Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: MSG Files: Compressed RTF - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
MSG Files: Compressed RTF

Reader Salil asked for help with the analysis of a .MSG file. We talked about the analysis of .MSG files before, and Salil was able to use my oledump.py tool to look into the .msg file, but still had a problem finding URLs he knew were inside the email.

I took a look, and found the URLs inside compressed RTF.

Running oledump.py with the MSG plugin plugin_msg.py and grepping for string body allows me to find streams that (might) contain the message body:

As Salil noted, stream 66 contains the message body, but without URLs:

Grepping with a bit more context reveals stream 67, also noticed by Salil:

Notice the string LZFu at position 0x08 inside the stream: this indicates that this stream contains compressed RTF.

This stream can be decompressed with my new tool decompress_rtf.py, by dumping it and piping it into decompress_rtf.py:

Piping this decompressed RTF file into rtfdump.py confirms that it is indeed a valid RTF document:

One way to extract the URLs, is too pipe the RTF document into my tool re-search.py with the URL regex:

To quickly check if a .MSG file contains compressed RTF, one can use an ad-hoc YARA rule to search for string LZFu:

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

289 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!