unknown CLSID B801CA65-A1FC-11D0-85AD-444553540000 #552

Closed
flix87 opened this issue Apr 2, 2020 · 5 comments

flix87 commented Apr 2, 2020

rtfobj 0.55

```
0  |0000013Bh |format_id: 2 (Embedded)
   |          |class name: 'AcroExch.Document.DC'
   |          |data size: 14336
   |          |MD5 = 'a97f42f6fc046f33cca256e9a13fa5fa'
   |          |CLSID: B801CA65-A1FC-11D0-85AD-444553540000
   |          |unknown CLSID (please report at
   |          |https://github.com/decalage2/oletools/issues)
```

decalage2 self-assigned this Apr 2, 2020
decalage2 added the clsid common.clsid module label Apr 2, 2020
decalage2 added this to the oletools 0.56 milestone Apr 2, 2020

decalage2 (Owner) commented

It looks like it could be "Adobe Acrobat 7.0 Document" or simply "Adobe Acrobat Document".

flix87 (Author) commented Apr 2, 2020

Yes, it is a PDF.

flix87 (Author) commented Apr 6, 2020

Now I am not getting an error, but I still can't open the file:

```
rtfobj 0.55.2 on Python 2.7.12 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

===============================================================================
File: 'rtf.rtf' - size: 2993950 bytes
---+----------+---------------------------------------------------------------
id |index     |OLE Object
---+----------+---------------------------------------------------------------
0  |00000124h |format_id: 2 (Embedded)
   |          |class name: 'AcroExch.Document.DC'
   |          |data size: 1451520
   |          |MD5 = 'ba30391b4f30bf691160dc772a87f1c0'
   |          |CLSID: B801CA65-A1FC-11D0-85AD-444553540000
   |          |Adobe Acrobat Document - PDF file
---+----------+---------------------------------------------------------------
Saving file embedded in OLE object #0:
format_id = 2
class name = 'AcroExch.Document.DC'
data size = 1451520
saving to file rtf.rtf_object_00000124.bin
md5 ba30391b4f30bf691160dc772a87f1c0
```

decalage2 (Owner) commented

This is probably because there is some data from the OLE object before the actual start of the PDF file. You may open it in a hex editor, and remove everything before "%PDF", which is the beginning of the PDF file.
If this still doesn't work, maybe the file is heavily obfuscated or corrupt.
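
The hex-editor step described in the comment above can be scripted. The following is an added example, not part of this thread and not oletools code: `carve_pdf` and the sample bytes are constructed for illustration, and the input is assumed to be a `.bin` file saved by rtfobj. It also trims bytes after the last `%%EOF`, which goes beyond what the comment describes.

```python
import hashlib
import sys

PDF_MAGIC = b"%PDF-"  # start of the PDF header
PDF_EOF = b"%%EOF"    # end marker; incrementally updated PDFs have several

# Constructed sample: OLE-style leading bytes, a tiny PDF body, trailing padding.
SAMPLE_PREFIX = b"\x02\x00\x00\x00constructed-ole-header"
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n"
SAMPLE_BLOB = SAMPLE_PREFIX + SAMPLE_PDF + b"\x00" * 8


def carve_pdf(blob):
    """Return (offset, pdf_bytes), or None when blob has no %PDF- header.
    Bytes before the first header are dropped, as are bytes after the last
    %%EOF. Without any %%EOF the rest of the blob is kept for inspection.
    """
    start = blob.find(PDF_MAGIC)
    if start == -1:
        return None
    end = blob.rfind(PDF_EOF)
    if end < start:  # also covers rfind() returning -1
        end = len(blob)
    else:
        end += len(PDF_EOF)
        for eol in (b"\r\n", b"\n", b"\r"):  # keep the line ending after %%EOF
            if blob.startswith(eol, end):
                end += len(eol)
                break
    return start, blob[start:end]


if __name__ == "__main__":
    # With a path argument, carve that file; otherwise use the constructed sample.
    data = SAMPLE_BLOB
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    found = carve_pdf(data)
    if found is None:
        sys.exit("no %PDF- header found")
    offset, pdf = found
    print("PDF header at offset 0x%X, %d bytes, sha256 %s"
          % (offset, len(pdf), hashlib.sha256(pdf).hexdigest()))
    if len(sys.argv) == 2:
        with open(sys.argv[1] + ".pdf", "wb") as f:
            f.write(pdf)
```

Run against an extracted object, it writes the carved file next to the input with a `.pdf` suffix; the printed offset shows how many leading bytes were dropped.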

flix87 (Author) commented Apr 6, 2020

Yes, if I remove everything before %PDF it works, so the file is okay.
Can we fix that in oletools?

c-rosenberg pushed a commit to HeinleinSupport/oletools that referenced this issue Sep 16, 2020