Hello, in this video I want to show you my new RTF tool. rtfdump is another dump tool to analyze RTF files, so Rich Text Format files. And I've prepared a couple of simple examples, like the first one here. This is a very, very simple RTF file. So RTF files are composed of nested strings that start with a brace and stop with a closing brace, like this here. So this is one string and this is a control word. Here inside you have another nested string, and then another one. And here you also have data in that string. Now if you run rtfdump on it, you will get this output. So it contains three nested strings, and for every string you find an entry. The first column here is just the number I add to the string so that you can select it, like I used to do in my other dump tools. Then here you have the nesting level. We start at level 1. The second string is level 2 because it is nested in a level 1 string, and the third string is level 3 because it is nested in a level 2 string. This here indicates the number of children. So this string here has one child, that's a level 2. The level 2 also has one child, that's a level 3. And the level 3 has no children. This here, the P, is the position. So this is the position in the RTF file where we can find this string, and that's in hexadecimal. And here you have the length of that string. These numbers here I will explain later. And then here you have the control word at the end. Now, like in my other dump tools, you can select like this. We select the first string of this simple RTF file and then we have a hex/ASCII dump of what we selected. You can also do a hex dump like in my other tools, or just a raw dump like this, and then you have the nested data. If we select the second one we have this, and if we select the third string then we have the data. Now this was a very simple RTF file. Normally the RTF files in which we are interested, so the malicious RTF files, will contain some embedded objects.
And this is done with hexadecimal characters. So this one here, this second example, is exactly like the first one, but the difference is that instead of just the word "data" here, now we have hexadecimal data. And this hexadecimal data here starts with 01050000200000. This here is the sequence that I use to detect objects. Objects are special representations within the hexadecimal data that you find in RTF files. So let's do a dump of this one here, and let me redo a dump of the first one so that we can compare. So again the output is very similar, because we only have three nested levels here, and one difference you notice is that here in this column we have an O, an uppercase O. This uppercase O is important because this is the indicator that it contains an object. And how does it detect that it contains an object? Well, first of all that it contains hexadecimal data, and that that hexadecimal data starts with this hex sequence here. And now I can also explain this column here. This column is the number of hexadecimal digits that is found inside that string. So in these strings here we find 614 hexadecimal digits, and that's this here. And the two other ones, those are only important when we are dealing with obfuscation. The B is for bin words and the U is for unexpected characters. So if you analyze a real RTF file you will have a lot of strings, or a lot of output and data, and since we are interested in the objects it's interesting to focus first on those objects, and you can do that with a filter, like this: filter O. And by doing this you will only get the output that has this indicator set. In this case we have all of them. Now we will select the innermost level, select 3, and here we have a hex/ASCII dump. But when we have hex data we can also instruct rtfdump to decode that hexadecimal data with an uppercase H option, like this.
And here now we have a hex/ASCII dump of the decoded hexadecimal, and now we can already start to recognize words, like here "package" and here filenames, things like that. Now if the hexadecimal data is an object, then we can also ask information about that object with option E, info, and then you get the name of the object, here it is "package"; the position in the data stream where the object starts, that's hexadecimal; and also the size of the embedded object, here that's also hexadecimal. And of that embedded object you also get the MD5 hash and the magic header, so that's the first 4 bytes of that object. You can cut out that object by using option cut. I have a video on this because I have that cut option in many of my dump tools. So we want to start to cut at position 20 and we want to cut for 100 bytes, so L to indicate that there is a length, like this, and then here we cut out the object. We can also, instead of doing an ASCII dump of that object, do a raw dump, and this of course can be redirected to a file, like this. So now, after showing you those two very simple RTF files, I'm going to look at another RTF file, also rather simple, but this one here is an RTF file that was created with WordPad, here document.rtf, and you can see here it starts with rtf1, but then it contains many other nested strings; here you can see Word.Document.8, and then here you can recognize hexadecimal data, here with the indicator of an object. OK, it goes on for a while here and then it ends.
This RTF document is a document that I made with WordPad. I took a Word document, so not a WordPad document but a Word document, a .doc file, and I embedded this in this RTF file. So if we now do rtfdump of that document you get this output. Here you can see we already have more, with the different control words, and here we have an indication, an indicator for an object. So if we would have more, we could filter and have a smaller overview. So it's in object 7, so let's select object 7; it's hexadecimal and it's an object, so we will decode it and request the information about that object, like this. OK, so now we see that the name is Word.Document.8, it starts at position 28, the size is 6C00, this is the MD5 and this is the magic, and here you can see the magic is d0cf11e0, which you could read as "doc file", so this is actually an OLE file that is embedded in that RTF file. So we can extract that OLE file by selecting it: we start at position 28, the length is 6C, sorry, I have to put my hex indicator, 6C00, that's a length, so thereby here we select, we cut out of the stream the OLE document, and then we can dump it, and we could for example write it to a file, but I'm not going to do that. I'm going to pipe it directly into my OLE file analysis tool, oledump, like this. Sorry, this went wrong because I forgot here the C, and to remove... sorry, we want to hex decode, but instead of S I had to do a C, cut, like this. OK, and then we get the dump of the OLE document, which is a Word document.
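To make the dump columns, the object heuristic and the info output concrete, here is an added Python example (my own illustration, not rtfdump's code): it walks the brace-delimited groups and records level, child count, position, length and control word, counts the hex digits inside each group, flags a group as an object when its hex starts with the 01050000 prefix of the sequence the video uses, and then decodes the hex and walks the OLE 1.0 header to report name, data offset, size, MD5 and 4-byte magic. The sample RTF and its "Package" object are constructed; the header layout (version, format id, three length-prefixed names, data size) is the OLE 1.0 embedded-object format from MS-OLEDS.

```python
import hashlib
import re
import struct

# Constructed sample (not from the page): three nested groups; the innermost one
# carries an OLE 1.0 embedded object named "Package" whose data is a CFB magic.
SAMPLE = (r"{\rtf1{\object{\*\objdata "
          "01050000" "02000000" "08000000" "5061636b61676500"        # version, format, "Package\0"
          "00000000" "00000000" "08000000" "d0cf11e0a1b11ae1}}}")    # topic, item, size, data
OBJECT_SIG = "01050000"                      # hex prefix that flags an object
CONTROL_WORD = re.compile(r"\\[A-Za-z]+-?\d* ?|\\.")
HEX_TOKEN = re.compile(r"[0-9A-Fa-f]+")


def parse_groups(rtf):
    """One record per brace group: level, children, pos, length, control word, hex, object flag."""
    groups, stack, i = [], [], 0
    while i < len(rtf):
        if rtf[i] == "\\":                   # \{ \} \\ are literals, so skip the escaped char
            i += 2
            continue
        if rtf[i] == "{":
            if stack:
                stack[-1]["children"] += 1
            rec = {"level": len(stack) + 1, "children": 0, "pos": i}
            stack.append(rec)
            groups.append(rec)
        elif rtf[i] == "}" and stack:
            rec = stack.pop()
            body = rtf[rec["pos"] + 1:i]
            rec["length"] = i - rec["pos"] + 1
            m = re.match(r"(\\\*)?\\[A-Za-z]+\d*", body)
            rec["word"] = m.group(0) if m else ""
            text = CONTROL_WORD.sub(" ", body).replace("{", " ").replace("}", " ")
            rec["hex"] = "".join(t for t in text.split() if HEX_TOKEN.fullmatch(t))
            rec["object"] = rec["hex"].lower().startswith(OBJECT_SIG)
        i += 1
    return groups


def object_info(hexdata):
    """Decode the hex and walk the OLE 1.0 header: name, data offset, size, MD5, magic."""
    blob = bytes.fromhex(hexdata)
    off, names = 8, []                       # skip OLEVersion and FormatID
    for _ in range(3):                       # ClassName, TopicName, ItemName (length-prefixed)
        n = struct.unpack_from("<I", blob, off)[0]
        names.append(blob[off + 4:off + 4 + n].rstrip(b"\0").decode("latin-1"))
        off += 4 + n
    size, off = struct.unpack_from("<I", blob, off)[0], off + 4
    data = blob[off:off + size]
    return {"name": names[0], "pos": off, "size": size,
            "md5": hashlib.md5(data).hexdigest(), "magic": data[:4].hex()}
```

Running `object_info(parse_groups(SAMPLE)[2]["hex"])` reports the object starting at offset 0x20 with magic d0cf11e0, the same shape of output the video reads off the info option.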