Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Detecting Compressed RTF - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Detecting Compressed RTF

I was asked how I knew that the content of the email in my last diary entry, was compressed RTF.

At first, I didn't know this. The reader, Salil, told us that he suspected that the URLs he was looking for, were in stream 67. I looked at stream 67, but couldn't find the content of the email.

Then I analyzed the content of the stream with my tool byte-stats.py, and noticed it was about 5 KB with a high entropy: 7.5...

So I thought that the content of this stream was probably compressed. But looking at the hexdump, I didn't recognize the compression method:

The first string in this hexdump is LZFu. LZ reminded me of Lempel-Ziv compression. A Google search for LZFu gave this:

That's when I found out about Compressed RTF, and then I created a decompression tool with the right module and a couple of lines.

I also updated my file-magic tool to detect Compressed RTF using this definition:

# 2018/10/26

#------------------------------------------------------------------------------
# Compressed RTF:  file(1) magic Compressed RTF
#
8       string  LZFu    Compressed RTF

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

289 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!