Didier Stevens

Wednesday 11 March 2020

CLSIDs in OLE Files

Filed under: maldoc, My Software — Didier Stevens @ 0:00

Directory entries in “OLE” files (Compound File Binary Format) have a GUID field. Like this “Root Entry” inside a binary Word document file (Doc1.doc):

The GUID value found in this directory entry is 00020906-0000-0000-C000-000000000046. GUIDs are stored mixed-endian: the first three fields (4, 2 and 2 bytes) are little-endian, the last two (2 and 6 bytes) are stored as-is, i.e. big-endian, so on disk this one reads 06 09 02 00 00 00 00 00 C0 00 00 00 00 00 00 46.

This GUID is a COM class id (CLSID) for Word.

You can display the CLSID with oledump.py using option -E, which displays extra information for each entry. Use parameter %CLSID% to display the CLSID, like this:

No class IDs are displayed in this output, because the CLSID fields in the directory entries of these streams are all zero (16 0x00 bytes). Most of the time, streams in Office documents have no CLSID; you are more likely to find CLSIDs in the directory entries of storages. To include storages in oledump’s output, use option --storages, like this:

Starting with version 0.0.46, oledump.py will also display the Root Entry. And as can be seen in the above output, the Root Entry of this .doc file has a CLSID.
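As an added illustration of the two points above (the mixed-endian CLSID bytes of a directory entry, and the listing of streams, storages and the Root Entry with their CLSIDs), the following Python decodes directory entries directly. It is not oledump.py's or olefile's code, and the directory sector it parses is constructed in the script rather than read from Doc1.doc; only the entry fields the example needs are filled in.

```python
import struct
import uuid

# A CFB directory is an array of 128-byte entries ([MS-CFB] section 2.6.1).
# Only the fields this example reads are described here:
#   offset 0  : entry name, UTF-16LE, NUL-terminated, at most 64 bytes
#   offset 64 : name length in bytes, terminating NUL included (0 = unused entry)
#   offset 66 : object type: 0 unused, 1 storage, 2 stream, 5 root storage
#   offset 80 : CLSID, 16 bytes, all zero when the entry has none
ENTRY_SIZE = 128
ENTRY_TYPES = {0: "unused", 1: "storage", 2: "stream", 5: "root"}
ZERO_CLSID = b"\x00" * 16


def clsid_bytes_to_str(raw: bytes) -> str:
    """Decode the 16 on-disk bytes of a CLSID into its canonical text form.
    Data1 (4 bytes), Data2 (2) and Data3 (2) are stored little-endian; Data4
    (8 bytes) is stored in order, which is why GUIDs are called mixed-endian."""
    if len(raw) != 16:
        raise ValueError("a CLSID is exactly 16 bytes")
    data1, data2, data3 = struct.unpack("<IHH", raw[:8])
    data4 = raw[8:].hex().upper()
    return "%08X-%04X-%04X-%s-%s" % (data1, data2, data3, data4[:4], data4[4:])


def clsid_str_to_bytes(text: str) -> bytes:
    """The reverse transform; uuid's bytes_le uses the same mixed-endian layout."""
    return uuid.UUID(text).bytes_le


def parse_directory_entry(entry: bytes) -> dict:
    """Name, type and CLSID of one directory entry; CLSID is None when all zero."""
    if len(entry) != ENTRY_SIZE:
        raise ValueError("a directory entry is exactly %d bytes" % ENTRY_SIZE)
    name_len = struct.unpack_from("<H", entry, 64)[0]
    name = entry[:name_len - 2].decode("utf-16-le") if name_len >= 2 else ""
    entry_type = entry[66]
    raw_clsid = entry[80:96]
    return {
        "name": name,
        "type": ENTRY_TYPES.get(entry_type, "type %d" % entry_type),
        "clsid": None if raw_clsid == ZERO_CLSID else clsid_bytes_to_str(raw_clsid),
    }


def parse_directory_sector(sector: bytes) -> list:
    """All entries in one directory sector (a 512-byte sector holds four)."""
    return [parse_directory_entry(sector[i:i + ENTRY_SIZE])
            for i in range(0, len(sector) - ENTRY_SIZE + 1, ENTRY_SIZE)]


def make_entry(name: str, entry_type: int, clsid: str = "") -> bytes:
    """Build a constructed entry for the demo; sibling/child links, stream size
    and the other fields stay zero because nothing here reads them."""
    entry = bytearray(ENTRY_SIZE)
    if name:
        encoded = name.encode("utf-16-le") + b"\x00\x00"
        entry[:len(encoded)] = encoded
        struct.pack_into("<H", entry, 64, len(encoded))
    entry[66] = entry_type
    if clsid:
        entry[80:96] = clsid_str_to_bytes(clsid)
    return bytes(entry)


WORD_DOCUMENT_8 = "00020906-0000-0000-C000-000000000046"

# Constructed 512-byte directory sector, not bytes taken from Doc1.doc: the Root
# Entry carries the Word CLSID, the stream and the storage carry none.
SAMPLE_SECTOR = (
    make_entry("Root Entry", 5, WORD_DOCUMENT_8)
    + make_entry("WordDocument", 2)
    + make_entry("ObjectPool", 1)
    + make_entry("", 0)
)

if __name__ == "__main__":
    for index, entry in enumerate(parse_directory_sector(SAMPLE_SECTOR)):
        print(index, entry["type"].ljust(7), repr(entry["name"]), entry["clsid"] or "-")
```

Reading the 16 bytes big-endian would print 06090200-0000-0000-C000-000000000046 for the Root Entry, which is not a Word CLSID; the little-endian unpack of the first three fields is what makes the value match the registry.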

Philippe Lagadec, the developer of olefile and oletools, maintains a list of CLSIDs relevant to Office documents.

When oletools is installed, oledump.py looks up CLSIDs in this list when you use parameter %CLSIDDESC% (CLSID description). Here is the same command as before, but with parameter %CLSIDDESC%:

This result shows that 00020906-0000-0000-C000-000000000046 is COM Object “Microsoft Word 97-2003 Document (Word.Document.8)”.


Class IDs can also be found inside some streams, and that’s why I developed a new oledump.py plugin: plugin_clsid.py.

This plugin searches for CLSIDs (defined in oletools) inside streams. Like in this malicious document:

With the class IDs found in this stream, one can quickly conclude that this must be an exploit for the URL moniker.
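An added example of the idea behind such a plugin; it is not plugin_clsid.py's code. It searches a stream's raw bytes for the on-disk (mixed-endian) form of a few CLSIDs, using a hand-picked subset of the oletools list with shortened descriptions, and also sweeps for CLSIDs that are not in the table but carry the Data4 tail C000-000000000046 shared by many Microsoft-defined class ids, so they can be looked up by hand. The stream bytes are constructed for the demo, not taken from the document above; the table deliberately omits the Word 6.0 CLSID (00020900-...) that the sample contains, to show the sweep.

```python
import uuid

# Hand-picked subset of the CLSID list that ships with oletools
# (oletools/common/clsid.py); descriptions shortened. Not the full list.
KNOWN_CLSIDS = {
    "00020906-0000-0000-C000-000000000046": "Microsoft Word 97-2003 Document (Word.Document.8)",
    "00020820-0000-0000-C000-000000000046": "Microsoft Excel 97-2003 Worksheet (Excel.Sheet.8)",
    "00000300-0000-0000-C000-000000000046": "StdOleLink (OLE2 Link)",
    "79EAC9E0-BAF9-11CE-8C82-00AA004BA90B": "URL Moniker",
}

# Data4 value shared by many CLSIDs defined by Microsoft ("...-C000-000000000046")
MS_STANDARD_TAIL = b"\xC0\x00\x00\x00\x00\x00\x00\x46"


def clsid_to_bytes(text: str) -> bytes:
    """On-disk (mixed-endian) form of a CLSID: Data1-3 little-endian, Data4 as-is."""
    return uuid.UUID(text).bytes_le


def bytes_to_clsid(raw: bytes) -> str:
    """Canonical upper-case text form of 16 on-disk CLSID bytes."""
    return str(uuid.UUID(bytes_le=raw)).upper()


def find_known_clsids(stream: bytes, table=KNOWN_CLSIDS) -> list:
    """Every occurrence of a listed CLSID, in binary form, inside a stream.
    Returns (offset, clsid, description) tuples sorted by offset."""
    hits = []
    for text, desc in table.items():
        needle = clsid_to_bytes(text)
        pos = stream.find(needle)
        while pos >= 0:
            hits.append((pos, text, desc))
            pos = stream.find(needle, pos + 1)
    return sorted(hits)


def find_candidate_clsids(stream: bytes, table=KNOWN_CLSIDS) -> list:
    """Byte-level sweep for 16-byte windows ending in the Microsoft Data4 tail
    whose CLSID is not in the table: surfaces class ids the list does not cover.
    Returns (offset, clsid) tuples in stream order."""
    hits = []
    for pos in range(0, len(stream) - 15):
        if stream[pos + 8:pos + 16] == MS_STANDARD_TAIL:
            text = bytes_to_clsid(stream[pos:pos + 16])
            if text not in table:
                hits.append((pos, text))
    return hits


# Constructed stream, not bytes from the malicious document in the post: a few
# header bytes, an OLE link CLSID, a URL moniker CLSID, a UTF-16LE URL and,
# at the end, a Word 6.0 CLSID that the small table above does not list.
SAMPLE_STREAM = (
    b"\x01\x00\x00\x02"
    + clsid_to_bytes("00000300-0000-0000-C000-000000000046")
    + b"\x00" * 4
    + clsid_to_bytes("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B")
    + "http://example.invalid/".encode("utf-16-le")
    + clsid_to_bytes("00020900-0000-0000-C000-000000000046")
)

if __name__ == "__main__":
    for pos, text, desc in find_known_clsids(SAMPLE_STREAM):
        print("0x%04X %s %s" % (pos, text, desc))
    for pos, text in find_candidate_clsids(SAMPLE_STREAM):
        print("0x%04X %s (not in table, look it up)" % (pos, text))
```

Note that a text-based search (a regex for 8-4-4-4-12 hex groups) would find none of these: the CLSIDs in the sample stream exist only as 16 raw bytes, so the needle has to be the mixed-endian binary form.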

And here is the Root Entry CLSID for this document:


4 Comments »

  1. The plugin_CLSID analyses only the VBAProject.bin, but in other parts of an Excel file there are several UUIDs as well. The number depends on the Excel version and the document management system.

    Can these UUIDs reveal any information about the author?

    Here is VBA code to extract the UUIDs: https://www.herber.de/bbs/user/135761.txt

    Comment by N. Ano — Wednesday 11 March 2020 @ 8:11

  2. Testing the plugin_clsid with an xlsm, the result was 1 CLSID. For the same file my little PowerShell script shows 23 CLSIDs. Maybe it is helpful:

    # Read VBAProject.bin as raw bytes (Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream)
    $Pfad = 'C:\Users\xxxx\Desktop\'
    $VBA = Get-Content ($Pfad + 'VBAProject.bin') -Encoding Byte
    # Drop NUL bytes so UTF-16LE strings collapse to plain characters, collecting everything into one string
    $Tx = ''
    foreach ($B in $VBA) {
        if ($B -ne 0x00) { $Tx = $Tx + [char]$B }
    }
    # Match GUIDs written as text (8-4-4-4-12 hex groups) and print every match
    $RegEx = $Tx | Select-String -Pattern '\w{8}-\w{4}-\w{4}-\w{4}-\w{12}' -AllMatches
    $RegEx.Matches.Value

    Comment by A.Nony — Wednesday 11 March 2020 @ 11:37

  3. This is normal: it’s how I designed oledump.py.

    The file you are testing with, something.xlsm, is not an “ole” file. .xlsm files (and .xlsx, .docx, .docm, …) are Open Office XML files (OOXML): a ZIP container, containing XML files.

    oledump.py is designed to analyze ole files (CFB): either when given an ole file directly as argument, or when it is present inside ZIP containers. OOXML files with macros contain at least one ole file: the file with the VBA macros. That’s what oledump analyzes.

    If you want to analyze the XML files, you can use my tools zipdump.py and re-search.py.

    Comment by Didier Stevens — Wednesday 11 March 2020 @ 17:25
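An added example of the point made in the reply above (the macro-enabled OOXML file is a ZIP container, and the OLE file inside it is what an OLE tool analyzes). It is not oledump.py's or zipdump.py's code: it builds a constructed ZIP with XML parts and one member that starts with the CFB magic number, then identifies OLE members by those magic bytes rather than by name. The fake vbaProject.bin member is only a header-sized blob, not a real VBA project.

```python
import io
import zipfile

# Magic number at the start of every Compound File Binary (OLE) file
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def ole_members(zip_bytes: bytes) -> list:
    """Names of the ZIP members that are OLE/CFB files, judged by their first
    eight bytes rather than by file name, so a renamed part is still found."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                if member.read(len(CFB_MAGIC)) == CFB_MAGIC:
                    found.append(info.filename)
    return found


def build_sample_ooxml() -> bytes:
    """Constructed stand-in for a macro-enabled workbook: XML parts, an image,
    and one OLE part whose content is just the CFB magic padded with zeros."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("xl/workbook.xml", '<?xml version="1.0"?><workbook/>')
        zf.writestr("xl/vbaProject.bin", CFB_MAGIC + b"\x00" * 504)
        zf.writestr("xl/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(ole_members(build_sample_ooxml()))
```

Running it prints ['xl/vbaProject.bin']: the XML parts and the image are skipped because the check is on content, not on the .bin extension.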

  4. […] Didier Stevens CLSIDs in OLE Files  […]

    Pingback by Week 11 – 2020 – This Week In 4n6 — Sunday 15 March 2020 @ 11:29

