Reader Salil asked for help with the analysis of a .MSG file. We talked about the analysis of .MSG files before, and Salil was able to use my oledump.py tool to look into the .msg file, but still had a problem finding URLs he knew were inside the email. I took a look, and found the URLs inside compressed RTF. Running oledump.py with the MSG plugin plugin_msg.py and grepping for string body allows me to find streams that (might) contain the message body: As Salil noted, stream 66 contains the message body, but without URLs: Grepping with a bit more context reveals stream 67, also noticed by Salil: Notice the string LZFu at position 0x08 inside the stream: this indicates that this stream contains compressed RTF. This stream can be decompressed with my new tool decompress_rtf.py, by dumping it and piping it into decompress_rtf.py: Piping this decompressed RTF file into rtfdump.py confirms that it is indeed a valid RTF document: One way to extract the URLs, is too pipe the RTF document into my tool re-search.py with the URL regex: To quickly check if a .MSG file contains compressed RTF, one can use an ad-hoc YARA rule to search for string LZFu:
Didier Stevens |
DidierStevens 532 Posts ISC Handler Oct 22nd 2018 |
Thread locked Subscribe |
Oct 22nd 2018 2 years ago |
Sign Up for Free or Log In to start participating in the conversation!