You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
All of the attached files have executables embedded using this technique, but none of the oletools seem to be able to recognize or extract these types of objects.
I'm still researching this technique and will update this ticket if I find anything useful.
While running syria.pps through olefile, I did notice the following:
#!python
DEBUG property id=13: type=4126 offset=108
DEBUG property id=13: type=4126 not implemented in parser yet
DEBUG property id=12: type=4108 offset=1D1
DEBUG property id=12: type=4108 not implemented in parser yet
Original comment byPhilippe Lagadec (Bitbucket: decalage, GitHub: decalage2):
Hi Jeremy,
Part of the code to extract OLE Package objects is already in the oleobj.py module, but I haven't added the code to make it a command-line tool yet.
For now it is only used by rtfobj for RTF files.
Originally reported by: Jeremy Humble (Bitbucket: jeremy_humble, GitHub: Unknown)
I've noticed an uptick lately in phishing campaigns sending out documents with embedded package objects (https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/packager_what_is_obj_pkg.mspx?mfr=true)
All of the attached files have executables embedded using this technique, but none of the oletools seem to be able to recognize or extract these types of objects.
I'm still researching this technique and will update this ticket if I find anything useful.
While running syria.pps through olefile, I did notice the following:
archive password is infected.
The text was updated successfully, but these errors were encountered: