I received another RTF file (with a .doc extension) via email. Let's take a look with rtfdump:

It looks like there are no embedded objects. Let's make sure by filtering for objects:

There are no embedded objects, or they are so heavily obfuscated that rtfdump doesn't find them. To exclude this hypothesis, we look for hexadecimal digits:

Some of the sequences (like 17 and 18) contain 1329 hexadecimal characters, but the longest runs of contiguous hexadecimal characters are only 5 or 6 characters long. Either this is extremely obfuscated, or it doesn't contain an exploit and is rather phishing. Searching for URLs:

Indeed, it is phishing (NetEase / 163 is a Chinese Internet company):
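The triage logic in this diary (check for embedded objects, then for long hex-encoded blobs that could hide an obfuscated object, then fall back to URL extraction) can be reproduced in a few lines of Python. The script below is an added example, not rtfdump itself or code from the diary: it uses plain regular expressions rather than rtfdump's parser, the two sample RTF documents are constructed (the phishing link points at a reserved `.invalid` domain and the object payload is placeholder bytes), and the 64-character hex-run threshold is my own choice.

```python
import re

# Heuristic threshold (an assumption for this example, not a rtfdump setting):
# a contiguous run of hex digits this long is unlikely to occur in plain text
# and suggests a hex-encoded binary payload, even when no \object control word
# survives obfuscation.
HEX_RUN_THRESHOLD = 64

HEX_RUN_RE = re.compile(rb"[0-9A-Fa-f]+")
OBJECT_RE = re.compile(rb"\\(?:objdata|object)\b")
URL_RE = re.compile(rb'https?://[^\s"\\{}<>]+')

# Constructed sample: a phishing-style RTF with a hyperlink and no OLE object.
PHISHING_RTF = rb"""{\rtf1\ansi\deff0
{\fonttbl{\f0 Arial;}}
{\colortbl;\red0\green0\blue255;}
\pard Your mailbox is almost full. Please {\field{\*\fldinst{HYPERLINK "http://mail.example.invalid/login"}}{\fldrslt verify}} your account.\par
\pard\f0\fs24 ab12ef 3c9d0 \par
}"""

# Constructed sample: an RTF with an embedded OLE Package object whose
# hex-encoded payload is placeholder bytes (an OLE header followed by zeros).
OBJECT_RTF = (
    b"{\\rtf1\\ansi\n{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\n"
    + b"d0cf11e0a1b11ae1" + b"00" * 24 + b"3e000300"
    + b"\n}}\n\\par }"
)


def has_embedded_object(data: bytes) -> bool:
    """True if the RTF carries \\object or \\objdata control words (OLE object)."""
    return OBJECT_RE.search(data) is not None


def hex_stats(data: bytes):
    """Return (total hex digits, longest contiguous run of hex digits)."""
    runs = HEX_RUN_RE.findall(data)
    return sum(len(r) for r in runs), max((len(r) for r in runs), default=0)


def find_urls(data: bytes):
    """Extract http(s) URLs, e.g. from HYPERLINK fields in a phishing document."""
    return [u.decode("ascii", "replace") for u in URL_RE.findall(data)]


def triage(data: bytes) -> dict:
    """Apply the diary's decision order and return the indicators plus a verdict."""
    total_hex, longest_run = hex_stats(data)
    result = {
        "has_object": has_embedded_object(data),
        "hex_digits": total_hex,
        "longest_hex_run": longest_run,
        "urls": find_urls(data),
    }
    if result["has_object"]:
        result["verdict"] = "embedded-object"
    elif longest_run >= HEX_RUN_THRESHOLD:
        result["verdict"] = "suspicious-hex-blob"
    elif result["urls"]:
        result["verdict"] = "likely-phishing"
    else:
        result["verdict"] = "no-indicators"
    return result


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_RTF), ("object", OBJECT_RTF)):
        print(name, triage(sample))
```

On the phishing sample the longest hex run is 6 (the "ab12ef" token), no object control words are present and one URL is extracted, which is the same picture the diary describes: plenty of scattered hex digits, but nothing long enough to be an encoded payload. The object sample trips the `\object` check first; if an attacker stripped that control word, the 72-character payload line would still exceed the run threshold.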
Didier Stevens, ISC Handler, Jan 20th 2018