In diary entry “Quick Howto: Extract URLs from RTF files” I mentioned ZIP files.
There are OLE objects inside this RTF file:
They can be analyzed with oledump.py like this:
Options –storages and -E %CLSID% are used to show the abused CLSID.
Stream CONTENTS contains the URL:
We extracted this URL with the method described in my previous diary entry “Quick Howto: Extract URLs from RTF files“.
But this OLE object contains a .docx file.
A .docx file is a ZIP container, and thus the URLs it contains are inside compressed files, and will not be extracted with the technique I explained.
But this file can be looked into with zipdump.py:
It is possible to search for ZIP files embedded inside RTF files: 50 4B 03 04 -> hex sequence of magic number header for file record in ZIP file.
Search for all embedded ZIP files:
Extract URLs:
Didier Stevens
Senior handler
blog.DidierStevens.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.