In yesterday's analysis, "Analysis Of An 'ms-msdt' RTF Maldoc", I forgot to include the output of my oledump plugin plugin_clsid. This plugin does a brute-force search for all classids defined in oletools:

And thus you can see the OLE stream contains a URL moniker.

I also started a new plugin to parse these OLE data structures: plugin_olestreams (it's a work in progress). Here is the output:

There is a lot of information in these streams. To spot the URLs, you can grep for url and item:

Didier Stevens
DidierStevens 649 Posts ISC Handler Jun 6th 2022 |
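As an added illustration (not the diary's plugin code), here is a simplified version of what plugin_clsid does: a brute-force search of a stream for known CLSIDs in their on-disk little-endian GUID layout, followed by extraction of the URL that follows a URL moniker CLSID. The CLSID table is a small subset of the oletools list, the sample stream is constructed, and the URL moniker layout (4-byte length, then a UTF-16LE NUL-terminated URL) is assumed from the MS-OLEDS description.

```python
import struct
import uuid

# Small subset of the classids oletools knows; plugin_clsid brute-forces the full list.
KNOWN_CLSIDS = {
    "00000303-0000-0000-C000-000000000046": "File Moniker",
    "00000304-0000-0000-C000-000000000046": "Item Moniker",
    "00000309-0000-0000-C000-000000000046": "Composite Moniker",
    "79EAC9E0-BAF9-11CE-8C82-00AA004BA90B": "URL Moniker",
}

def clsid_bytes(text):
    """Textual CLSID -> the 16 bytes as stored on disk (little-endian GUID fields)."""
    return uuid.UUID(text).bytes_le

def find_clsids(data):
    """Brute-force search: try every known CLSID against the stream, return
    (offset, clsid, name) hits in offset order."""
    hits = []
    for text, name in KNOWN_CLSIDS.items():
        needle = clsid_bytes(text)
        start = 0
        while (pos := data.find(needle, start)) != -1:
            hits.append((pos, text, name))
            start = pos + 1
    return sorted(hits)

def parse_url_moniker(data, offset):
    """Parse the URL moniker whose CLSID starts at `offset` (assumed layout:
    16-byte CLSID, 4-byte little-endian length, UTF-16LE URL with NUL terminator)."""
    pos = offset + 16
    (length,) = struct.unpack_from("<I", data, pos)
    raw = data[pos + 4 : pos + 4 + length]
    return raw.decode("utf-16-le").rstrip("\x00")

def extract_urls(data):
    """The 'grep for url' step: keep only URL moniker hits and decode their URLs."""
    return [parse_url_moniker(data, off) for off, _, name in find_clsids(data)
            if name == "URL Moniker"]

def build_sample_stream():
    """Constructed stand-in for an OLE stream: header padding, a File Moniker
    CLSID, then a URL Moniker CLSID followed by its length-prefixed URL."""
    encoded = "http://example.invalid/page.html".encode("utf-16-le") + b"\x00\x00"
    return (b"\x01\x00\x00\x02" + b"\x00" * 12
            + clsid_bytes("00000303-0000-0000-C000-000000000046") + b"\x00" * 8
            + clsid_bytes("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B")
            + struct.pack("<I", len(encoded)) + encoded)

if __name__ == "__main__":
    sample = build_sample_stream()
    for off, clsid, name in find_clsids(sample):
        print(f"{off:08x} {clsid} {name}")
    print(extract_urls(sample))
```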