
"ms-msdt" RTF Maldoc Analysis: oledump Plugins

Published: 2022-06-06
Last Updated: 2022-06-06 13:59:59 UTC
by Didier Stevens (Version: 1)
0 comment(s)

In yesterday's diary, "Analysis Of An "ms-msdt" RTF Maldoc", I forgot to include the output of my oledump plugin, plugin_clsid.

This plugin does a brute-force search for all CLSIDs defined in oletools (it tries every known CLSID at every offset of the stream):

And thus you can see that the OLE stream contains a URL moniker.

I also started a new plugin, to parse these OLE data structures: plugin_olestreams (it's a work in progress).

Here is the output:

There is a lot of information in these streams.

To spot the URLs, you can grep the plugin output for the strings "url" and "item":
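To illustrate what the two plugins described above do (the brute-force CLSID search of plugin_clsid, and the moniker parsing that plugin_olestreams does to surface URLs), here is an added example in Python. It is not code from oledump or oletools: the CLSID table is a small constructed subset of the one oletools ships, the serialized layout of the URL and composite monikers is an assumption based on their documented on-disk format, and the sample stream (with its example.invalid URL) is constructed for this example, not taken from the maldoc.

```python
import struct
import uuid

# Constructed subset of the CLSID table; oletools ships a much longer list.
KNOWN_CLSIDS = {
    "79EAC9E0-BAF9-11CE-8C82-00AA004BA90B": "URL Moniker",
    "00000303-0000-0000-C000-000000000046": "File Moniker",
    "00000304-0000-0000-C000-000000000046": "Item Moniker",
    "00000309-0000-0000-C000-000000000046": "Composite Moniker",
}


def clsid_to_bytes(clsid):
    # On disk a GUID is stored with Data1/Data2/Data3 little-endian and Data4 verbatim.
    return uuid.UUID(clsid).bytes_le


def find_clsids(data):
    """Brute-force search: try every known CLSID at every offset, return (offset, clsid, name)."""
    hits = []
    for clsid, name in KNOWN_CLSIDS.items():
        needle = clsid_to_bytes(clsid)
        start = 0
        while True:
            pos = data.find(needle, start)
            if pos == -1:
                break
            hits.append((pos, clsid, name))
            start = pos + 1
    return sorted(hits)


def parse_url_moniker(data, offset):
    """Parse the serialized URL moniker whose CLSID starts at `offset`.

    Assumed layout: 16-byte CLSID, u32 byte length, then a null-terminated
    UTF-16LE URL of that length (the documented URLMoniker serialization).
    """
    pos = offset + 16
    (length,) = struct.unpack_from("<I", data, pos)
    pos += 4
    raw = data[pos:pos + length]
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def extract_urls(data):
    """Locate every URL moniker by CLSID and decode the URL that follows it."""
    return [parse_url_moniker(data, off)
            for off, _clsid, name in find_clsids(data) if name == "URL Moniker"]


def build_sample():
    """Constructed sample OLE stream: a composite moniker wrapping a URL moniker."""
    url = "http://example.invalid/payload.html"   # placeholder, not a real indicator
    encoded = url.encode("utf-16-le") + b"\x00\x00"
    return (b"\x00" * 8                                                   # header padding
            + clsid_to_bytes("00000309-0000-0000-C000-000000000046")      # composite moniker
            + b"\x02\x00\x00\x00"                                         # moniker count
            + clsid_to_bytes("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B")      # URL moniker
            + struct.pack("<I", len(encoded)) + encoded
            + b"\x00" * 8)


if __name__ == "__main__":
    sample = build_sample()
    for offset, clsid, name in find_clsids(sample):
        print(f"0x{offset:04x} {clsid} {name}")
    print("URLs:", extract_urls(sample))
```

Running the script prints the composite moniker at offset 0x0008, the URL moniker at 0x001c, and the decoded URL; on a real stream the same two steps (CLSID hit, then decode the moniker body behind it) are what make the URL visible without having to read the raw hex.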

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

Keywords: maldoc rtf word