
An RTF phish

Published: 2018-01-20
Last Updated: 2018-01-20 22:36:00 UTC
by Didier Stevens (Version: 1)

I received another RTF file (with a .doc extension) via email. Let's take a look at it with rtfdump:

It looks like there are no embedded objects; let's make sure by filtering for objects:

There are no embedded objects, or they are so heavily obfuscated that rtfdump doesn't recognize them. To rule out that possibility, we look for hexadecimal digits (an embedded OLE object is stored in an RTF file as a long string of hexadecimal characters):

Some of the sequences (like 17 and 18) contain 1329 hexadecimal characters in total, but only in runs of 5 or 6 contiguous hexadecimal characters.

Either this is extremely obfuscated, or it doesn't contain an exploit, but is rather phishing.

Searching for URLs:

Indeed, it is phishing (NetEase / 163 is a Chinese Internet company):
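The triage logic used above (look for long runs of hexadecimal digits that would betray an embedded object, then search for URLs when there are none) can be reproduced in a few lines of Python. The script below is an added example written for this diary entry; it is not rtfdump and not part of Didier's tooling. The two RTF documents it scans are constructed samples, not the phishing file from the diary, and the 64-character threshold for a "long" hex run is an assumption chosen for illustration.

```python
import re
from typing import Dict, List

# Constructed sample standing in for the diary's phishing RTF (not the real file).
# The only hexadecimal content is in short runs, like the 5-6 character runs seen above.
SAMPLE_RTF = r"""{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}
\pard Dear 163.com user, your mailbox storage is full.\par
Please re-verify your account at http://mail-163.example.invalid/login?acct=user \par
{\*\datastore 4f8a3c 0ab1 dead beef 0000 caf3 1234ab}\par
}"""

# Constructed sample of an RTF carrying an embedded OLE object: the \objdata
# payload is one long hexadecimal string (here 80 characters of filler bytes).
OBJ_RTF = r"{\rtf1{\object\objemb{\*\objdata " + "d0cf11e0a1b11ae1" * 5 + "}}}"

HEX_DIGITS = re.compile(r"[0-9A-Fa-f]+")
# Stop a URL at whitespace, RTF group braces, control-word backslashes and quotes.
URL_PATTERN = re.compile(r'https?://[^\s{}\\"<>]+')

VERDICT_OBJECT = "possible embedded object: long hexadecimal run"
VERDICT_PHISH = "no long hexadecimal runs, URLs present: likely phishing"
VERDICT_NONE = "no long hexadecimal runs and no URLs"

def hex_stats(data: str) -> Dict[str, int]:
    """Count hexadecimal characters and the longest contiguous run.

    Like rtfdump's hexadecimal search, this counts ordinary words too
    (e.g. 'Dead', 'face'), so the longest run matters more than the total.
    """
    runs = HEX_DIGITS.findall(data)
    return {
        "total_hex_chars": sum(len(r) for r in runs),
        "longest_run": max((len(r) for r in runs), default=0),
    }

def find_urls(data: str) -> List[str]:
    """Return every http(s) URL found in the raw RTF text."""
    return URL_PATTERN.findall(data)

def triage(data: str, long_run: int = 64) -> Dict[str, object]:
    """Classify an RTF document using the diary's two checks.

    A run of at least `long_run` hexadecimal characters (assumed threshold)
    is treated as a possible embedded object and should be examined further;
    otherwise the presence of URLs points to plain phishing content.
    """
    stats = hex_stats(data)
    urls = find_urls(data)
    if stats["longest_run"] >= long_run:
        verdict = VERDICT_OBJECT
    elif urls:
        verdict = VERDICT_PHISH
    else:
        verdict = VERDICT_NONE
    return {**stats, "urls": urls, "verdict": verdict}

if __name__ == "__main__":
    for name, doc in (("phishing sample", SAMPLE_RTF), ("object sample", OBJ_RTF)):
        result = triage(doc)
        print(f"{name}: longest hex run {result['longest_run']}, "
              f"{result['total_hex_chars']} hex chars total")
        for url in result["urls"]:
            print(f"  URL: {url}")
        print(f"  verdict: {result['verdict']}")
```

Run it against any RTF you want to triage by reading the file as text and passing it to `triage()`. The phishing-like sample reports a longest run of only 6 characters and one URL, while the object sample trips the long-run check; in a real investigation the latter is the cue to go back to rtfdump and extract the object.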


Didier Stevens
Microsoft MVP Consumer Security

Keywords: maldoc phishing rtf