And now again, we are going to take a look at a second malicious RTF sample. Now this one is heavily obfuscated, so it will take some time, about 30 seconds, before it's completely parsed, and in the rest of the video I will cut out these dead moments. And you see a very, very long list, more than 300,000 entries. So let's filter for objects, and there are no objects to be found here this time. So let's use YARA to see if we can find out something. I'm not going to run it on the hex first because I don't know if it contains actual objects or shellcode. Let's just run the RTF YARA rules on the RTF file itself, so without decoding any potential hex.

Okay, and we have something: we have a detection for the string pFragments. Now pFragments, that is a control word that is used in RTF documents, and there is an exploit for pFragments in the Windows RTF parser, in the Microsoft RTF parser. So what do we have here? So of course we have level one, the RTF document itself, that contains the pFragments. But then we find it here in these objects, which appear to be nested. This one here contains 662 hexadecimal digits, and this one 661 hexadecimal digits. So let's first take a look at this one here. We are just going to select it, not yet decode the hex, just select it and see what we can discover.

Yeah, okay, there is a lot of obfuscation here. And here we have hex code, hexadecimal code. Yeah, and this here, with the pFragments here, and here \sv, \sv, and this thing here: this looks like a typical exploit for that parsing of the pFragments control word. And more obfuscation, and here we have the control words, okay. So let's take a closer look at the hex code here. I forgot the number; I'm going to go back here to my previous command and ask for hex decode. And here we see a URL, HTTP, and also here cmd.exe. This could be shellcode, and here this could be a small NOP sled, 90 90 and so on, NOP NOP NOPs.
So it starts at position 35. So let's extract this. So let's cut this at position 35, and then we want everything until the end of the data. We want to dump this because we are going to run this through the shellcode emulator. So let me pipe this into shellcode. Not bin, not vich game. And let's now use the shellcode emulator. Yeah, and it is indeed again shellcode that is a downloader. We see URLDownloadToFileA, from this URL to this file, a .exe file, and then it is executed, not straight executed but this time through cmd.exe, and then an exit.
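The static carving steps shown in the video (decode the hex runs hidden among RTF control words, look for a 0x90 NOP sled, carve from the offset where it starts, and list the strings that hint at a downloader) can be reproduced with a small script. The following is an added example, not code from the video or from rtfdump.py; the RTF sample it works on is constructed inline, the URL `http://example.test/drop.exe` and the 35-byte header are made up so that the sled lands at offset 35 like in the video, and the "shellcode" bytes are a placeholder, not a working payload. It does the carving only; emulating the carved bytes is left to a shellcode emulator as in the video.

```python
import re
from typing import Dict, List

# A hex digit, then any number of (optional whitespace, hex digit): obfuscated RTF
# writers sprinkle spaces and line breaks through the hex, and the reader ignores them.
HEX_RUN = re.compile(r"[0-9A-Fa-f](?:\s*[0-9A-Fa-f])*")
WHITESPACE = re.compile(r"\s+")


def hex_runs(rtf: str, min_bytes: int = 16) -> List[bytes]:
    """Decode every run of hex digits at least min_bytes long; whitespace inside a run
    is dropped and an odd trailing nibble is discarded, as an RTF reader would."""
    blobs = []
    for m in HEX_RUN.finditer(rtf):
        digits = WHITESPACE.sub("", m.group(0))
        if len(digits) < 2 * min_bytes:
            continue  # short runs are control-word digits ('\rtf1', '\sv 1;4;'), not data
        if len(digits) % 2:
            digits = digits[:-1]
        blobs.append(bytes.fromhex(digits))
    return blobs


def find_nop_sled(data: bytes, min_len: int = 4) -> int:
    """Offset of the first run of at least min_len 0x90 (NOP) bytes, or -1 if none."""
    m = re.search(rb"\x90{%d,}" % min_len, data)
    return m.start() if m else -1


def ascii_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs of at least min_len bytes (the URL / cmd.exe hints)."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def carve_shellcode(data: bytes, start: int) -> bytes:
    """'Cut at position start and take everything until the end of the data'."""
    return data[start:]


def triage(rtf: str) -> List[Dict]:
    """One record per decoded hex blob: size, sled offset, strings and downloader IOCs."""
    has_pfragments = "pfragments" in rtf.lower()
    records = []
    for blob in hex_runs(rtf):
        strings = ascii_strings(blob)
        iocs = [s for s in strings if "http" in s.lower() or ".exe" in s.lower()]
        records.append({
            "size": len(blob),
            "has_pfragments": has_pfragments,
            "nop_sled_at": find_nop_sled(blob),
            "strings": strings,
            "iocs": iocs,
        })
    return records


def build_sample() -> str:
    """Constructed sample (not a real malicious document): 35 bytes of filler, an 8-byte
    NOP sled, then placeholder bytes with a fake URL and a cmd.exe command line."""
    header = bytes(range(35))                  # shellcode will start at offset 35
    sled = b"\x90" * 8
    payload = (b"\x31\xc0\x50\xe8"             # placeholder, not functional shellcode
               + b"http://example.test/drop.exe\x00"
               + b"cmd.exe /c drop.exe\x00"
               + b"\xc3")
    hexstr = (header + sled + payload).hex()
    # 40 hex digits (20 bytes) per chunk, separated by spaces like an obfuscated writer
    chunks = " ".join(hexstr[i:i + 40] for i in range(0, len(hexstr), 40))
    return r"{\rtf1{\shp{\*\shpinst{\sp{\sn pFragments}{\sv 1;4;" + chunks + "}}}}}"


if __name__ == "__main__":
    sample = build_sample()
    for rec in triage(sample):
        print(rec)
        if rec["nop_sled_at"] >= 0:
            carved = carve_shellcode(hex_runs(sample)[0], rec["nop_sled_at"])
            print("carved", len(carved), "bytes starting", carved[:4].hex())
```

Run the carved bytes through a shellcode emulator as the video does; the strings alone only suggest a downloader, the emulator shows the actual URLDownloadToFileA call and what is executed afterwards.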