Last Updated: 2022-06-06 13:59:59 UTC
by Didier Stevens (Version: 1)
This plugin does a brute-force search for all classids defined in oletools:
And thus you can see the OLE stream contains a URL moniker.
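To illustrate the brute-force search described above, here is an added example (not the plugin's own code): it scans raw stream bytes for the on-disk form of known CLSIDs. The four-entry table, the function names and the simplified sample stream are assumptions made for this sketch; the table in oletools is much larger.

```python
import uuid

# Constructed subset of well-known moniker CLSIDs (oletools defines many more).
KNOWN_CLSIDS = {
    "79EAC9E0-BAF9-11CE-8C82-00AA004BA90B": "URL Moniker",
    "00000303-0000-0000-C000-000000000046": "File Moniker",
    "00000304-0000-0000-C000-000000000046": "Item Moniker",
    "00000309-0000-0000-C000-000000000046": "Composite Moniker",
}


def find_clsids(data, table=KNOWN_CLSIDS):
    """Return sorted (offset, clsid, name) tuples for every known CLSID in data."""
    hits = []
    for clsid, name in table.items():
        # GUIDs are stored with their first three fields little-endian,
        # so the textual form cannot be searched for directly.
        needle = uuid.UUID(clsid).bytes_le
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, clsid, name))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


def build_sample_stream():
    """Constructed sample: 16 header bytes, URL Moniker CLSID, length, UTF-16LE URL.

    Simplified layout for the demo, not a complete OLE structure.
    """
    url = "https://example.test/doc".encode("utf-16-le") + b"\x00\x00"
    header = b"\x01\x00\x00\x02" + b"\x00" * 12
    clsid = uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B").bytes_le
    return header + clsid + len(url).to_bytes(4, "little") + url


if __name__ == "__main__":
    for offset, clsid, name in find_clsids(build_sample_stream()):
        print(f"0x{offset:04x} {clsid} {name}")
```

Because the match is on raw bytes at any offset, a hit is a lead to verify by parsing the surrounding structure, not proof that a moniker is present.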
I also started a new plugin, to parse these OLE data structures: plugin_olestreams (it's a work in progress).
Here is the output:
There is a lot of information in these streams.
To spot the URLs, you can grep for url and item: