New Explode Module: EXPLODE_RTF #62
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
explode_rtf.py is a scanning module to explode the objects inside an RTF. It uses rtfobj from decalge's oletools to perform the object extraction. An example of the module's function is below. I have included running rtfobj against a sample RTF followed by the metadata output created by the RTF module and the output files. '''[user@localhost laikaboss]# rtfobj mysample.rtf rtfobj 0.50 - http://decalage.info/python/oletools THIS IS WORK IN PROGRESS - Check updates regularly! Please report any issue at https://github.com/decalage2/oletools/issues =============================================================================== File: 'mysample.rtf' - size: 223826 bytes ---+----------+-------------------------------+------------------------------- id |index |OLE Object |OLE Package ---+----------+-------------------------------+------------------------------- 0 |000000D1h |format_id: 2 |Filename: '1.jpg' | |class name: 'Package' |Source path: 'C:\\Documents and | |data size: 108421 |Settings\\user\\Meus | | |doc\\sdd2ss | | |imagens\\1.jpg' | | |Temp path = 'C:\\Documents and | | |Settings\\user\\Meus | | |doc\\sdd2ss | | |imagens\\2.jpg' ---+----------+-------------------------------+------------------------------- ''' [user@localhost laikaboss]# python laika.py mysample.rtf '''... "EXPLODE_RTF": { "Parsed_Objects_Metadata": { "Index": 0, "Temp Path": "C:\\Documents and Settings\\user\\Meus doc\\sdd2ss imagens\\2.jpg", "Type": "OLEPackage", "Source Patch": "C:\\Documents and Settings\\user\\Meus doc\\sdd2ss imagens\\1.jpg", "Filename": "1.jpg" } ''' [user@localhost laikaboss]# ls -lart ~/EXPLODED/c80f57df-e2bb-49ac-9014-f96016b4975a '''e0a35273-1ad5-4e0a-a35e-b87e4cc4411e .. e_rtf_object_000000D1.olepackage -> e0a35273-1ad5-4e0a-a35e-b87e4cc4411e result.json mysample.rtf -> c80f57df-e2bb-49ac-9014-f96016b4975a c80f57df-e2bb-49ac-9014-f96016b4975a''' Note: Requires a dispatch (dispatch.yara) addition. rule type_is_rtf { meta: scan_modules = "EXPLODE_RTF" file_type = "rtf" condition: uint32(0) == 0x74725c7b }
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
explode_rtf.py is a scanning module to explode the objects inside an RTF. It uses rtfobj from decalage's oletools to perform the object extraction.
Input is an RTF. Output is extracted embedded objects in the RTF file. Output types can be OLE, OLE package, or just a raw object. Extracted objects will have appropriate file headers if they are not a raw object type (all part of declage's code). EXPLODE_RTF module also adds metadata about the object when possible. An example of the module's function is below. I have included running rtfobj against a sample RTF followed by the metadata output created by the RTF module and the output files.
Note: Requires a dispatch (dispatch.yara) addition.