Detection of TypeLib ID should also check for parent relationship

[metthal]

Detection of TypeLib ID in .NET samples is through CustomAttributes .NET table where it checks that it points to MemberRef table of GuidAttribute type. However there's one check missing and that is Parent relationship of the custom attribute which must point to AssemblyRef in order to be valid TypeLib ID. Otherwise we're detecting random GUIDs connected to just some types in the .NET module. Examples of samples:

36b7ac044cf48ef7babf72bdcb39df51713735db6a0b2e7d6a297c01d8ceee8a
460e993ef177d700fa571c9bcaf0f6a5a22e1bac9f68a42eda1f2f14ee847ebc
4d5af57da4d0c87249bd3855064a1081d34915e72829097a09f2d51b24544e1c
756684f4017ba7e931a26724ae61606b16b5f8cc84ed38a260a34e50c5016f59
76efb5ca3412d03d43c87c58059b87db13afcac25f6d4e9eff15a9578dc831a1
a581f21030a511664b0801aa3dcd7359b85ce4aa7cae793eac369d8749b9c39e

[HoundThe]

Shouldn't the reference be to Assembly instead of AssemblyRef?