Hello again, this time we are going to use rtfdump to analyze a real malicious RTF file. This is the file sample and as you can see it contains an enormous amount of items, almost 23,000. So that's a strong indication of obfuscation. So let's filter for items that contain an object. Okay, and now we have a much simpler overview. So we have here those nested entries that contain objects, here about 10,000 hexadecimal characters, also more than a million characters in total. So it's clear that this contains a lot of obfuscation. So here we see 166 contains 11,429 hexadecimal characters, like the previous ones, and then this child here contains 2,315. So we are going to look first at this one here, 166. So we select 166, we want the hex decode, and since it is an object we also want information about the object. Like this. Okay, and we see the information: the name, the position and the size, the hash, and the magic. So this is an OLE file. The magic header here, d0cf11e0, tells us it's an OLE file. So we are going to extract this OLE file and parse it with oledump. So we select 166, we want the hex decode and we are going to cut out the OLE file. So position 33 and the size E00, so that's the length. We want to dump this, that's the sample, and now we pass this on to oledump, okay. And we get an error. Now oledump recognizes this as an OLE file, otherwise we would not get an error but a warning telling us that it's not a valid OLE file, okay, but it recognizes an OLE file. The problem here is in parsing the OLE file itself and you see here "incorrect OLE FAT, sector index out of range", that's an exception in the olefile module, okay. So we are a bit stuck here to analyze this with oledump, so we are going to try something else. rtfdump also supports YARA, like this, and I have a couple of YARA rules here and we want those YARA rules to scan through the strings that contain hexadecimal data.
So we are going to do a hex decode on this sample, okay, and this is interesting now. We see again the same objects, 160, 165, 166, 167, and in our object 166 we have three YARA rules that triggered. The first one for an RTF object, okay, sorry, that's the last one, but this one triggers for an RTF object; now that's not surprising here because it indeed contains an object. This one here, this rule, indicates that this object contains a string HTTP, so somewhere in the binary data there is a string HTTP, so that's interesting. And also there is a class ID for ListView 2. Now there are exploits for this COM object and it's possible that this sample here, this malicious document, contains an exploit which is a downloader via HTTP. So we are going to try to find out where this is located and we can do this by using the same command, but with option yarastrings. And this will tell us more information about the strings that are found, like this, okay. So object 166, our string HTTP: one instance of that string HTTP is found at location 000, sorry, 000CB6. So let's cut this position out of the data and see what we have here. So CB6, rtfdump, select 166, hex decode, and we want this from CB6 and we are going to take 100 hexadecimal bytes, and this is our sample. Okay, and indeed we discovered HTTP and it is a URL. You have here the URL and the extension ll.exe is a strong indication that it is indeed an executable PE file that is downloaded. So since we also saw the class ID for ListView, this is probably an exploit and we can then also expect to find shellcode. So let's see what we find here before this data. So we will issue the same command, but we will look at a bit more bytes, 300 hex bytes in total, and let's start from AB6 instead of CB6, so 200 hex bytes earlier, like this. Okay, and we have our string here and then a lot of bytes here.
Now if you look closely you see some words like exit here, proc, URL here, hwin here, and then here there are question marks, if you look here, 909090. So this looks like a small NOP sled. So this is very likely shellcode for an exploit and we are going to extract that shellcode and take a closer look at it. So we have a small NOP sled here, 909090, and then here it is followed by 33c9. So we are going to search for that sequence and then select the data, cut the data out of the stream at the position that we find. So we do it like this. So a hex decode and we are going to cut, but this time instead of giving a position we're going to give bytes that have to be found inside the sequence of bytes, so 33c9. That's our sequence that we want to find and when we have found that we are going to take 150 hexadecimal bytes out of that sample. Like this. Now we have this here: a small NOP sled, shellcode and URL. So we can try to analyze this. I'm going to show two methods. For the first method we take exactly the same command, but instead of doing an ASCII hex dump we will dump it and disassemble it with radare2. So the disassembler here. We expect that it is x86 code. It's binary data that we pipe into it. We want to disassemble it and also see the hex code, and we want to take it from standard input because we are piping it into it. So indeed here at the end we see our zeros, but this looks indeed like shellcode. This here, yeah, the NOP sled, the xor ecx, ecx to zero the ecx register. So this is shellcode, it disassembles. This here looks less like shellcode, but this is because this is actually the URL. You can see http colon slash slash. So another method: we are going to do that with a shellcode emulator. We are going to decode this with a shellcode emulator, libemu. Now I only have this for Windows, so I'm going to use wine here to use that Windows tool. So first of all, instead of disassembling it with radare, let's put it in a file because that shellcode emulator needs a file.
Then we run wine, the shellcode emulator, and we pass it the shellcode as a file, like this. Okay, so this is the output from wine, but here, from here on, you can see the output from the shellcode emulator. So it reads the bytes, and you can see what the shellcode actually does. It uses the URLDownloadToFile API call to download from this URL and write this to the file word.scr, and then it executes that file and exits.
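As an added example that is not part of the video or of rtfdump itself, here is a small Python script that reproduces the triage steps from the walkthrough on a constructed object: hex-decoding the object's data, checking for the OLE magic, cutting by position or by byte sequence, and locating the embedded URL and the NOP sled. The cut expression syntax is modeled on the position:length and [bytes]:length forms typed above, and the sample bytes and URL are made up.

```python
import re

# Magic bytes at the start of every OLE (compound document) file; the video reads them as d0cf11e0.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

def hex_decode(objdata: str) -> bytes:
    """Turn the hexadecimal text of an RTF object into bytes, ignoring whitespace and line breaks."""
    hexchars = re.sub(r"[^0-9A-Fa-f]", "", objdata)
    return bytes.fromhex(hexchars[: len(hexchars) // 2 * 2])

def is_ole(data: bytes) -> bool:
    """True when the data starts with the OLE magic header."""
    return data.startswith(OLE_MAGIC)

def cut(data: bytes, expr: str) -> bytes:
    """Cut a slice out of the data, either from a position ("0x33:0xE00l")
    or from the first occurrence of a byte sequence ("[33c9]:0x150l");
    modeled on the cut expressions typed in the walkthrough (assumption, not rtfdump's parser)."""
    m = re.fullmatch(r"(?:0x([0-9A-Fa-f]+)|\[([0-9A-Fa-f]+)\]):0x([0-9A-Fa-f]+)l", expr)
    if m is None:
        raise ValueError(f"unsupported cut expression: {expr}")
    position, needle, length = m.groups()
    start = int(position, 16) if position is not None else data.find(bytes.fromhex(needle))
    if start < 0:
        raise ValueError(f"byte sequence {needle} not found")
    return data[start:start + int(length, 16)]

def find_urls(data: bytes) -> list:
    """Return printable http/https URLs embedded in binary data (what the YARA rule hinted at)."""
    return [m.group().decode("ascii") for m in re.finditer(rb"https?://[\x21-\x7e]+", data)]

def find_nop_sled(data: bytes, min_len: int = 3) -> int:
    """Offset of the first run of at least min_len NOP (0x90) bytes, or -1."""
    m = re.search(rb"\x90{%d,}" % min_len, data)
    return m.start() if m else -1

# Constructed sample: a 0x33-byte wrapper, the OLE magic, filler, a NOP sled, the 33c9 (xor ecx,ecx)
# start of fake "shellcode" and a made-up URL; nothing here comes from the real malicious document.
SAMPLE_OBJECT = (
    b"\x01\x05\x00\x00" + b"\x00" * (0x33 - 4)
    + OLE_MAGIC + b"\x00" * 0x20
    + b"\x90" * 8 + b"\x33\xc9\x64\x8b" + b"\x00" * 4
    + b"http://example.invalid/ll.exe\x00"
)
SAMPLE_OBJDATA = "\n".join(SAMPLE_OBJECT.hex()[i:i + 64] for i in range(0, len(SAMPLE_OBJECT.hex()), 64))
if __name__ == "__main__":
    data = hex_decode(SAMPLE_OBJDATA)
    print("OLE file at 0x33:", is_ole(cut(data, "0x33:0x200l")))
    print("URLs:", find_urls(data))
    print("NOP sled at:", hex(find_nop_sled(data)), "shellcode:", cut(data, "[33c9]:0x4l").hex())
```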