283670 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object                                                     
---+----------+---------------------------------------------------------------
0  |00002B42h |format_id: 2 (Embedded)                                        
   |          |class name: b'PACKage'                                         
   |          |data size: 125952                                              
   |          |OLE Package object:                                            
   |          |Filename: '\x11à¡±\x1aá'                                       
   |          |Source path: ''                                                
   |          |Temp path = ''                                                 
   |          |MD5 = 'd41d8cd98f00b204e9800998ecf8427e'                       
   |          |File Type: Unknown file type                                   
---+----------+---------------------------------------------------------------
1  |000408A3h |format_id: 2 (Embedded)                                        
   |          |class name: b'Equation.2\x00\x124Vx\x90\x124VxvT2'             
   |          |data size: 8485                                                
   |          |MD5 = 'a0027a66a9081e01907b1fd91ac8613f'                       
---+----------+---------------------------------------------------------------
2  |00040889h |Not a well-formed OLE object                                   
---+----------+---------------------------------------------------------------
===============================================================================
File: '9885b220b9654ac4743fe907e67da38d723fee2abf2dcd5944aa3a00c4a59c31.rtf' - size: 707473 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object                                                     
---+----------+---------------------------------------------------------------
0  |0000A3F3h |format_id: 2 (Embedded)                                        
   |          |class name: b'PACKage'                                         
   |          |data size: 325120                                              
   |          |OLE Package object:                                            
   |          |Filename: '\x11à¡±\x1aá'                                       
   |          |Source path: ''                                                
   |          |Temp path = ''                                                 
   |          |MD5 = 'd41d8cd98f00b204e9800998ecf8427e'                       
   |          |File Type: Unknown file type                                   
---+----------+---------------------------------------------------------------
1  |000A9554h |format_id: 2 (Embedded)                                        
   |          |class name: b'Equation.2\x00\x124Vx\x90\x124VxvT2'             
   |          |data size: 5775                                                
   |          |MD5 = '965783e01d6b29e74528f5c3717e553d'                       
---+----------+---------------------------------------------------------------
2  |000A953Ah |Not a well-formed OLE object                                   
---+----------+---------------------------------------------------------------
===============================================================================
File: 'c1e403dd787f197f928960c723866424e343789a0422dbe8c98ed2214500d151.rtf' - size: 537175 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object                                                     
---+----------+---------------------------------------------------------------
0  |00005983h |format_id: 2 (Embedded)                                        
   |          |class name: b'PACKage'                                         
   |          |data size: 246784                                              
   |          |OLE Package object:                                            
   |          |Filename: '\x11à¡±\x1aá'                                       
   |          |Source path: ''                                                
   |          |Temp path = ''                                                 
   |          |MD5 = 'd41d8cd98f00b204e9800998ecf8427e'                       
   |          |File Type: Unknown file type                                   
---+----------+---------------------------------------------------------------
1  |0007E6E4h |format_id: 2 (Embedded)                                        
   |          |class name: b'Equation.2\x00\x124Vx\x90\x124VxvT2'             
   |          |data size: 8485                                                
   |          |MD5 = '993a0f4852cdca46e9e0ed693c7b3e9a'                       
---+----------+---------------------------------------------------------------
2  |0007E6CAh |Not a well-formed OLE object                                   
---+----------+---------------------------------------------------------------
===============================================================================
File: 'ff35cfed656c0cac5571beae7170a2fec007e75417c1d0c4fd7af4185759ec38.rtf' - size: 1654404 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object                                                     
---+----------+---------------------------------------------------------------
0  |0000CD46h |format_id: 2 (Embedded)                                        
   |          |class name: b'Word.Document.12'                                
   |          |data size: 85504                                               
   |          |MD5 = 'ffd84fa2448bb30bb8324d3f2a7c4fdd'                       
   |          |CLSID: F4754C9B-64F5-4B40-8AF4-679732AC0607                    
   |          |Microsoft Word Document (Word.Document.12)                     
---+----------+---------------------------------------------------------------
1  |000F0EE6h |format_id: 2 (Embedded)                                        
   |          |class name: b'PACKage'                                         
   |          |data size: 326144                                              
   |          |OLE Package object:                                            
   |          |Filename: '\x11à¡±\x1aá'                                       
   |          |Source path: ''                                                
   |          |Temp path = ''                                                 
   |          |MD5 = 'd41d8cd98f00b204e9800998ecf8427e'                       
   |          |File Type: Unknown file type                                   
---+----------+---------------------------------------------------------------
2  |00190847h |format_id: 2 (Embedded)                                        
   |          |class name: b'Equation.2\x00\x124Vx\x90\x124VxvT2'             
   |          |data size: 5775                                                
   |          |MD5 = 'df51041f0410fcb95955c0e9788e841f'                       
---+----------+---------------------------------------------------------------
3  |0019082Dh |Not a well-formed OLE object                                   
---+----------+---------------------------------------------------------------

The text was updated successfully, but these errors were encountered:

decalage2 self-assigned this May 23, 2024

decalage2 added 🐛 bug rtfobj oleid labels May 23, 2024

decalage2 added this to the Next Release milestone May 23, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

rtfobj/oleid: Equation Editor objects not detected #858

rtfobj/oleid: Equation Editor objects not detected #858

decalage2 commented May 23, 2024

rtfobj/oleid: Equation Editor objects not detected #858

rtfobj/oleid: Equation Editor objects not detected #858

Comments

decalage2 commented May 23, 2024