CLSIDs in OLE Files

Directory entries in “OLE” files (Compound File Binary Format) have a GUID field. Like this “Root Entry” inside a binary Word document file (Doc1.doc):

The GUID value found in this directory entry is: 00020906-0000-0000-C000-000000000046 (the endianness of GUIDs is mixed-endian: it’s a mix of little-endian and big-endian).

This GUID is a COM class id (CLSID) for Word.

You can display the CLSID with oledump.py using option -E to display extra information. Use parameter %CLSID% to display the CLSID, like this:

No class IDs were displayed in this output, and that’s because all the CLSID fields in the directory entries of these streams are zero (16 0x00 bytes). Most of the time, streams in Office documents have no CLSID. You’re more likely to find CLSIDs inside the directory entries of storages. To include storages in oledump’s output, use option –storages like this:

Starting with version 0.0.46, oledump.py will also display the Root Entry. And as can be seen in the above output, the Root Entry of this .doc file has a CLSID.

Philippe Lagadec, the developer of olefile and oletools, maintains a list of CLSIDs relevant to Office documents.

When oletools is installed, oledump.py looks up CLSIDs in this list when you use parameter %CLSIDDESC% (CLSID description). Here is the same command as before, but with parameter %CLSIDDESC%:

This result shows that 00020906-0000-0000-C000-000000000046 is COM Object “Microsoft Word 97-2003 Document (Word.Document.8)”.

 

Class IDs can also be found inside some streams, and that’s why I developed a new oledump.py plugin: plugin_clsid.py.

This plugin searches for CLSIDs (defined in oletools) inside streams. Like in this malicious document:

With the class IDs found in this stream, one can quickly conclude that this must be an exploit for the URL moniker.

And here is the Root Entry CLSID for this document:

 

 

Article Link: https://blog.didierstevens.com/2020/03/11/clsids-in-ole-files/