I made a small update to rtfdump and added new rules to rtf.yara.
This video is an intro to rtfdump:
This is a video on an RTF maldoc (MD5 07884483f95ae891845caf0d50ce507f) that contains an exploit for MS12-027 CVE-2012-0158:
This is a video on an RTF maldoc (MD5 4483ad299158eb54f6ff58b5346a36ee) that contains an exploit for MS10-087 CVE-2010-3333:
rtfdump_V0_0_3.zip (https)
MD5: 59DC23EE55F76C065A2A718DDFDB0E4E
SHA256: 46F9D768C6976AD5D4018EFDFD35DAE4212FEAE57871434A33CAEF028CB4CBA2
[…] Didier Stevens made a small update to rtfdump.py (now at version 0.0.3) and added new rules to rtf.yara. The blog post also includes videos that he’s uploaded showing his examination of a couple of RTF files containing known exploits. rtfdump: Update And Videos […]
Pingback by Week 31 – 2016 – This Week In 4n6 — Sunday 7 August 2016 @ 13:21
[…] rtfdump: Update And Videos […]
Pingback by Overview of Content Published In August | Didier Stevens — Sunday 18 September 2016 @ 18:36
Hello Didier, thank you for releasing your rtfdump. I always leverage the great tool.
Let me ask a question about the newest release 0.0.5 at 2017/02/11, in particular the Trimdde function.
I know maldocs in the wild leverage \dde0{250} trick to make objdata extraction difficult. When I tried to investigate the control word, I found that nothing is written in RTFSpec v1.9.1. Could you tell me what the control word means if you know?
Comment by alcr9 — Saturday 22 April 2017 @ 15:15
AFAIK it’s not a control word, but it gets ignored by Word’s RTF parser.
Comment by Didier Stevens — Thursday 4 May 2017 @ 7:13
I see. Thank you for your reply!
Comment by alcr9 — Friday 7 July 2017 @ 6:37
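The \dde0 trick discussed in the comments above, as an added example. This is my own illustration, not rtfdump's Trimdde code and not from the blog post: it shows why a quick hex-digit filter over an \objdata group is corrupted by inserted \dde0 words (every character of "dde0" is a valid hex digit) and how stripping control words first recovers the embedded object. The RTF fragment is constructed, its payload is made-up ASCII, and it uses a run of five \dde0 words rather than the 250 the comment mentions. It assumes, as the reply states for \dde0, that Word ignores such control words inside \objdata; it does not handle \binN, which in a real file introduces raw binary bytes.

```python
import binascii
import re

# Constructed sample (not from the page or from rtfdump's test data).
# The hex encodes the ASCII text "OLE-SAMPLE" so a correct extraction is obvious.
PAYLOAD_HEX = binascii.hexlify(b"OLE-SAMPLE").decode()  # '4f4c452d53414d504c45'
SAMPLE_RTF = (
    r"{\rtf1{\object\objemb{\*\objclass Package}{\*\objdata "
    + PAYLOAD_HEX[:6]
    + r"\dde0" * 5           # the comment describes runs of 250; 5 is enough to show the effect
    + " " + PAYLOAD_HEX[6:]
    + "}}}"
)

# RTF control word: backslash, letters, optional signed number, optional delimiter space.
CONTROL_WORD = re.compile(r"\\[a-zA-Z]+-?\d* ?")
HEX_CHARS = re.compile(r"[0-9A-Fa-f]")


def objdata_body(rtf: str) -> str:
    """Return the raw text of the first \\objdata group: everything after the
    control word up to the brace that closes the group, tracking nested braces."""
    start = rtf.find(r"\objdata")
    if start < 0:
        raise ValueError("no \\objdata group")
    pos = start + len(r"\objdata")
    depth = 0
    for i in range(pos, len(rtf)):
        c = rtf[i]
        if c == "{":
            depth += 1
        elif c == "}":
            if depth == 0:
                return rtf[pos:i]
            depth -= 1
    raise ValueError("unterminated \\objdata group")


def count_dde(body: str) -> int:
    """Number of \\dde control words injected into the group (an indicator worth logging)."""
    return len(re.findall(r"\\dde\d*", body))


def naive_hex_extract(body: str) -> bytes:
    """Keep every hex digit in the group, the way a quick-and-dirty extractor does.
    'd', 'd', 'e', '0' are all hex digits, so each injected \\dde0 adds two bogus bytes."""
    return bytes.fromhex("".join(HEX_CHARS.findall(body)))


def trimmed_hex_extract(body: str) -> bytes:
    """Drop the control words first (the parser ignores them, per the comment thread),
    then decode the remaining hex digits. This is the example's own 'trim dde' step."""
    cleaned = CONTROL_WORD.sub("", body)
    return bytes.fromhex("".join(HEX_CHARS.findall(cleaned)))


if __name__ == "__main__":
    body = objdata_body(SAMPLE_RTF)
    print("injected \\dde words:", count_dde(body))
    print("naive extraction:   ", naive_hex_extract(body))
    print("trimmed extraction: ", trimmed_hex_extract(body))
```

On the constructed sample the naive path yields b"OLE" followed by five bogus \xdd\xe0 pairs before "-SAMPLE", while the trimmed path returns the intended b"OLE-SAMPLE"; a high count from count_dde is itself a useful triage signal, since a benign \objdata group has no reason to contain those words.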