Threat Level: green Handler on Duty: Richard Porter

SANS ISC: InfoSec Handlers Diary Blog - Detecting Compressed RTF InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Detecting Compressed RTF

Published: 2018-10-28
Last Updated: 2018-10-28 21:37:14 UTC
by Didier Stevens (Version: 1)
0 comment(s)

I was asked how I knew that the content of the email in my last diary entry, was compressed RTF.

At first, I didn't know this. The reader, Salil, told us that he suspected that the URLs he was looking for, were in stream 67. I looked at stream 67, but couldn't find the content of the email.

Then I analyzed the content of the stream with my tool byte-stats.py, and noticed it was about 5 KB with a high entropy: 7.5...

So I thought that the content of this stream was probably compressed. But looking at the hexdump, I didn't recognize the compression method:

The first string in this hexdump is LZFu. LZ reminded me of Lempel-Ziv compression. A Google search for LZFu gave this:

That's when I found out about Compressed RTF, and then I created a decompression tool with the right module and a couple of lines.

I also updated my file-magic tool to detect Compressed RTF using this definition:

# 2018/10/26

#------------------------------------------------------------------------------
# Compressed RTF:  file(1) magic Compressed RTF
#
8       string  LZFu    Compressed RTF

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords:
0 comment(s)
Diary Archives