Didier Stevens

Saturday 25 February 2017

Update: rtfdump.py Version 0.0.5

Filed under: My Software, Update — Didier Stevens @ 10:28

This new version of rtfdump.py adds object extraction (-E) and can also handle objects obfuscated with \dde0000…

rtfdump_V0_0_5.zip (https)
MD5: 14475C70D992FB72306D5F83815DDE19
SHA256: A26A60536509BA7CF55FF1876E8BC3A6DBA43F1EF8841F159D55411FD11B5078

7 Comments »

  1. […] Update: rtfdump.py Version 0.0.5 […]

    Pingback by Overview of Content Published In February | Didier Stevens — Saturday 4 March 2017 @ 0:00

  2. […] rtfdump.py is a Python tool to analyze RTF documents. Running it on our sample produces a list with all “entities” in the RTF document (text enclosed between {}): […]

    Pingback by Analysis of a CVE-2017-0199 Malicious RTF Document | NVISO LABS – blog — Wednesday 12 April 2017 @ 13:11

  3. […] rtfdump, […]

    Pingback by CVE-2017-0199 Demo | Didier Stevens Videos — Saturday 22 April 2017 @ 22:26

  4. […] rtfdump, […]

    Pingback by CVE-2017-0199 & Metasploit – Analysis | Didier Stevens Videos — Saturday 22 April 2017 @ 22:30

  5. […] are several good ways to decode an RTF file. Didier Stevens provides an extremely useful tool (rtfdump.py) to decode the contents of an RTF […]

    Pingback by Microsoft Office Zero-Day: Detecting the HTA Handler Vulnerability (CVE-2017-0199) – Kevin Douglas — Monday 12 June 2017 @ 0:21

  6. […] this nice blogpost, @bluejay00 analyzes RTF malware with my rtfdump.py tool. But because of obfuscation, rtfdump.py is not able to extract the object. @bluejay00 […]

    Pingback by I Will Follow (no, not talking about social media) | Didier Stevens — Thursday 6 July 2017 @ 20:54

