Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
We will soon disable TLS 1.0 for this site. Use this page to check if you may be using TLS 1.0

Latest Diaries

Sometimes it's a dud

Published: 2017-12-09
Last Updated: 2017-12-09 22:11:57 UTC
by Didier Stevens (Version: 1)
0 comment(s)

A reader submitted a malicious RTF file, experiencing difficulty to find the malicious code.

It was delivered via email, we analyze the file with emldump.py:

I've seen such emails before:

They typically have a malicious document as attachment.

Here it's an RTF file:

We can analyze it with rtfdump.py:

The RTF file has no objects:

It's always possible that objects are so obfuscated, that rtfdump.py is not able to identify them. So let's take a look at the amount of hexadecimal characters we can find in the RTF file:

There's hardly any hexadecimal characters, the longest contiguous string of hexadecimal characters is just 20 characters long.

So this RTF file does not seem to contain malicious code. Looking at the file itself with a text editor, I came to the conclusion that it's just an empty RTF file (with metadata). With the metadata, I was able to find actual malicious RTF files produced by the same actor. So this must be a failed attempt at delivering malicious documents.

 

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: maldoc rtf
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Using Our API To Adjust iptables Rules
Dec 8th 2017
2 days ago by Johannes (3 comments)

Apple Updates Everything. Again.
Dec 6th 2017
4 days ago by Johannes (0 comments)

PSA: Do not Trust Reverse DNS (and why does an address resolve to "localhost").
Dec 6th 2017
4 days ago by Johannes (0 comments)

IR using the Hive Project.
Dec 5th 2017
6 days ago by Tom (0 comments)

View All Diaries →

Latest Discussions

KRACK Attack
created Dec 5th 2017
5 days ago by AMB (0 replies)

Hex Values in the User Agent
created Nov 30th 2017
1 week ago by Anonymous (2 replies)

Finding the right forensics examiner
created Nov 26th 2017
2 weeks ago by Anonymous (0 replies)

Strange user-agent on DSHIELD project
created Nov 20th 2017
2 weeks ago by DrGreen (0 replies)

Suspicious traffic to unusual site names in the .info TLD
created Nov 16th 2017
3 weeks ago by jauntysankey (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
5 months ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
4 months ago by Johannes (12 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
3 months ago by Renato (0 comments)

Maldoc with auto-updated link
Aug 17th 2017
3 months ago by Xme (2 comments)

OAUTH phishing against Google Docs ? beware!
May 3rd 2017
7 months ago by Bojan (6 comments)