Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Detecting Compressed RTF SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Detecting Compressed RTF

I was asked how I knew that the content of the email in my last diary entry, was compressed RTF.

At first, I didn't know this. The reader, Salil, told us that he suspected that the URLs he was looking for, were in stream 67. I looked at stream 67, but couldn't find the content of the email.

Then I analyzed the content of the stream with my tool byte-stats.py, and noticed it was about 5 KB with a high entropy: 7.5...

So I thought that the content of this stream was probably compressed. But looking at the hexdump, I didn't recognize the compression method:

The first string in this hexdump is LZFu. LZ reminded me of Lempel-Ziv compression. A Google search for LZFu gave this:

That's when I found out about Compressed RTF, and then I created a decompression tool with the right module and a couple of lines.

I also updated my file-magic tool to detect Compressed RTF using this definition:

# 2018/10/26

#------------------------------------------------------------------------------
# Compressed RTF:  file(1) magic Compressed RTF
#
8       string  LZFu    Compressed RTF

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

481 Posts
ISC Handler
Oct 28th 2018

Sign Up for Free or Log In to start participating in the conversation!