"ms-msdt" RTF Maldoc Analysis: oledump Plugins
In yesterday's analysis, 'Analysis Of An "ms-msdt" RTF Maldoc', I forgot to include the output of my oledump plugin plugin_clsid.
This plugin does a brute-force search for all CLSIDs defined in oletools:

And thus you can see that the OLE stream contains a URL moniker.
I also started a new plugin, to parse these OLE data structures: plugin_olestreams (it's a work in progress).
Here is the output:


There is a lot of information in these streams.
To spot the URLs, you can grep for url and item:

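The two steps above (brute-force CLSID search, then parsing the URL moniker the CLSID introduces) can be reproduced outside oledump. The script below is an added example, not oledump's plugin code: it searches a blob for the standard OLE moniker CLSIDs and, for a URL moniker, reads the URLMonikerStream that follows it (4-byte length, then a NUL-terminated UTF-16LE URL). The blob it scans is constructed inline; the header bytes around the moniker are filler and the URL is a placeholder.

```python
"""Find OLE moniker CLSIDs in an object blob and extract URL moniker targets."""
import re
import struct
import uuid

# Standard OLE moniker CLSIDs. On disk a GUID is stored mixed-endian,
# which uuid.UUID(...).bytes_le reproduces, so we search for that form.
MONIKER_CLSIDS = {
    "79EAC9E0-BAF9-11CE-8C82-00AA004BA90B": "URL Moniker",
    "00000303-0000-0000-C000-000000000046": "File Moniker",
    "00000304-0000-0000-C000-000000000046": "Item Moniker",
    "00000309-0000-0000-C000-000000000046": "Composite Moniker",
}
URL_MONIKER_CLSID = "79EAC9E0-BAF9-11CE-8C82-00AA004BA90B"

def find_clsids(data: bytes) -> list:
    """Brute-force search: (offset, clsid, name) for every known CLSID found."""
    hits = []
    for clsid, name in MONIKER_CLSIDS.items():
        needle = uuid.UUID(clsid).bytes_le
        for m in re.finditer(re.escape(needle), data):
            hits.append((m.start(), clsid, name))
    return sorted(hits)

def parse_url_moniker(data: bytes, offset: int) -> str:
    """Parse the URLMonikerStream after the URL moniker CLSID at `offset`:
    a 4-byte little-endian length, then a NUL-terminated UTF-16LE URL."""
    pos = offset + 16                      # skip the 16-byte CLSID
    (length,) = struct.unpack_from("<I", data, pos)
    body = data[pos + 4 : pos + 4 + length]
    # Optional trailing fields (serialGUID, version, flags) may follow the
    # terminator; decoding with replacement keeps them from raising.
    return body.decode("utf-16-le", errors="replace").split("\x00", 1)[0]

def extract_urls(data: bytes) -> list:
    """Return every URL referenced by a URL moniker in the blob."""
    return [parse_url_moniker(data, off) for off, clsid, _ in find_clsids(data)
            if clsid == URL_MONIKER_CLSID]

def build_sample() -> bytes:
    """Constructed test blob: filler bytes around one URL moniker."""
    url = "http://example.invalid/loader.html".encode("utf-16-le") + b"\x00\x00"
    moniker = (uuid.UUID(URL_MONIKER_CLSID).bytes_le
               + struct.pack("<I", len(url)) + url)
    return b"\x01\x00\x00\x02" + b"\x00" * 16 + moniker + b"\x00" * 8

if __name__ == "__main__":
    blob = build_sample()
    for off, clsid, name in find_clsids(blob):
        print(f"0x{off:04x} {clsid} {name}")
    print(extract_urls(blob))
```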
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com