oleobj: detect remote templates and other remote references in OLE files
decalage2 opened this issue · 2 comments
decalage2 commented
oleobj detects remote references in OpenXML files (docx, xlsx, pptx), but not in legacy OLE files (doc, xls, ppt). For example this sample is not detected:
- https://twitter.com/doc_guard/status/1710647730966519892
- https://bazaar.abuse.ch/sample/f393e8344867ebad8b65e0bc32f3dc6911a5064c0ec07b8436e93ff6b43bda51/
It looks like the remote template reference is in the 1Table stream, so a parser would need to be implemented unless we can find one.