Hello, we are going to analyze a malicious RTF file that I received, a Rich Text Format file. We can analyze this with my tool rtfdump, and this is the file. Okay, and here you get an overview of all the sequences you find in this RTF file. So let's pipe this through less and go through it page by page. Okay, and it looks like we find no embedded objects. So let's explicitly filter for OLE objects. And indeed, rtfdump is not able to find embedded objects inside it, but I know there are some inside, because it's heavily obfuscated, and rtfdump is not able to handle that obfuscation. But still, with some manual options, we can extract that payload, and that's what we are going to do now.

So if we look back at the file here: in this column, the h= indicator, that's the number of hexadecimal characters that are found inside a sequence. So for example here, sequence 4: we have 6989 hexadecimal characters, of which there are 252 hexadecimal characters that are consecutive. So that's the longest hexadecimal string inside that sequence, 252. And also "unexpected 7", so there is probably some obfuscation in there. And this here is contained in these other levels, and you can see here the hexadecimal count for those levels. So we always first start with large hexadecimal sequences, and we start with the sequence with the highest level. So here, four, for that group. So I select sequence 4, and I'm going to pipe this through less.

Okay, and here we already see objdata, but there is no asterisk. That's why it was not recognized. And so this is normally an OLE file, because of that objdata, and we can see that here with that sequence of hexadecimal characters that is heavily obfuscated: you see a D here, zero, CF, 11, E0, like a DOC file. But it's not one continuous hexadecimal string. There are spaces in between, no, tabs, it looks like tabs, and here there is also another sequence inside. So that is what tries to make the detection more difficult.

So we're going to launch our command again, and now we are going to instruct rtfdump to convert all those hexadecimal characters to binary and see what we get. Okay, and here we already see Equation.3. So this is probably an exploit for the Equation Editor vulnerability. And here we can see our DOC file, but there is an "a" here that is unexpected. That's because of the obfuscation, and because of this "a", all the next bytes are shifted by four bits, one nibble: instead of CF you see 0C here, and then F1, 1E, and so on. So we will shift this. There's an option in rtfdump to do this, but let's first go through the whole dump. Okay, and we see some binary data, but it doesn't look clear to me what it is. Yeah, so there's nothing that I can recognize. So I'm going to run this again, but with the shift option, option capital S. This will shift the hexadecimal characters by one character, so four bits or one nibble. Okay, and now we no longer see Equation here, because it's shifted by four bits, but here you can see the CF 11 E0. So that is now in the correct order. And let's go through the dump. Okay, yeah, and indeed here: Root Entry, Ole, CompObj. So this is indeed an OLE file. Yeah, and indeed Equation. So, and here you see the payload. So this is the exploit, and now to finish I'm going to dump this sequence, so binary dump, and pipe this through strings, and then here I can extract the payload.
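The manual steps narrated above (strip the whitespace and nested group out of the objdata hex stream, decode it, notice the OLE magic is off by one nibble because of a spurious leading character, re-decode with a one-nibble shift, then run strings over the result) can be reproduced in a few lines of Python. The following is an added example written for this page; it is not rtfdump's code and does not use rtfdump's API. The objdata string it works on is constructed for the example, and the group-stripping regex assumes only one level of nesting inside the hex stream.

```python
import re

# Magic number of an OLE compound file: the "D0 CF 11 E0" the video points at.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# Constructed sample: an objdata hex stream obfuscated the way the video
# describes. A spurious leading nibble ('a'), spaces, tabs, newlines and a
# nested RTF group are dropped into the middle of the hex string.
SAMPLE_OBJDATA = (
    "a d0cf 11e0\ta1b1 1ae1\n"        # OLE magic, pushed one nibble by the 'a'
    "0000 {\\*\\pad 1234}0000 0000 0000\n"
    "4571 7561 7469 6f6e 2e33 00"     # "Equation.3\0" as ASCII hex
)


def clean_hex(objdata: str) -> str:
    """Drop nested {...} groups, then every non-hex character (spaces, tabs, newlines)."""
    no_groups = re.sub(r"\{[^{}]*\}", "", objdata)
    return re.sub(r"[^0-9A-Fa-f]", "", no_groups)


def hex_to_bytes(hexstr: str, shift: int = 0) -> bytes:
    """Decode hex after skipping `shift` leading nibbles (rtfdump -S style).
    A dangling odd nibble at the end is dropped rather than raising."""
    s = hexstr[shift:]
    if len(s) % 2:
        s = s[:-1]
    return bytes.fromhex(s)


def find_ole_payload(objdata: str):
    """Try the unshifted and the one-nibble-shifted decoding of the hex stream.
    Return (shift, data) for the first one that starts with the OLE magic,
    or None if neither does."""
    cleaned = clean_hex(objdata)
    for shift in (0, 1):
        data = hex_to_bytes(cleaned, shift)
        if data.startswith(OLE_MAGIC):
            return shift, data
    return None


def printable_strings(data: bytes, minimum: int = 4):
    """Minimal `strings`: runs of at least `minimum` printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{" + str(minimum).encode() + b",}"
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


if __name__ == "__main__":
    result = find_ole_payload(SAMPLE_OBJDATA)
    if result is None:
        print("no OLE header found with shift 0 or 1")
    else:
        shift, data = result
        print(f"OLE header found after shifting {shift} nibble(s); {len(data)} bytes")
        print("first bytes:", data[:8].hex(" "))
        print("strings:", printable_strings(data))
```

With shift 0 the sample decodes to AD 0C F1 1E ..., the misaligned bytes seen in the video; with shift 1 the OLE magic lines up and the `Equation.3` string becomes visible, which is the same signal rtfdump's `-S` option produces on the real file.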