MSG Files: Compressed RTF

Published: 2018-10-21
Last Updated: 2018-10-22 06:22:04 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Reader Salil asked for help with the analysis of a .MSG file. We talked about the analysis of .MSG files before, and Salil was able to use my tool to look into the .msg file, but still had a problem finding URLs he knew were inside the email.

I took a look, and found the URLs inside compressed RTF.

Running with the MSG plugin and grepping for string body allows me to find streams that (might) contain the message body:

As Salil noted, stream 66 contains the message body, but without URLs:

Grepping with a bit more context reveals stream 67, also noticed by Salil:

Notice the string LZFu at position 0x08 inside the stream: this indicates that this stream contains compressed RTF.

This stream can be decompressed with my new tool, by dumping it and piping it into

Piping this decompressed RTF file into confirms that it is indeed a valid RTF document:

One way to extract the URLs, is too pipe the RTF document into my tool with the URL regex:

To quickly check if a .MSG file contains compressed RTF, one can use an ad-hoc YARA rule to search for string LZFu:


Didier Stevens
Senior handler
Microsoft MVP

Keywords: compression msg rtf
0 comment(s)


Diary Archives