SANS Internet Storm Center (ISC) diary
Analysis Of An "ms-msdt" RTF Maldoc

Malicious document "aaa.rtf" is an RTF file that downloads an HTML file, which in turn uses the ms-msdt handler to get a PowerShell script executed. This is explained in our diary entry "New Microsoft Office Attack Vector via "ms-msdt" Protocol Scheme (CVE-2022-30190)".

To analyze RTF files, I use my tool

In the list of RTF entities, there is an object whose objclass contains a URL, together with an objdata entry holding the embedded object:

Here is the URL of the objclass:

And here are the objects:

The first object is an OLE file that can be piped into for analysis:

The \1Ole and \3LinkInfo streams contain URLs:

The structure of these streams is documented by Microsoft, but parsing them is not necessary for this sample; we can also just extract the strings:
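As an added example (not the diary's own tooling), here is a small Python triage script that does the same thing on a file: it pulls the objclass text and the hex-encoded objdata out of an RTF, decodes the objdata, and lists URL-looking strings found in both ASCII and UTF-16LE runs. The RTF and the example.invalid URLs it works on are constructed for the demonstration.

```python
import re

# Constructed sample (not the diary's aaa.rtf): an RTF with one embedded object whose
# objclass carries a URL and whose hex objdata wraps URLs as ASCII and as UTF-16LE.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objautlink\objclass Word.Document.8 http://example.invalid/index.html"
    r"{\*\objdata 01050000 02000000 "
    + b"http://example.invalid/objdata.html\x00\x00".hex() + " "
    + "http://example.invalid/linkinfo.html".encode("utf-16le").hex()
    + "}}}"
)

OBJCLASS_RE = re.compile(r"\\objclass\s+([^{}\\]+)")
OBJDATA_RE = re.compile(r"\\\*\\objdata\s*([0-9a-fA-F\s]+)")
URL_RE = re.compile(r"https?://[^\s\"'<>{}\\\x00]+", re.I)


def decode_objdata(hexblob):
    """Turn the whitespace-sprinkled hex of an \\objdata entry into raw bytes."""
    h = re.sub(r"\s+", "", hexblob)
    return bytes.fromhex(h[: len(h) - len(h) % 2])  # drop a dangling nibble


def printable_strings(data, minlen=8):
    """Yield ASCII runs and UTF-16LE runs, like `strings` with both encodings."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, data):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % minlen, data):
        yield m.group().decode("utf-16le")


def extract_urls(rtf):
    """Return the sorted set of URLs seen in objclass text and decoded objdata."""
    found = set()
    for m in OBJCLASS_RE.finditer(rtf):
        found.update(URL_RE.findall(m.group(1)))
    for m in OBJDATA_RE.finditer(rtf):
        for s in printable_strings(decode_objdata(m.group(1))):
            found.update(URL_RE.findall(s))
    return sorted(found)


if __name__ == "__main__":
    for url in extract_urls(SAMPLE_RTF):
        print(url)
```

On a real file, read it with `open(path, errors="replace").read()` and pass the text to `extract_urls`; the hex decoding is what makes the OLE streams' strings visible without parsing the OLE1/OLE2 structures.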

Looking at the relations of this maldoc on VirusTotal, I found PowerShell scripts and a Cobalt Strike beacon:


Didier Stevens
Senior Handler, Microsoft MVP
Jun 5th 2022