Detecting Compressed RTF, (Sun, Oct 28th)

News

I was asked how I knew that the content of the email in my last diary entry, was compressed RTF.

At first, I didn’t know this. The reader, Salil, told us that he suspected that the URLs he was looking for, were in stream 67. I looked at stream 67, but couldn’t find the content of the email.

Then I analyzed the content of the stream with my tool byte-stats.py, and noticed it was about 5 KB with a high entropy: 7.5…

So I thought that the content of this stream was probably compressed. But looking at the hexdump, I didn’t recognize the compression method:

The first string in this hexdump is LZFu. LZ reminded me of Lempel-Ziv compression. A Google search for LZFu gave this:

That’s when I found out about Compressed RTF, and then I created a decompression tool with the right module and a couple of lines.

I also updated my file-magic tool to detect Compressed RTF using this definition:

# 2018/10/26

#——————————————————————————
# Compressed RTF:  file(1) magic Compressed RTF
#
8       string  LZFu    Compressed RTF

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: SANS Internet Storm Center
Detecting Compressed RTF, (Sun, Oct 28th)