SANS Internet Storm Center (SANS ISC) diary
An RTF phish

I received another RTF file (with a .doc extension) via email. Let's take a look with rtfdump:

It looks like there are no embedded objects; let's make sure by filtering for objects:

There are no embedded objects, or they are so heavily obfuscated that rtfdump doesn't recognize them. To rule out the second possibility, we look at the hexadecimal digits in each group: even an obfuscated embedded object still has to be stored as a long run of hexadecimal characters somewhere in the file.

Some of the groups (like 17 and 18) contain 1329 hexadecimal characters in total, but the longest runs of contiguous hexadecimal characters are only 5 or 6 digits long, which is what normal text and control words produce.

Either this is extremely obfuscated, or it doesn't contain an exploit at all but is simply phishing.

Searching for URLs:

Indeed, it is phishing (the URL relates to NetEase / 163, a Chinese Internet company):
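The triage above, as an added example that is not rtfdump and not code from this diary: a small Python script that repeats the same three checks (look for object groups, measure hex-digit runs per group, extract URLs) over two constructed RTF samples, a phishing lure with only a hyperlink field and a variant that carries a long hex blob in an object group. The samples, the URL (on the reserved .invalid TLD), the 64-digit "long run" threshold and the verdict wording are all assumptions made for the example; the group numbering is simply document order of the opening brace.

```python
import re

# Two constructed RTF samples for this example (not the file from the diary).
# 1) A phishing lure: no embedded object, only a hyperlink field. The URL
#    uses the reserved .invalid TLD and is made up.
PHISH_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0\fswiss Arial;}}"
    rb"{\colortbl;\red0\green0\blue255;}"
    rb"\viewkind4\uc1\pard\f0\fs22 Your mailbox is almost full.\par "
    rb'{\field{\*\fldinst{HYPERLINK "http://mail.example.invalid/163/verify"}}'
    rb"{\fldrslt{\cf1\ul Click here to keep your account}}}\par "
    rb"\'e9 escaped text with a short hex-looking run: abcde1\par }"
)
# 2) The same kind of document carrying an embedded object as a long hex run.
#    The payload is a placeholder blob (not a real OLE1 stream): 280 hex digits.
HEX_PAYLOAD = b"0105000002000000" + b"08000000" + b"5061636b61676500" + b"00" * 120
OBJECT_RTF = (
    rb"{\rtf1\ansi\deff0 Please open the attached invoice.\par "
    rb"{\object\objemb{\*\objclass Package}{\*\objdata " + HEX_PAYLOAD + rb"}}\par }"
)

# Control words (with their optional delimiter space), \'xx byte escapes and
# control symbols such as \* or \{ are removed before counting hex digits, so
# that "\deff0" or "\'e9" is not mistaken for stored hex data.
CONTROL = re.compile(rb"\\([a-zA-Z]+-?\d* ?|'[0-9A-Fa-f]{2}|[^a-zA-Z])")
HEX_RUN = re.compile(rb"[0-9A-Fa-f]+")
OBJECT_WORD = re.compile(rb"\\(?:object|objdata|pict)(?![a-zA-Z])")
URL = re.compile(rb"https?://[^\s\"'{}<>\\]+")


def rtf_groups(data: bytes):
    """Enumerate RTF groups in document order (order of the opening brace).

    Returns a list of (group_no, depth, content); content is the raw bytes
    between the braces, nested groups included. Escaped braces (\\{ and \\})
    are literal characters and do not open or close a group.
    """
    groups, stack, i, n = [], [], 0, len(data)
    while i < n:
        b = data[i]
        if b == 0x5C:                      # backslash: skip the escaped byte
            i += 2
            continue
        if b == 0x7B:                      # '{'
            entry = [len(groups) + 1, len(stack) + 1, i + 1, n]
            groups.append(entry)
            stack.append(entry)
        elif b == 0x7D and stack:          # '}'
            stack.pop()[3] = i
        i += 1
    # Unclosed groups (truncated file) keep the default end: end of data.
    return [(no, depth, data[start:end]) for no, depth, start, end in groups]


def hex_stats(content: bytes):
    """(total hex digits, longest contiguous run) for one group.

    Whitespace is removed after stripping control words because RTF writers
    wrap embedded hex data across lines; a wrapped object must still count
    as one long run.
    """
    text = re.sub(rb"\s+", b"", CONTROL.sub(b"", content))
    runs = HEX_RUN.findall(text)
    return sum(len(r) for r in runs), max((len(r) for r in runs), default=0)


def triage(data: bytes, long_run: int = 64) -> dict:
    """Replay the three checks: object groups, hex runs per group, URLs.

    long_run is an assumed threshold: ordinary text yields runs of a handful
    of hex-looking characters, while a stored object is hundreds or more.
    """
    report = []
    for no, depth, content in rtf_groups(data):
        total, longest = hex_stats(content)
        report.append({"group": no, "depth": depth, "hex_total": total,
                       "hex_longest": longest,
                       "object": OBJECT_WORD.search(content) is not None})
    has_object = any(g["object"] for g in report)
    max_run = max((g["hex_longest"] for g in report), default=0)
    urls = sorted({u.decode("ascii", "replace") for u in URL.findall(data)})
    if has_object or max_run >= long_run:
        verdict = "embedded object or long hex run: analyse as a possible exploit"
    elif urls:
        verdict = "no embedded object, URL present: likely a phishing lure"
    else:
        verdict = "no embedded object and no URL: review manually"
    return {"groups": report, "has_object": has_object,
            "max_hex_run": max_run, "urls": urls, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_RTF), ("object", OBJECT_RTF)):
        result = triage(sample)
        print(f"== {name}: {result['verdict']}")
        for g in result["groups"]:
            print(f"  group {g['group']:2d} depth {g['depth']} "
                  f"hex {g['hex_total']:4d} longest run {g['hex_longest']:3d}"
                  f"{'  <object>' if g['object'] else ''}")
        for url in result["urls"]:
            print("  url:", url)
```

On the phishing sample the longest hex run in any group is 6 digits (the "abcde1" in the body text), no group carries an object control word, and the only URL is the lure; on the object sample the objdata group shows a single 280-digit run, which is the signal that would have warranted pulling the object out for a closer look.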


Didier Stevens
Microsoft MVP Consumer Security, ISC Handler
blog.DidierStevens.com DidierStevensLabs.com