I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents”. Use promo-code SPRING16 for a 10% discount.
This new version of oledump brings an update to the --cut option and a new plugin: plugin_hifo.
As I documented in this ISC Diary entry, maldocs can store URLs in properties of userforms:
The plugin plugin_hifo is a simple plugin that looks for streams that end with /o and then searches for strings starting with http (hence the name: http in form /o).
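The search described above, sketched as an added example (this is not the code of plugin_hifo or oledump). It works on constructed (stream name, bytes) pairs instead of reading an OLE file, and it also checks UTF-16LE strings, which goes beyond the description; all function and sample names are hypothetical.

```python
import re

# Runs of at least 4 printable ASCII bytes (same idea as the Unix strings tool).
ASCII_RUN = re.compile(rb'[\x20-\x7e]{4,}')
# The same runs stored as UTF-16LE: each character followed by a NUL byte.
UTF16_RUN = re.compile(rb'(?:[\x20-\x7e]\x00){4,}')

# Constructed sample data: stream names and contents are made up for this example.
SAMPLE_STREAMS = [
    ('Macros/UserForm1/o',
     b'\x00\x02\x18\x00Tahoma\x00\x00http://example.test/payload.bin\x00\x00\x01'),
    ('Macros/UserForm1/f', b'\x00\x04http://ignored.example.test/\x00'),
    ('Macros/VBA/ThisDocument', b'Attribute VB_Name = "ThisDocument"'),
    ('Macros/UserForm2/o',
     b'\x01\x00' + 'https://example.test/a'.encode('utf-16-le') + b'\x00\x00'),
]


def extract_strings(data):
    """Return the printable strings found in data (ASCII first, then UTF-16LE)."""
    found = [m.group().decode('ascii') for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode('utf-16-le') for m in UTF16_RUN.finditer(data)]
    return found


def http_in_form_o(streams):
    """Return (stream_name, string) for each string starting with http
    in a stream whose name ends with /o."""
    hits = []
    for name, data in streams:
        if not name.lower().endswith('/o'):
            continue  # only the /o streams of userforms are of interest
        for s in extract_strings(data):
            if s.lower().startswith('http'):
                hits.append((name, s))
    return hits


if __name__ == '__main__':
    for name, url in http_in_form_o(SAMPLE_STREAMS):
        print('%s: %s' % (name, url))
```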