Add files via upload

Advanced_Memory_Forensics_Threat_Hunting_and_Malware_Analysis/Advanced_Memory_Forensics_Threat_Hunting_and_Malware_Analysis.md

@@ -0,0 +1,35 @@
+# Abusing External Resource References MSOffice
+
+HTTP Web Server used in exercises: [[HTTPserver_corsdevserver_special.py]](https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/Abusing_External_Resource_References_MSOffice/www/HTTPserver_corsdevserver_special.py)<br/>
+WWW folder example in exercises (bitcoin.jpg - exploitable RTF document example): [[www]](https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/tree/main/Abusing_External_Resource_References_MSOffice/www)<br/>
+<br/>
+## Abusing External Resource References MSOffice [part1] - TEMPLATE_INJECTION:<br/>
+
+Video: [[Abusing External Resource References MSOffice [part1] - TEMPLATE_INJECTION]](https://youtu.be/tAn-Wm27Tww)<br/>
+<br/>
+Part1 - example Macro code for template:<br/>
+Sub Document_Open()<br/>
+<br/>
+Set objShell = CreateObject("Wscript.Shell")<br/>
+objShell.Run "calc"<br/>
+<br/>
+End Sub<br/>
+
+## Abusing External Resource References MSOffice [part2] - OLEOBJECT_INJECTION:<br/>
+
+Video: [[Abusing External Resource References MSOffice [part2] - OLEOBJECT_INJECTION]](https://youtu.be/7eQsjHCCvqU)<br/>
+
+Oleobject injection - Another method of abusing External Resource References.<br/>
+You can easily embed a link to another object (oleobject embedding) as example (rtf exploiting CVE-2017-11882) served as jpg file -> send as Content-type: "application/msword".<br/>
+
+Analyzing RTF document containing exploit - CVE-2017-11882:<br/>
+py -2 rtfdump.py AD238C4B.doc -s 7 -H -d > xxx.bin<br/>
+oledump.py -f l xxx.bin<br/>
+cut-bytes.py -d 0x23: xxx.bin > xxx2.bin<br/>
+oledump.py xxx2.bin -s 4 -d > xxx3.bin<br/>
+scdbg<br/>
+
+## References:
+DidierStevensSuite - https://github.com/DidierStevens/DidierStevensSuite<br/>
+scdbg - http://sandsprite.com/blogs/index.php?uid=7&pid=152<br/>
+oletools - https://github.com/decalage2/oletools<br/>